On 16.07.2012 12:50, Jack Black wrote:
Hi.

I am a network technician, working for a small company that is based
in the middle of nowhere in a camp up North, and we provide internet
to nearly 1000 clients. The managers of the camp have asked us to
implement a system where users will be directed to a page that has
some important, camp-related information (safety policies, upcoming
events, fire warnings, etc.). Using squid and the ext_session_acl
helper, along with our Cisco router's WCCP, and some very helpful
advice from Amos, I have created such a system, and have been testing
it for the past few hours. While the test has been fairly short so
far, and has not been under full load (at peak times), it seems to be
working perfectly. The only thing stopping it from working at full
capacity now is the fact that our network is divided into multiple
subnets, and according to some forum posts I have read, the squid
proxy server and the clients have to be on the same subnet when using
WCCP and a GRE tunnel. I have tried to use ACLs on the Cisco router to direct clients from other subnets to the squid proxy, but as the posts suggested, those clients fail to connect. An image depicting the setup
can be found here:

http://dxgameunit.webs.com/subnet%20problem.png

Does anyone know if it is even theoretically possible to have the
squid proxy and the clients in different subnets in this case? What
would that require? Is that something that needs to be addressed
through squid, the Cisco router, or the iptables rules on the squid
proxy's OS?

Tal


The issue, as you noted in an earlier email, is not Squid, nor anything on its machine. The ASA, and in particular the use of WCCP and GRE it provides, is directly causing it.

To resolve your problems you are therefore required to drop WCCP and GRE, moving instead to true policy routing to pass packets to the Squid machine.

The routing topology in the ASA needs to move packets like so:
 if arriving from the client interface -> gateway via Squid
 if arriving from the Internet interface -> gateway via Squid
 else -> gateway per the packet destination IP.

Amos
