I'm having a problem getting wccp to work when there's a pix between my router and squid box. When I put my squid box on the same segment as the router (no pix in the middle), it works beautifully.

There is _some_ communication going on when squid's behind the pix, because the router indicates it has found the cache (on the router, "sh ip wccp web-cache" shows "number of cache engines: 1"). When I turn off the squid box, the router shows "number of cache engines: 0".

I used a network sniffer to grab the traffic going to the squid box under both working (no pix) and non-working (pix in the middle) situations. When things are working, there are some UDP packets back and forth on port 2048 (the WCCP negotiation, I think). Then, there are a number of IP packets with GRE headers going back and forth between the router and cache.

When the pix is in the middle, and I put the sniffer alongside the cache (so, I'm seeing the inbound stuff that made it through the pix and the outbound from the cache), the initial UDP traffic on port 2048 happens, but I see none of the GRE packets.

As I've been debugging this, I've opened up the access list on the pix to allow any IP from the router, and any ICMP from the router to the cache. No difference. The only reference I've seen to GRE when I search this list and the Cisco list is in reference to tunnelling.

Can someone clue me in how to allow GRE traffic through the PIX, or if I'm just completely insane for putting the cache behind the fw[0]? I'm hoping it's an access-list thing, rather than some VPN morass ;-)

I can provide more details if needed. IOS on the pix is 5.3, all the WCCP stuff is version 1.

TIA,
- Joe [EMAIL PROTECTED]

[0] the cache doesn't have any parent/child/sibling relationship to other caches (it's standalone), so the whole issue about
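The capture comparison described in the message above, as an added example that is not part of the original post: it labels raw IPv4 packets as WCCP control (UDP port 2048) or GRE (IP protocol 47) and reports when only the control traffic reached the capture point. The addresses, the sample packets and the function names are constructed for illustration, and the check for GRE protocol type 0x883E (the type WCCP uses for redirected packets) is an assumption not stated in the post.

```python
import struct
from collections import Counter

WCCP_UDP_PORT = 2048               # WCCP negotiation port, as seen in the post
IPPROTO_UDP, IPPROTO_GRE = 17, 47  # GRE is its own IP protocol, not TCP/UDP/ICMP
WCCP_GRE_TYPE = 0x883E             # assumption: GRE protocol type for WCCP redirects

def classify(pkt: bytes) -> str:
    """Label a raw IPv4 packet: wccp-control, wccp-gre, gre-other or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or len(pkt) < ihl or frag_off:
        return "other"             # bad header, or a fragment with no L4 header
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "wccp-control" if WCCP_UDP_PORT in (sport, dport) else "other"
    if proto == IPPROTO_GRE and len(l4) >= 4:
        gre_type = struct.unpack("!H", l4[2:4])[0]
        return "wccp-gre" if gre_type == WCCP_GRE_TYPE else "gre-other"
    return "other"

def diagnose(packets) -> str:
    """Summarise one capture taken next to the cache."""
    seen = Counter(classify(p) for p in packets)
    if seen["wccp-control"] and seen["wccp-gre"]:
        return "healthy"
    if seen["wccp-control"]:
        return "control-only"      # negotiation seen, no protocol-47 packets arrived
    return "no-wccp"

def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.10"):
    """Build a constructed IPv4 packet (checksum left at zero, unused here)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

# Constructed samples standing in for the two captures described in the post.
UDP_2048 = ipv4(IPPROTO_UDP, struct.pack("!HHHH", 2048, 2048, 12, 0) + b"\0" * 4)
GRE_WCCP = ipv4(IPPROTO_GRE, struct.pack("!HH", 0, WCCP_GRE_TYPE) + b"\x45" + b"\0" * 19)
WITHOUT_PIX = [UDP_2048, GRE_WCCP, UDP_2048]
BEHIND_PIX = [UDP_2048, UDP_2048]

if __name__ == "__main__":
    print("no pix:    ", diagnose(WITHOUT_PIX))
    print("behind pix:", diagnose(BEHIND_PIX))
```

A "control-only" result at the cache side means the filter in the path has to be checked for a rule matching IP protocol 47 specifically.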
