Re: FW: Proxy

From: Ali El Moussaoui <mousawi.ali_at_gmail.com>
Date: Tue, 7 Apr 2009 13:26:36 +0200

Qingli,

Did you mean PBR for the returning traffic?
I am confused. Traffic is coming from the inside (static route from the router
to the FWSM). Traffic leaves through the OUTSIDE interface using PAT, then the
router intercepts HTTP using WCCP and redirects it to the cache through the CACHE
interface. Now what happens to the return traffic?

Ali

On Tue, Apr 7, 2009 at 12:09 AM, Gao, Qingli <Qingli.Gao_at_sig.com> wrote:

> Agree with Robclav.
>
> Ali you can create a PBR.
> Match all the src-port 80 TCP traffic (assuming you have HTTP only).
>
> Next hop set to Cache zone's interface.
>
> Thanks,
> Qingli Gao CCIE# 17220
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> robclav_at_gmail.com
> Sent: Monday, April 06, 2009 1:33 PM
> To: Ali El Moussaoui; Cisco certification
> Subject: Re: Proxy
>
> Hi Ali,
> You are facing an asymmetric path traffic issue. In other words, the one that is
> compliant is your outside zone (named INTERNET in the log). If you apply a NAT
> process from inside to the cache zone, in order to ensure traffic must flow back
> from outside to cache and then from cache to inside. Otherwise, like in your
> lab, inside traffic is going first to the cache zone and then to outside, but
> because you are using public IPv4 addresses the flow back is going
> directly from outside to inside; then the FW does not have this session in its
> inside-outside session table, so it is a dropped session.
> Hope this helps you,
> Robclav
>
>
>
> BlackBerry from Movistar: wherever you are, your office is there.
>
> -----Original Message-----
> From: Ali El Moussaoui <mousawi.ali_at_gmail.com>
>
> Date: Mon, 6 Apr 2009 15:39:40
> To: Cisco certification<ccielab_at_groupstudy.com>
> Subject: Proxy
>
>
> Hello Guys,
>
> I have three security zones on the FWSM: Inside, Outside and Cache. I am using WCCP
> to redirect outgoing traffic to the proxy. I see the following in the FWSM
> logs:
>
> Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 209.170.115.83/80 to 91.151.230.3/4780 flags RST on interface CACHE
> Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 84.53.182.160/80 to 91.151.238.34/49126 flags RST on interface CACHE
>
> My analysis is that connections are created from Inside and then redirected
> to Cache. The FWSM will not recognize the session when it comes back on Cache,
> since it was created from Inside. What do you think? How can I get over this?
>
> Ali
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
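The 106015 drops Ali quotes have a recognisable shape: a deny on the CACHE interface whose source port is the web server's port, i.e. proxy return traffic arriving on an interface where the FWSM holds no session. As an added example (not code from anyone in this thread), this Python snippet parses that log format and counts such events per inside client; the interface name, port list and the third sample line are assumptions.

```python
import re
from collections import Counter

# Sample input: the two lines from Ali's post (joined onto one line each) plus one
# constructed line on the OUTSIDE interface that should NOT match the pattern.
SAMPLE_LOGS = """\
Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 209.170.115.83/80 to 91.151.230.3/4780 flags RST on interface CACHE
Apr 06 2009 15:20:45 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 84.53.182.160/80 to 91.151.238.34/49126 flags RST on interface CACHE
Apr 06 2009 15:20:46 INTERNET : %FWSM-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 91.151.238.34/50001 flags ACK on interface OUTSIDE
"""

# Field layout of %FWSM-6-106015 as it appears in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<ctx>\S+) : "
    r"%FWSM-6-106015: Deny TCP \(no connection\) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)$"
)


def parse_106015(line):
    """Return the fields of one 106015 line as a dict, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def is_asymmetric_return(ev, proxy_iface="CACHE", server_ports=(80,)):
    """True when a server-side reply (src port 80) is denied on the proxy-facing
    interface: the session was built on Inside/Outside, so Cache has no state.
    proxy_iface and server_ports are assumed names for this lab."""
    return ev["iface"] == proxy_iface and ev["sport"] in server_ports


def summarize(text, proxy_iface="CACHE"):
    """Count 106015 events and, per inside client IP, those matching the pattern."""
    total, hits = 0, Counter()
    for line in text.splitlines():
        ev = parse_106015(line)
        if ev is None:
            continue
        total += 1
        if is_asymmetric_return(ev, proxy_iface):
            hits[ev["dst"]] += 1
    return total, hits


if __name__ == "__main__":
    total, hits = summarize(SAMPLE_LOGS)
    print(f"{total} denies parsed; asymmetric-return candidates per client: {dict(hits)}")
```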

Blogs and organic groups at http://www.ccie.net
Received on Tue Apr 07 2009 - 13:26:36 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART