Configuring WCCPv2 with a Dynamic IP

Setting up squid on Debian is fairly straight forward and my previous post explored that topic in depth. This time I want to share how I configured squid to communicate with my ASA 5505 which has a dynamic IP address. If you followed the earlier suggested guide you will notice it requires the ASA’s outside IP address. For a dynamic IP this would require editing the configuration each time. To avoid this I did the following:

Tell Debian to automatically load module ip_gre on boot by adding this line to ‘/etc/modules’:


On Debian instruct networking to launch the script wccp2 after the NIC is up:

iface eth0 inet static
        post-up /etc/network/if-up.d/wccp2

Save the following to ‘/etc/network/if-up.d/wccp2’:


EXT=$(curl -s

modprobe ip_gre
ip tunnel add wccp0 mode gre remote $EXT local dev eth0

ifconfig wccp0 netmask up
echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE

At this point you have the required tunnels built and you will notice the script grabs the internet facing IP using curl. If you do not have curl installed this will fail.

To get curl:

apt-get install curl

Finally, configure squid for wccpv2 by adding the following lines to ‘/etc/squid3/squid.conf’:

wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

On the ASA you can monitor the status of wccp using the following command:

sh wccp

Sample Output:

ciscoasa# sh wccp

Global WCCP information:
    Router information:
	Router Identifier:         
	Protocol Version:                    2.0

    Service Identifier: web-cache
	Number of Cache Engines:             1
	Number of routers:                   1
	Total Packets Redirected:            5879091
	Redirect access-list:                wccp_redirect
	Total Connections Denied Redirect:   0
	Total Packets Unassigned:            40
	Group access-list:                   -none-
	Total Messages Denied to Group:      0
	Total Authentication failures:       0
	Total Bypassed Packets Received:     0

The number of cache engines should be 1 if squid is properly connected. If squid is connected but doesn’t appear to be working it means your GRE tunnel is not setup correctly. Check your IPs at this point.

Leave a Reply

Your email address will not be published. Required fields are marked *