The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that transparently redirects designated outbound traffic at the inbound interface.
One or more cache proxy servers keep local copies of frequently requested web resources and answer local requests directly, which makes better use of your downstream bandwidth. Access to and download times of web content improve significantly, and you can also use the cache proxy server as a web proxy to control internet traffic.
For professional use of WCCP you can use a security appliance such as Sophos (Astaro) or Blue Coat ProxySG, but you can also use a software-based proxy server. I decided to use squid on a 64-bit CentOS Linux machine; squid is the most popular Linux proxy server for caching and filtering websites, and I know of some ISPs that use squid and are very pleased with it.
Before you begin you have to know that the caching proxy server has to sit on the same interface as the clients; this is the only topology in which the ASA supports WCCP. For example, you cannot run the proxy server in the management network and use it for web redirection in the production network. Many WCCP problems come from exactly this point: at the end of the configuration you realize that it does not work, and believe me, it is very disappointing.
WCCP Configuration on ASA
We begin by configuring WCCP on the ASA; the configuration of a Cisco router or a Layer 3 switch is very similar.
First of all you have to create two ACLs. With the first ACL you tell the ASA which host(s) the caching proxy server(s) are; I name this ACL "wccp-server":
access-list wccp-server extended permit ip host 172.16.1.100 any
With the other ACL you declare the clients and the traffic that should be intercepted. Of course you have to exclude the proxy server itself from the client ACL, otherwise its own outbound requests would be redirected back to it:
access-list wccp-traffic line 1 extended deny ip host 172.16.1.100 any
access-list wccp-traffic line 2 extended permit tcp 172.16.1.0 255.255.255.0 any eq www
Then we configure the WCCP service on the ASA and apply it to the interface, in this case the production interface:
wccp web-cache redirect-list wccp-traffic group-list wccp-server
wccp interface production web-cache redirect in
You can check and debug your configuration at any time with:
show wccp
Global WCCP information:
    Router information:
        Router Identifier: 172.16.1.254
        Protocol Version: 2.0
    Service Identifier: web-cache
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 459
        Redirect access-list: wccp-traffic
        Total Connections Denied Redirect: 0
        Total Packets Unassigned: 0
        Group access-list: wccp-server
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0
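Since "it does not work" usually only shows up in these counters, here is an added example (not from the original post) that parses two snapshots of the show wccp output above and reports the typical failure signs: no registered cache engine, a redirect counter that does not move, authentication failures, or a cache engine denied by the group-list. The sample text is a constructed copy of the output quoted in the post.

```python
import re

# Constructed sample of the ASA "show wccp" output quoted in the post.
SHOW_WCCP = """Global WCCP information:
    Router information:
        Router Identifier: 172.16.1.254
        Protocol Version: 2.0
    Service Identifier: web-cache
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 459
        Redirect access-list: wccp-traffic
        Total Connections Denied Redirect: 0
        Total Packets Unassigned: 0
        Group access-list: wccp-server
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0
"""

# "Key: value" lines; section headers without a value are skipped.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.+?)\s*$")

def parse_show_wccp(text):
    """Turn the 'Key: value' lines into a dict; numeric counters become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        fields[key] = int(value) if value.isdigit() else value
    return fields

def wccp_health(earlier, later):
    """Compare two snapshots taken a while apart; return problems (empty list = healthy)."""
    a, b = parse_show_wccp(earlier), parse_show_wccp(later)
    problems = []
    if b.get("Number of Cache Engines", 0) < 1:
        problems.append("no cache engine registered (check group-list ACL and squid's wccp2_router)")
    if b.get("Total Packets Redirected", 0) <= a.get("Total Packets Redirected", 0):
        problems.append("redirected packet counter not increasing (check redirect-list and interface)")
    if b.get("Total Authentication failures", 0) > 0:
        problems.append("WCCP authentication failures reported")
    if b.get("Total Messages Denied to Group", 0) > 0:
        problems.append("cache engine messages denied by the group-list ACL")
    return problems
```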
So far so good; let's get squid running on CentOS:
As I said, I installed squid on 64-bit CentOS 6, but squid also works on Debian-based systems such as Ubuntu.
To install squid, use the command:
yum install squid
I found that the Linux firewall (iptables) and SELinux block some client requests and cause unnecessary problems. My server is behind the ASA and there is no NAT that would expose it to the outside, so I turned off iptables and SELinux:
service iptables stop
chkconfig iptables off
To switch off SELinux you have to open and change the SELinux config (with vi or nano):
vi /etc/selinux/config
replace the line from
Save, done.
Now we configure squid for WCCP. Squid supports WCCP version 2, and you have to tell it the IP address of the WCCP router, in our case the ASA.
So open squid.conf:
and add the following lines:
# the IP address of the ASA
wccp2_router 172.16.1.254
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
To use transparent redirection, add
http_port 3128 intercept
to squid.conf, then save and exit.
Now start squid on CentOS and make sure the service starts again after a server reboot:
service squid start
chkconfig squid on
The configuration is now ready to use. From now on the ASA sends all web requests from the network 172.16.1.0/24 to squid, which fetches the website and forwards it to the client; the proxy server also caches the web content for the next client request.
You can use the squid logs to check and monitor the configuration:
Now I would like to set up URL filtering on squid.
It is much easier to configure URL filtering on squid if you approach it the way you would on Cisco IOS.
To define the pool of URLs we usually use an ACL in IOS; we use the same concept for squid, only instead of an ACL we create a file in which we list the websites that should be blocked.
So I create a file named blacklist.squid:
Open blacklist.squid and add the URLs that you want blocked:
nano /etc/squid/blacklist.squid
#blocked sites
www.rapidshare.com
www.cisco.com
www.site-x.com
and so on.
Now open the squid configuration file:
Here you have to assign the blacklist ACL in the squid configuration:
# ACL BLACKLIST
acl blacklist dstdomain "/etc/squid/blacklist.squid"
Then you have to tell squid that the members of this ACL (file) should be blocked. Squid evaluates http_access rules top-down and stops at the first match, so put this deny line above any http_access allow rule for your clients:
# Deny access to BLACKLIST ACL
http_access deny blacklist
Save and restart the squid service:
service squid restart
After restarting squid you can test it: go to a client and try to open a blocked website. You should not be able to access it, and your browser should show the following page from squid:
Here I try to go to cisco.com.
Again you can see the blocked site in the squid logs:
1363337545.415 0 172.16.1.11 TCP_DENIED/403 4174 GET http://www.cisco.com/ - NONE/- text/html
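Reading denials out of access.log by eye gets old quickly, so here is an added example (not from the original post) that parses squid's native log format shown above and counts TCP_DENIED entries per client and per destination host. The log text is constructed for the example: the first line is the entry quoted in the post, the rest are made up, and 203.0.113.10 is a placeholder peer address.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in squid's native access.log format (ten whitespace-separated fields).
ACCESS_LOG = """\
1363337545.415      0 172.16.1.11 TCP_DENIED/403 4174 GET http://www.cisco.com/ - NONE/- text/html
1363337546.102    214 172.16.1.11 TCP_MISS/200 15321 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1363337547.880      0 172.16.1.12 TCP_DENIED/403 4174 GET http://www.rapidshare.com/files/1 - NONE/- text/html
1363337548.301      0 172.16.1.11 TCP_DENIED/403 4174 GET http://jobs.example.org/ - NONE/- text/html
"""

def parse_access_line(line):
    """Split one native-format line into its fields; return None for malformed lines."""
    f = line.split()
    if len(f) != 10:
        return None
    code, _, status = f[3].partition("/")      # e.g. TCP_DENIED/403
    peer, _, _peerhost = f[8].partition("/")   # e.g. NONE/- or DIRECT/<ip>
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": code,
        "status": int(status),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "host": urlsplit(f[6]).hostname,
        "peer": peer,
        "mime": f[9],
    }

def denied_summary(log_text):
    """Count squid's own denials (TCP_DENIED) per client and per destination host."""
    by_client, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            by_client[rec["client"]] += 1
            by_host[rec["host"]] += 1
    return {"clients": dict(by_client), "hosts": dict(by_host)}
```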
To set up URL keyword filtering we use the same process as for URL filtering:
Create a file (ACL) named keywords.squid (you can use whatever name you want).
As with the blacklist, open keywords.squid and add the keywords that should be blocked.
Here are some regular expressions (regex) that I chose to block:
nano /etc/squid/keywords.squid
#blocked keywords
jobs
face
porn
share
download
Save and exit.
Open the squid configuration file:
Assign the ACL "keywords" in squid.conf:
# ACL keywords
acl keywords url_regex -i "/etc/squid/keywords.squid"
Add a new "http_access deny" and bind it to the ACL "keywords" (again above the allow rules for your clients):
# Deny access to keywords ACL
http_access deny keywords
Save and restart the squid service again:
service squid restart
URL keyword filtering is not the same as web content filtering. URL keyword filtering means that the inspector compares the URL string against its pool of regexes; if there is a match, the website is blocked.
Web content filtering, however, checks the content of a website and compares it with a keyword database. Of course web content filtering is a much more effective method to prevent access to undesired sites, but it needs a lot of CPU and memory, so I would recommend a high-performance NGF for content filtering; my favorites here are the Palo Alto NGF and the Cisco IronPort.
However, squid does not support web content filtering anyway.
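Because url_regex only ever sees the URL string, short keywords like "face" or "share" also match unrelated URLs, and a dstdomain entry without a leading dot matches only that exact host. The added example below (not from the original post) mimics the two ACL types from this post so you can test a blacklist and keyword file before restarting squid; it assumes the http_access order used above (blacklist first, then keywords) and uses constructed copies of the two files.

```python
import re
from urllib.parse import urlsplit

# Constructed copies of the two ACL files from the post; '#' lines are comments.
BLACKLIST = "#blocked sites\nwww.rapidshare.com\nwww.cisco.com\nwww.site-x.com\n"
KEYWORDS = "#blocked keywords\njobs\nface\nporn\nshare\ndownload\n"

def load_acl_file(text):
    """Return the non-empty, non-comment entries of a squid ACL file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def dstdomain_match(host, entries):
    """Mimic squid 'dstdomain': plain entry = exact host; leading-dot entry = domain and subdomains."""
    host = host.lower().rstrip(".")
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return e
        elif host == e:
            return e
    return None

def url_regex_match(url, patterns):
    """Mimic squid 'url_regex -i': case-insensitive regex search over the whole URL."""
    for p in patterns:
        if re.search(p, url, re.IGNORECASE):
            return p
    return None

def decide(url, blacklist=BLACKLIST, keywords=KEYWORDS):
    """Return (verdict, acl, entry) in the order the two http_access deny lines are evaluated."""
    host = urlsplit(url).hostname or ""
    hit = dstdomain_match(host, load_acl_file(blacklist))
    if hit:
        return ("deny", "blacklist", hit)
    hit = url_regex_match(url, load_acl_file(keywords))
    if hit:
        return ("deny", "keywords", hit)
    return ("allow", None, None)
```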
As I said, you can see all web requests by using:
I just tried to send all of squid's logs to an internal log server, but I think if you have more than 10 clients it makes no sense, because your log server will be flooded in a short time.
Finally, you have to check the CPU and memory on the squid server periodically; if you have a lot of requests and high load, you should run squid on a dedicated, powerful server.