I have deployed this scenario:
ISP <==> ASA <==> SWITCH <==> LAN + SQUID
The Squid server sits on the same ASA INSIDE interface, but in a different VLAN.
tcpdump -nni wccp0 -p tcp and port 80
09:59:10.013059 IP 10.30.0.104.43210 > 134.170.58.121.80: Flags [S], seq 28582661, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.127053 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.641802 IP 192.168.192.2.56099 > 140.108.21.70.80: Flags [R], seq 1167442925, win 0, length 0
09:59:19.126040 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:21.130148 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:25.134761 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
root@proxy-bsn:/home/test-proxy# iptables -S -t nat -v
-P PREROUTING ACCEPT -c 218 29419
-P INPUT ACCEPT -c 330 35243
-P OUTPUT ACCEPT -c 121 7535
-P POSTROUTING ACCEPT -c 121 7535
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -c **112 5824** -j DNAT --to-destination 10.30.0.120:3129
tcpdump shows that the WCCP path between the ASA and the proxy is working, but from the client's point of view the browser error is
This page can't be displayed
I assumed the firewall was causing this, so I checked and got:
$ sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.arp_filter = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.arp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em3.arp_filter = 0
net.ipv4.conf.em3.rp_filter = 0
net.ipv4.conf.em4.arp_filter = 0
net.ipv4.conf.em4.rp_filter = 0
net.ipv4.conf.em49.arp_filter = 0
net.ipv4.conf.em49.rp_filter = 0
net.ipv4.conf.em50.arp_filter = 0
net.ipv4.conf.em50.rp_filter = 0
net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.gretap0.arp_filter = 0
net.ipv4.conf.gretap0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wccp0.arp_filter = 0
net.ipv4.conf.wccp0.rp_filter = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"
$ sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.em1.forwarding = 1
net.ipv4.conf.em1.mc_forwarding = 0
net.ipv4.conf.em2.forwarding = 1
net.ipv4.conf.em2.mc_forwarding = 0
net.ipv4.conf.em3.forwarding = 1
net.ipv4.conf.em3.mc_forwarding = 0
net.ipv4.conf.em4.forwarding = 1
net.ipv4.conf.em4.mc_forwarding = 0
net.ipv4.conf.em49.forwarding = 1
net.ipv4.conf.em49.mc_forwarding = 0
net.ipv4.conf.em50.forwarding = 1
net.ipv4.conf.em50.mc_forwarding = 0
net.ipv4.conf.gre0.forwarding = 1
net.ipv4.conf.gre0.mc_forwarding = 0
net.ipv4.conf.gretap0.forwarding = 1
net.ipv4.conf.gretap0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wccp0.forwarding = 1
net.ipv4.conf.wccp0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.em1.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
net.ipv6.conf.em2.forwarding = 1
net.ipv6.conf.em2.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
net.ipv6.conf.em3.forwarding = 1
net.ipv6.conf.em3.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
net.ipv6.conf.em4.forwarding = 1
net.ipv6.conf.em4.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em49.stable_secret"
net.ipv6.conf.em49.forwarding = 1
net.ipv6.conf.em49.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.em50.stable_secret"
net.ipv6.conf.em50.forwarding = 1
net.ipv6.conf.em50.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gre0.stable_secret"
net.ipv6.conf.gre0.forwarding = 1
net.ipv6.conf.gre0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.gretap0.stable_secret"
net.ipv6.conf.gretap0.forwarding = 1
net.ipv6.conf.gretap0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.wccp0.stable_secret"
net.ipv6.conf.wccp0.forwarding = 1
net.ipv6.conf.wccp0.mc_forwarding = 0
I don't see any problem. There is an article saying that a WCCP deployment with ASA + Squid must be on the same subnet. Well, I tried that and it failed too.
This is the uname of my proxy box:
$ uname -a
Linux proxy-bsn 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ squid3 -v
Squid Cache: Version 3.3.8
http_port 3128
http_port 3129 intercept
wccp_version 4
wccp2_router 192.192.168.254
wccp2_forwarding_method gre
wccp2_return_method gre
Finally, I tried running tcpdump on port 3129 ... nothing shows up.
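As an added diagnostic (example code, not part of the original post), the script below reads tcpdump text output like the capture above and lists the client flows whose SYNs never drew a SYN/ACK, counting retransmissions by repeated sequence number. That is exactly the pattern in the post's capture (the same SYN from 10.30.0.104.56278 repeated at 1 s, 2 s and 4 s back-off), and it separates "packets are reaching wccp0" from "the intercepted connection is being answered". The sample lines are constructed after the post's capture, with one healthy handshake to 203.0.113.10 added for contrast; flow keys and the `SAMPLE` name are this example's own.

```python
import re
import sys
from collections import defaultdict

# Matches the one-line-per-packet form of "tcpdump -nn" TCP output.
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)

# Constructed sample, modelled on the capture in the post: two client SYNs
# that are never answered (one retransmitted three times with the same
# sequence number), one RST, and one healthy handshake added for contrast.
SAMPLE = """\
09:59:10.013059 IP 10.30.0.104.43210 > 134.170.58.121.80: Flags [S], seq 28582661, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.127053 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:18.641802 IP 192.168.192.2.56099 > 140.108.21.70.80: Flags [R], seq 1167442925, win 0, length 0
09:59:19.126040 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:20.000000 IP 10.30.0.104.60001 > 203.0.113.10.80: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
09:59:20.001000 IP 203.0.113.10.80 > 10.30.0.104.60001: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
09:59:20.001500 IP 10.30.0.104.60001 > 203.0.113.10.80: Flags [.], ack 1, win 229, length 0
09:59:21.130148 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
09:59:25.134761 IP 10.30.0.104.56278 > 45.121.219.210.80: Flags [S], seq 867504285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
""".splitlines()


def classify_flows(lines):
    """Group packets by (client, cport, server, sport) and count SYNs,
    SYN/ACKs, RSTs and the distinct SYN sequence numbers of each flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "syn_seqs": set()})
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, non-TCP packet or truncated line
        p = m.groupdict()
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if flags == "S":                # client -> server SYN
            f = flows[fwd]
            f["syn"] += 1
            f["syn_seqs"].add(p["seq"])
        elif flags == "S.":             # server -> client SYN/ACK: credit the client's flow
            flows[rev]["synack"] += 1
        elif "R" in flags:              # reset from either side
            key = rev if rev in flows else fwd
            flows[key]["rst"] += 1
    return flows


def unanswered_syns(lines):
    """Flows where the client sent SYNs but no SYN/ACK ever came back.
    Returns {flow: (syn_count, retransmissions)}; a retransmission is a SYN
    that repeats an already-seen sequence number."""
    out = {}
    for key, f in classify_flows(lines).items():
        if f["syn"] and not f["synack"]:
            out[key] = (f["syn"], f["syn"] - len(f["syn_seqs"]))
    return out


if __name__ == "__main__":
    # Pipe live output in ("tcpdump -nn -i wccp0 tcp port 80 | python3 this.py")
    # or run with no input to analyse the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (cip, cport, sip, sport), (syns, rexmit) in unanswered_syns(source).items():
        print(f"{cip}:{cport} -> {sip}:{sport}: {syns} SYN(s), {rexmit} retransmitted, no SYN/ACK")
```

On the capture in the post every flow on wccp0 falls into the "no SYN/ACK" bucket, which is consistent with the DNAT counters rising while nothing is seen on port 3129: the redirected SYNs arrive, but whatever should answer them on the proxy side never does. The same script run against a capture on the interface facing the origin servers tells you whether Squid ever opened the upstream connection at all.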