RE: ICMP and WCCP redirects

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Aug 29 2005 - 15:42:47 GMT-3


Scott thanks for the confirmation. I'm not trying to run WCCP through the
PIX...tried that before and it wasn't pretty... ;-) Content Engine is in
the same subnet as everything else.

Maybe I should have just made the changes I thought necessary but was
wanting confirmation from TAC beforehand. I support thousands of users so
even "breaking" the Internet can be the end of the world around here hehe.

I like the way the PIX integrates with Websense better but for the reason
above, changing the integration is no small feat unless a rebuild of
Websense is no longer needed to do this (used to be as I recall). Changing
the inside gateway on the Concentrator is the solution with the least
negative impact so long as I can turn off the ICMP redirects without
breaking Websense filtering altogether, which looks like it will work.

Rik

-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Monday, August 29, 2005 2:27 PM
To: 'Guyler, Rik'; ccielab@groupstudy.com
Subject: RE: ICMP and WCCP redirects

The TAC engineer was mistaken. ICMP redirects are when a router thinks you
are going the wrong direction and is trying to help you. WCCP redirect is a
completely different beast and happens transparent to the end user. That's
actually application driven by your web-cache.

Bear in mind though that if you are using the web-cache to actually cache
pages, it does so by spoofing clients'n'server IPs. If trying to do this
through a PIX (web-cache separate from users) the PIX gets really pissed.

HTH,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Guyler, Rik
Sent: Monday, August 29, 2005 1:40 PM
To: ccielab@groupstudy.com
Subject: OT: ICMP and WCCP redirects

I have a 3030 Concentrator, PIX, and a pair of 3725 routers that reside in a
perimeter private (10.10.180.0/24) subnet. The PIX and Concentrator both
have interfaces in this subnet and interfaces in public address space. The
3725's sit between the 10.10.180.0/24 subnet and the rest of my private
network.

Addressing involved: 3725's = 10.10.180.1 (VRRP address), PIX =
10.10.180.4, Concentrator = 10.10.180.5

Remote VPN sites using 3002 hardware clients come into our network via the
Concentrator and terminate in the 10.10.180.0/24 subnet. For Internet
access from these VPN remote sites, the Concentrator sends that traffic
directly to the PIX, which bypasses Websense filtering since the traffic
never hits the 3725's running WCCP. I want to change the inside gateway on
the Concentrator to point to the 3725's instead but I believe the 3725's will
use an ICMP redirect to allow the Concentrator to send traffic directly to
the PIX anyway, which will still bypass Websense.

I opened a case with TAC to see if I would break anything by turning off ip
redirects and the Engineer said if I do that to the 3725 interfaces that
also contain the WCCP config, it would break the WCCP redirects. However, I
don't know if I agree with that since everything I can find on "ip
redirects" seems only to involve ICMP and nothing else and as far as I know
WCCP doesn't use ICMP.

Can anybody verify whether or not this is true?

Here is the config for the interfaces on the 3725's that I want to disable
ICMP redirects:

interface FastEthernet0/0
 description MB0GCR-IS-01-0/0
 ip address 10.10.180.2 255.255.252.0
 ip helper-address 10.10.9.90
 ip wccp redirect exclude in
 ip wccp web-cache redirect out
 duplex auto
 speed auto
 vrrp 1 ip 10.10.180.1
 vrrp 1 priority 200
end

Thanks,

Rik

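The point Scott makes above (ICMP redirects and WCCP redirection are unrelated mechanisms) can be checked against Rik's topology with a small model of the 3725's forwarding decision. The following Python is an added example written for this archive page, not code from either poster or from Cisco; it implements the ICMP-redirect condition from RFC 1812 (packet leaves the interface it arrived on, the next hop is on that interface's subnet, redirects not disabled) and treats "ip wccp web-cache redirect out" as a separate check on TCP/80 traffic leaving the interface. WCCP itself signals over UDP/2048 and carries redirected packets in GRE or Layer 2, so no ICMP is involved. Assumptions: FastEthernet0/0 is taken as 10.10.180.2/24 (the prose says /24; the pasted config shows a /22 mask), an inside interface FastEthernet0/1 at 10.10.20.1/24 and an Internet host 203.0.113.10 are constructed, and "ip wccp redirect exclude in" is not modelled.

```python
"""Model of an IOS router's ICMP-redirect and WCCP-redirect decisions (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # interface address with mask
    ip_redirects: bool = True          # IOS default is on; "no ip redirects" makes this False
    wccp_redirect_out: bool = False    # "ip wccp web-cache redirect out"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    egress: str


@dataclass
class Verdict:
    egress: str
    next_hop: str
    icmp_redirect: bool   # would the router send an ICMP redirect to the source?
    wccp_redirect: bool   # would the packet be handed to the web-cache?


class Router:
    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = routes

    def lookup(self, dst: ipaddress.IPv4Address) -> Route:
        """Longest-prefix match over the static routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, src: str, dst: str, in_iface: str, tcp_dport: int) -> Verdict:
        src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        route = self.lookup(dst_ip)
        ingress = self.interfaces[in_iface]
        egress = self.interfaces[route.egress]
        # ICMP redirect (RFC 1812 s5.2.7.2): the packet goes back out the interface it
        # arrived on, the next hop sits on that interface's subnet, the source is on that
        # subnet too, and redirects have not been disabled on the interface.
        icmp_redirect = (
            ingress.ip_redirects
            and route.egress == in_iface
            and route.next_hop in ingress.address.network
            and src_ip in ingress.address.network
        )
        # WCCP web-cache service: TCP/80 leaving an interface configured with
        # "redirect out" is diverted to the cache engine. Nothing from the ICMP
        # decision above feeds into this check.
        wccp_redirect = egress.wccp_redirect_out and tcp_dport == 80
        return Verdict(route.egress, str(route.next_hop), icmp_redirect, wccp_redirect)


def build_3725(ip_redirects: bool) -> Router:
    """Rik's perimeter router with the default route pointing at the PIX (10.10.180.4)."""
    fa0_0 = Interface("FastEthernet0/0", ipaddress.IPv4Interface("10.10.180.2/24"),
                      ip_redirects=ip_redirects, wccp_redirect_out=True)
    fa0_1 = Interface("FastEthernet0/1", ipaddress.IPv4Interface("10.10.20.1/24"))  # constructed
    default = Route(ipaddress.IPv4Network("0.0.0.0/0"),
                    ipaddress.IPv4Address("10.10.180.4"), "FastEthernet0/0")
    return Router([fa0_0, fa0_1], [default])


def run_scenarios(ip_redirects: bool) -> dict:
    """Three constructed flows: VPN HTTP, VPN HTTPS, and inside-LAN HTTP to 203.0.113.10."""
    r = build_3725(ip_redirects)
    return {
        # Concentrator (10.10.180.5) hands Internet-bound web traffic to the 3725 on Fa0/0
        "vpn_http": r.forward("10.10.180.5", "203.0.113.10", "FastEthernet0/0", 80),
        "vpn_https": r.forward("10.10.180.5", "203.0.113.10", "FastEthernet0/0", 443),
        # Inside user arriving on Fa0/1, leaving on Fa0/0
        "lan_http": r.forward("10.10.20.7", "203.0.113.10", "FastEthernet0/1", 80),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"ip redirects {'on' if setting else 'off'}:")
        for name, v in run_scenarios(setting).items():
            print(f"  {name:9} -> {v.egress} via {v.next_hop}  "
                  f"icmp_redirect={v.icmp_redirect}  wccp_redirect={v.wccp_redirect}")
```

With redirects on, the Concentrator's HTTP flow triggers both an ICMP redirect (pointing it straight at the PIX) and a WCCP redirect; with "no ip redirects" on FastEthernet0/0 the ICMP redirect disappears while the WCCP verdict is unchanged, and the inside-LAN flow never sees an ICMP redirect because it leaves by a different interface than it entered.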


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3