Re: WCCP foibles and follies

From: john matijevic (john.matijevic@gmail.com)
Date: Wed Sep 14 2005 - 17:14:27 GMT-3


Hello Rik,
I would try redirecting on different interfaces, to see if the issue is on
the same interface, otherwise Cisco TAC should be able to reproduce your
issue.
Sincerely,
John

On 9/14/05, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> I'm working out a WCCP issue and TAC has been no use whatsoever with this
> so
> I'm asking the Group for assistance. Can WCCP be setup on a router to
> redirect both inbound and outbound traffic on the same interface?
>
> Here's my setup:
>
> Internal ==> <VRRP<R1/R2>VRRP>==External==> Content Engine,Websense,3030,
> PIX, Router, etc.
>
> My internal private network connects to my external private subnet via a
> pair of routers running VRRP. This router pair is running WCCP that
> forwards web requests to a Cisco Content Engine that integrates with
> Websense. Both the CE and Websense boxes reside in the external subnet as
> do the private interfaces for the 3030 Concentrator and the PIX.
>
> Internet traffic from the internal subnets gets redirected to the CE and
> filtered by Websense just fine. However, traffic from my remote VPN sites
> that connect in through the 3030 Concentrator does not. The internal
> default gateway on the Concentrator is set to the VRRP address (external)
> on
> the router pair, not the PIX inside interface and a traceroute proves that
> remote site traffic is hitting the VRRP pair first then on to the PIX (I
> did
> turn off ip redirects on the router interfaces).
>
> Since the routing is correct, I'm guessing that my WCCP configuration is
> not
> quite right or what I'm trying to do is impossible and I need another
> router
> in place. If somebody can take a look at this and tell me where I'm
> screwing up I would be oh so grateful. I've tried to change the WCCP here
> and there but I either wind up breaking Internet access entirely or leave
> it
> wide open. I've been staring at this for just too long and it's all
> blending together... ;-)
>
> Here is a partial config from one of the VRRP routers:
>
> version 12.2
> no service pad
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service compress-config
> !
> hostname MB0GCR-IR-01
> !
> logging queue-limit 100
> logging buffered 8192 informational
> no logging console
> enable secret
> !
> clock timezone eastern -5
> clock summer-time eastern recurring
> aaa new-model
> !
> aaa authentication login default group tacacs+ local
> aaa authentication login tacdown group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa accounting exec default start-stop group tacacs+
> aaa session-id common
> ip subnet-zero
> ip rcmd rcp-enable
> ip rcmd remote-host cwuser 10.10.15.15 cwuser enable
> ip wccp web-cache redirect-list 120
> !
> ip cef
> no ip domain lookup
> ip name-server 10.10.2.10
> !
> ip audit notify log
> ip audit po max-events 100
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> mta receive maximum-recipients 0
> !
> interface Loopback1
> ip address 10.10.176.33 255.255.255.224
> !
> interface FastEthernet0/0
> description MB0GCR-IS-01-0/0 <=== External Private Network
> ip address 10.10.180.2 255.255.252.0
> ip helper-address 10.10.9.90
> no ip redirects
> ip wccp redirect exclude in
> ip wccp web-cache redirect out
> duplex auto
> speed auto
> vrrp 1 ip 10.10.180.1
> vrrp 1 priority 200
> !
> interface FastEthernet1/0 <=== Redundant connection to Internal Private Network
> description CSW-01-9/3
> ip address 10.10.253.186 255.255.255.252
> ip summary-address eigrp 1 10.10.176.0 255.255.248.0 5
> full-duplex
> !
> interface FastEthernet2/0 <=== Redundant connection to Internal Private Network
> description CSW-02-9/3
> ip address 10.10.253.194 255.255.255.252
> ip summary-address eigrp 1 10.10.176.0 255.255.248.0 5
> full-duplex
> !
> router eigrp 1
> redistribute static metric 100000 100 255 255 1500 route-map MRHVPN
> passive-interface FastEthernet0/1
> network 10.0.0.0
> no auto-summary
> !
> no ip http server
> no ip http secure-server
> ip classless
> ip tacacs source-interface Loopback1
> !
> access-list 120 deny tcp host 10.10.17.38 any
> access-list 120 deny tcp host 10.10.17.39 any
> access-list 120 deny tcp 10.10.44.240 0.0.0.7 any
> access-list 120 deny tcp 10.16.231.92 0.0.0.1 any
> access-list 120 deny tcp 10.10.14.64 0.0.0.63 any
> access-list 120 deny tcp host 10.20.49.35 any
> access-list 120 deny tcp any 10.10.180.0 0.0.3.255
> access-list 120 deny ip host 10.10.180.24 any
> access-list 120 deny tcp host 10.10.117.63 any
> access-list 120 permit ip any any
>
>
> Thanks in advance!
>
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
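Added here as an illustration, not part of the thread: a Python model of the router's web-cache redirect decision, driven by the interface settings and a subset of redirect-list 120 from the quoted config. It assumes the documented IOS semantics that `ip wccp redirect exclude in` exempts packets received on that interface from any redirection check and that the `web-cache` service group covers only TCP port 80; the sample hosts in the test are constructed.

```python
import ipaddress

# Subset of the quoted redirect-list 120 (same wildcard masks as in the post).
# In a WCCP redirect-list, "deny" means "do not redirect", "permit" means "redirect".
REDIRECT_LIST_120 = [
    ("deny",   "tcp", "10.10.17.38",  "0.0.0.0",         "0.0.0.0",     "255.255.255.255"),
    ("deny",   "tcp", "10.10.44.240", "0.0.0.7",         "0.0.0.0",     "255.255.255.255"),
    ("deny",   "tcp", "0.0.0.0",      "255.255.255.255", "10.10.180.0", "0.0.3.255"),
    ("deny",   "ip",  "10.10.180.24", "0.0.0.0",         "0.0.0.0",     "255.255.255.255"),
    ("permit", "ip",  "0.0.0.0",      "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]

# WCCP settings per interface, as in the quoted config (only FastEthernet0/0 has any).
INTERFACES = {
    "FastEthernet0/0": {"redirect_in": False, "redirect_out": True,  "exclude_in": True},
    "FastEthernet1/0": {"redirect_in": False, "redirect_out": False, "exclude_in": False},
    "FastEthernet2/0": {"redirect_in": False, "redirect_out": False, "exclude_in": False},
}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, p, src_base, src_wc, dst_base, dst_wc in acl:
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action == "permit"
    return False

def is_redirected(in_if, out_if, proto, src, dst, dport, acl=REDIRECT_LIST_120):
    """Model (assumption: documented IOS behaviour) of the web-cache redirect decision."""
    if proto != "tcp" or dport != 80:
        return False  # the web-cache service group only covers TCP port 80
    if INTERFACES[in_if]["exclude_in"]:
        return False  # packets received here are never checked for redirection
    if not (INTERFACES[in_if]["redirect_in"] or INTERFACES[out_if]["redirect_out"]):
        return False  # no redirect configured anywhere on this path
    return acl_permits(acl, proto, src, dst)
```

Running the model with a flow that enters on FastEthernet1/0 and leaves on FastEthernet0/0 redirects it, while the same flow entering on FastEthernet0/0 (the interface carrying `redirect exclude in`) is never redirected.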


This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3