From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Aug 29 2005 - 14:39:54 GMT-3
I have a 3030 Concentrator, PIX, and a pair of 3725 routers that reside in a
perimeter private (10.10.180.0/24) subnet. The PIX and Concentrator both
have interfaces in this subnet and interfaces in public address space. The
3725's sit between the 10.10.180.0/24 subnet and the rest of my private
network.

Addressing involved: 3725's = 10.10.180.1 (VRRP address), PIX =
10.10.180.4, Concentrator = 10.10.180.5

Remote VPN sites using 3002 hardware clients come into our network via the
Concentrator and terminate in the 10.10.180.0/24 subnet. For Internet
access from these VPN remote sites, the Concentrator sends that traffic
directly to the PIX, which bypasses Websense filtering since the traffic
never hits the 3725's running WCCP. I want to change the inside gateway on
the Concentrator to point to the 3725's instead but I believe the 3725's will
use an ICMP redirect to allow the Concentrator to send traffic directly to
the PIX anyway, which will still bypass Websense.

I opened a case with TAC to see if I would break anything by turning off ip
redirects and the Engineer said if I do that to the 3725 interfaces that
also contain the WCCP config, it would break the WCCP redirects. However, I
don't know if I agree with that since everything I can find on "ip
redirects" seems only to involve ICMP and nothing else and as far as I know
WCCP doesn't use ICMP.

Can anybody verify whether or not this is true?

Here is the config for the interfaces on the 3725's that I want to disable
ICMP redirects:

interface FastEthernet0/0
 description MB0GCR-IS-01-0/0
 ip address 10.10.180.2 255.255.252.0
 ip helper-address 10.10.9.90
 ip wccp redirect exclude in
 ip wccp web-cache redirect out
 duplex auto
 speed auto
 vrrp 1 ip 10.10.180.1
 vrrp 1 priority 200
End

Thanks,
Rik
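
Added example, not part of the original post: a small Python model of the documented conditions under which an IOS router sends an ICMP redirect (the packet leaves the interface it arrived on, the sender and the next hop are both on that interface's subnet, and ip redirects is enabled), applied to the FastEthernet0/0 addressing above. The default route via the PIX, the remote source 192.168.50.10 and the destination 198.51.100.7 are assumptions; source-routed packets and WCCP are not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    ip_redirects: bool = True  # IOS default: "ip redirects" is on

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    out_if: Interface

def build_router(ip_redirects=True):
    # Address and mask as posted for FastEthernet0/0.
    fa0 = Interface("FastEthernet0/0",
                    ipaddress.ip_interface("10.10.180.2/255.255.252.0").network,
                    ip_redirects)
    # ASSUMPTION: the 3725's default route points at the PIX (10.10.180.4).
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_address("10.10.180.4"), fa0)]
    return fa0, routes

def lookup(routes, dst):
    """Longest-prefix match; None if no route covers dst."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def sends_icmp_redirect(in_if, src, dst, routes):
    """True when the router would emit an ICMP redirect for this packet."""
    route = lookup(routes, ipaddress.ip_address(dst))
    if route is None:
        return False
    return (in_if.ip_redirects                              # not disabled
            and route.out_if is in_if                       # leaves where it arrived
            and ipaddress.ip_address(src) in in_if.network  # sender is on-link
            and route.next_hop in in_if.network)            # next hop is on-link

if __name__ == "__main__":
    fa0, routes = build_router()
    # Constructed packets: 198.51.100.7 is a documentation address.
    for src in ("10.10.180.5", "192.168.50.10"):
        print(src, sends_icmp_redirect(fa0, src, "198.51.100.7", routes))
    fa0_off, routes_off = build_router(ip_redirects=False)
    print("no ip redirects:",
          sends_icmp_redirect(fa0_off, "10.10.180.5", "198.51.100.7", routes_off))
```

In this model a packet sourced from the Concentrator's own address (10.10.180.5) meets every redirect condition, while one that keeps an off-subnet source address does not.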