Setting up squid on Debian is fairly straightforward, and my previous post explored that topic in depth. This time I want to share how I configured squid to communicate with my ASA 5505, which has a dynamic IP address. If you followed the earlier suggested guide you will notice it requires the ASA’s outside IP address; with a dynamic IP this would mean editing the configuration each time the address changed. To avoid this I did the following:
Tell Debian to automatically load module ip_gre on boot by adding this line to ‘/etc/modules’:
ip_gre
On Debian, instruct networking to launch the script wccp2 after the NIC is up:

iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    post-up /etc/network/if-up.d/wccp2
Save the following to ‘/etc/network/if-up.d/wccp2’:
#!/bin/bash
# Look up the current internet-facing address (the ASA's dynamic outside IP).
EXT=$(curl -s http://myip.dnsomatic.com/)
# Stop here rather than build a tunnel to an empty endpoint if the lookup failed
# (for example because curl is not installed).
[ -n "$EXT" ] || exit 1
modprobe ip_gre
# GRE tunnel between the ASA's outside IP and this host for the WCCP-redirected traffic.
ip tunnel add wccp0 mode gre remote $EXT local 192.168.1.2 dev eth0
ifconfig wccp0 192.168.1.2 netmask 255.255.255.255 up
# Disable reverse-path filtering, otherwise the kernel drops the redirected packets,
# and enable forwarding so replies can leave again.
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 >/proc/sys/net/ipv4/ip_forward
# Hand HTTP traffic arriving over the tunnel to squid on port 3128.
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE
At this point you have the required tunnel built, and you will notice that the script grabs the internet-facing IP using curl. If curl is not installed, this step will fail.
To get curl:
apt-get install curl
Finally, configure squid for wccpv2 by adding the following lines to ‘/etc/squid3/squid.conf’:
wccp2_router 192.168.1.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
On the ASA you can monitor the status of wccp using the following command:
sh wccp
Sample Output:
ciscoasa# sh wccp
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xxx.xxx.xxx
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            5879091
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            40
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
The number of cache engines should be 1 if squid is properly connected. If squid is connected but doesn’t appear to be working, it means your GRE tunnel is not set up correctly. Check the tunnel endpoint IPs at this point.
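The post-up script above only fetches the outside IP once, at boot, so when the ASA's dynamic address later changes the tunnel keeps its old remote endpoint: WCCP still shows one cache engine, but no traffic flows, which is exactly the "connected but not working" symptom described above. The following script is an added example, not part of the original post, that re-checks the endpoint and rebuilds the tunnel only when the address has changed, and it also refuses to act on a lookup reply that is not an IPv4 address (an empty reply or an HTML error page). The interface, tunnel and address names come from the post; the function names, the `--max-time` curl option and the constructed sample `ip tunnel show` line are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: keep the wccp0 GRE tunnel's remote
# endpoint in sync with the ASA's current outside IP and make the iptables
# redirect idempotent. Names match the post; function names are assumptions.

TUN=wccp0
NIC=eth0
LOCAL_IP=192.168.1.2
SQUID_PORT=3128
IP_SERVICE=http://myip.dnsomatic.com/

# Succeed only for a syntactically valid dotted-quad IPv4 address, so an empty
# reply or an HTML error page from the lookup service is never handed to `ip`.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the remote endpoint found in `ip tunnel show <name>` output read from
# stdin. Constructed sample line:
#   wccp0: gre/ip remote 203.0.113.7 local 192.168.1.2 dev eth0 ttl inherit
tunnel_remote() {
    sed -n 's/.* remote \([0-9.]*\) .*/\1/p' | head -n 1
}

# Fetch the current outside address; print nothing and fail if the lookup
# produces anything other than an IPv4 address.
current_external_ip() {
    ext=$(curl -s --max-time 10 "$IP_SERVICE") || return 1
    is_ipv4 "$ext" || return 1
    printf '%s\n' "$ext"
}

# Append the REDIRECT rule only if it is not already present (-C checks for it),
# so re-running the script does not stack duplicate rules.
ensure_redirect_rule() {
    iptables -t nat -C PREROUTING -i "$TUN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT" 2>/dev/null \
        || iptables -t nat -A PREROUTING -i "$TUN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

# Rebuild the tunnel only when the ASA's outside IP differs from the one the
# tunnel was created with; otherwise WCCP reports a connected cache engine while
# the GRE path silently points at a stale address.
sync_tunnel() {
    ext=$(current_external_ip) || { echo "external IP lookup failed" >&2; return 1; }
    cur=$(ip tunnel show "$TUN" 2>/dev/null | tunnel_remote)
    if [ "$cur" = "$ext" ]; then
        echo "$TUN already points at $ext"
    else
        [ -n "$cur" ] && ip tunnel del "$TUN"
        ip tunnel add "$TUN" mode gre remote "$ext" local "$LOCAL_IP" dev "$NIC"
        ip addr add "$LOCAL_IP"/32 dev "$TUN"
        ip link set "$TUN" up
        echo 0 >/proc/sys/net/ipv4/conf/"$TUN"/rp_filter
        echo "$TUN rebuilt: ${cur:-none} -> $ext"
    fi
    ensure_redirect_rule
}

# Usage: invoke with "sync" as the argument, from the post-up hook or a cron job.
case "${1:-}" in
    sync) sync_tunnel ;;
esac
```

Running this periodically (for example every few minutes from cron) turns the dynamic-IP problem into a self-healing one: the tunnel follows the ASA's address, and the redirect rule is added exactly once instead of once per interface up-event.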