On 16.07.2012 12:50, Jack Black wrote:
> Hi.
>
> I am a network technician, working for a small company that is based
> in the middle of nowhere in a camp up North, and we provide internet
> to nearly 1000 clients. The managers of the camp have asked us to
> implement a system where users will be directed to a page that has
> some important, camp related information (safety policies, upcoming
> events, fire warnings, etc.). Using squid and the ext_session_acl
> helper, along with our Cisco router's WCCP, and some very helpful
> advice from Amos, I have created such a system, and have been testing
> it for the past few hours. While the test has been fairly short so
> far, and has not been under full load (at peak times), it seems to be
> working perfectly. The only thing stopping it from working at full
> capacity now is the fact that our network is divided into multiple
> subnets, and according to some forum posts I have read, the squid
> proxy server and the clients have to be on the same subnet when using
> WCCP and a GRE tunnel. I have tried to use ACLs on the Cisco router
> to
> direct clients from other subnets to the squid proxy, but as the
> posts
> suggested, those clients fail to connect. An image depicting the
> setup
> can be found here:
>
> http://dxgameunit.webs.com/subnet%20problem.png
>
> Does anyone know if it is even theoretically possibly to have the
> squid proxy and the clients in different subnets in this case? What
> would that require? Is that something that needs to be addressed
> through squid, the cisco router, or the iptables rules on the squid
> proxy's OS?
>
> Tal
The issue as you noted in earlier email is not Squid, nor anything on
its machine. The ASA and in particular the use of WCCP and GRE it
provides is directly causing it.
To resolve your problems you are therefore required to drop WCCP and
GRE. Moving instead to true policy routing to pass packets to the Squid
machine.
The routing topology in the ASA needs to move packets like so:
if arriving from the client interface -> gateway via Squid
if arriving from the Internet interface -> gateway via Squid
else -> gateway per the packet destination IP.
Amos
Received on Mon Jul 16 2012 - 01:59:54 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 19 2012 - 12:00:02 MDT