From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Wed Sep 14 2005 - 16:10:08 GMT-3
I'm working out a WCCP issue and TAC has been no use whatsoever with this so
I'm asking the Group for assistance. Can WCCP be set up on a router to
redirect both inbound and outbound traffic on the same interface?
Here's my setup:
Internal ==> <VRRP<R1/R2>VRRP>==External==> Content Engine,Websense,3030,
PIX, Router, etc.
My internal private network connects to my external private subnet via a
pair of routers running VRRP. This router pair is running WCCP that
forwards web requests to a Cisco Content Engine that integrates with
Websense. Both the CE and Websense boxes reside in the external subnet as
do the private interfaces for the 3030 Concentrator and the PIX.
Internet traffic from the internal subnets gets redirected to the CE and
filtered by Websense just fine. However, traffic from my remote VPN sites
that connect in through the 3030 Concentrator does not. The internal
default gateway on the Concentrator is set to the VRRP address (external) on
the router pair, not the PIX inside interface and a traceroute proves that
remote site traffic is hitting the VRRP pair first then on to the PIX (I did
turn off ip redirects on the router interfaces).
Since the routing is correct, I'm guessing that my WCCP configuration is not
quite right or what I'm trying to do is impossible and I need another router
in place. If somebody can take a look at this and tell me where I'm
screwing up I would be oh so grateful. I've tried to change the WCCP here
and there but I either wind up breaking Internet access entirely or leave it
wide open. I've been staring at this for just too long and it's all
blending together... ;-)
Here is a partial config from one of the VRRP routers:
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname MB0GCR-IR-01
!
logging queue-limit 100
logging buffered 8192 informational
no logging console
enable secret
!
clock timezone eastern -5
clock summer-time eastern recurring
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login tacdown group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
ip subnet-zero
ip rcmd rcp-enable
ip rcmd remote-host cwuser 10.10.15.15 cwuser enable
ip wccp web-cache redirect-list 120
!
ip cef
no ip domain lookup
ip name-server 10.10.2.10
!
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback1
ip address 10.10.176.33 255.255.255.224
!
interface FastEthernet0/0
description MB0GCR-IS-01-0/0 <=== External Private Network
ip address 10.10.180.2 255.255.252.0
ip helper-address 10.10.9.90
no ip redirects
ip wccp redirect exclude in
ip wccp web-cache redirect out
duplex auto
speed auto
vrrp 1 ip 10.10.180.1
vrrp 1 priority 200
!
interface FastEthernet1/0 <=== Redundant connection to Internal Private Network
description CSW-01-9/3
ip address 10.10.253.186 255.255.255.252
ip summary-address eigrp 1 10.10.176.0 255.255.248.0 5
full-duplex
!
interface FastEthernet2/0 <=== Redundant connection to Internal Private Network
description CSW-02-9/3
ip address 10.10.253.194 255.255.255.252
ip summary-address eigrp 1 10.10.176.0 255.255.248.0 5
full-duplex
!
router eigrp 1
redistribute static metric 100000 100 255 255 1500 route-map MRHVPN
passive-interface FastEthernet0/1
network 10.0.0.0
no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback1
!
access-list 120 deny tcp host 10.10.17.38 any
access-list 120 deny tcp host 10.10.17.39 any
access-list 120 deny tcp 10.10.44.240 0.0.0.7 any
access-list 120 deny tcp 10.16.231.92 0.0.0.1 any
access-list 120 deny tcp 10.10.14.64 0.0.0.63 any
access-list 120 deny tcp host 10.20.49.35 any
access-list 120 deny tcp any 10.10.180.0 0.0.3.255
access-list 120 deny ip host 10.10.180.24 any
access-list 120 deny tcp host 10.10.117.63 any
access-list 120 permit ip any any
Thanks in advance!
Rik
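Added example, not part of Rik's post and not Cisco code: a small model of the WCCP redirect decision for the configuration quoted above, so the effect of each directive on a given flow can be traced. It assumes the IOS semantics as documented (web-cache service group covers TCP/80; `ip wccp web-cache redirect out` makes packets leaving an interface candidates for redirection; `ip wccp redirect exclude in` exempts every packet that entered on that interface regardless of where it exits; a redirect-list ACL redirects only what it permits). The ACL is copied from the post; the interface assignments of the flows follow the diagram; the client addresses 10.10.20.5, 10.30.1.10 and 198.51.100.10 are made up. Whether the model matches what Rik's router actually does is not something the thread settles.

```python
"""WCCP redirect-decision model for the router config quoted in the post.
Assumed IOS semantics (see lead-in), not verified against the real router."""
import ipaddress
from dataclasses import dataclass

# redirect-list 120, copied verbatim from the post.
ACL_120 = """
access-list 120 deny tcp host 10.10.17.38 any
access-list 120 deny tcp host 10.10.17.39 any
access-list 120 deny tcp 10.10.44.240 0.0.0.7 any
access-list 120 deny tcp 10.16.231.92 0.0.0.1 any
access-list 120 deny tcp 10.10.14.64 0.0.0.63 any
access-list 120 deny tcp host 10.20.49.35 any
access-list 120 deny tcp any 10.10.180.0 0.0.3.255
access-list 120 deny ip host 10.10.180.24 any
access-list 120 deny tcp host 10.10.117.63 any
access-list 120 permit ip any any
"""

# Per-interface WCCP directives from the post; only Fa0/0 carries any.
WCCP_IFACES = {
    "FastEthernet0/0": {"exclude_in": True, "redirect_out": True},
    "FastEthernet1/0": {"exclude_in": False, "redirect_out": False},
    "FastEthernet2/0": {"exclude_in": False, "redirect_out": False},
}


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", ...
    src: tuple    # (address, wildcard) as ints
    dst: tuple


def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _matches(spec, ip):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_acl(text, number):
    """Parse the numbered extended ACL lines of `text` into AclEntry objects."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)]:
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[2], tokens[3], src, dst))
    return entries


def acl_permits(entries, proto, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for e in entries:
        if e.proto in ("ip", proto) and _matches(e.src, src) and _matches(e.dst, dst):
            return e.action == "permit"
    return False


def wccp_decision(ingress, egress, proto, src, dst, dport, acl):
    """Return (redirected, reason) for one packet under the quoted config."""
    if proto != "tcp" or dport != 80:
        return False, "web-cache service group only covers TCP/80"
    if WCCP_IFACES[ingress]["exclude_in"]:
        return False, f"'ip wccp redirect exclude in' on {ingress} exempts packets received there"
    if not WCCP_IFACES[egress]["redirect_out"]:
        return False, f"no 'redirect out' on {egress}"
    if not acl_permits(acl, proto, src, dst):
        return False, "denied by redirect-list 120"
    return True, "redirected to the web-cache service group"


def evaluate_scenarios(acl):
    """Constructed flows; returns [(name, redirected, reason)]."""
    flows = [
        ("internal client -> Internet", "FastEthernet1/0", "FastEthernet0/0", "tcp", "10.10.20.5", "198.51.100.10", 80),
        ("VPN site via 3030 -> Internet", "FastEthernet0/0", "FastEthernet0/0", "tcp", "10.30.1.10", "198.51.100.10", 80),
        ("internal client -> external subnet", "FastEthernet1/0", "FastEthernet0/0", "tcp", "10.10.20.5", "10.10.181.7", 80),
        ("internal client -> HTTPS", "FastEthernet1/0", "FastEthernet0/0", "tcp", "10.10.20.5", "198.51.100.10", 443),
    ]
    return [(name,) + wccp_decision(i, o, p, s, d, port, acl) for name, i, o, p, s, d, port in flows]


if __name__ == "__main__":
    for name, hit, why in evaluate_scenarios(parse_acl(ACL_120, 120)):
        print(f"{name:38} {'REDIRECT' if hit else 'bypass  '}  {why}")
```

In this model the only flow that reaches the CE is the one that enters on an internal interface and leaves on Fa0/0; a flow that both enters and leaves on Fa0/0 (the Concentrator-to-PIX path in the diagram) is stopped by the `exclude in` before the `redirect out` or the ACL is consulted.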
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3