Cisco WAN :: 2811 - WCCP Transparent Proxy Over DMVPN
Nov 20, 2010
I'm trying to configure a WCCP web proxy on an ISR 2811 at a branch network. I have an IronPort at headquarters.
The idea is that the users at the branch network transparently forward HTTP traffic to the IronPort at the central office and from there go to the Internet.
The communication between sites is over DMVPN. I have two GRE tunnels running OSPF.
The IronPort is configured for WCCP v2 transparent redirection with forwarding method L2 or GRE and return method L2 or GRE.
I receive "Here I Am" packets on the branch router, but I get this message in the debug:
Nov 21 19:26:07.067 GMT-2: WCCP-EVNT:D10: Here_I_Am packet from 172.16.10.10 w/bad fwd method L2, received indirectly via Tunnel1
Nov 21 19:26:07.067 GMT-2: WCCP-EVNT:D10: Here_I_Am packet from 172.16.10.10 with incompatible capabilites
Nov 21 19:46:07.035 GMT-2: WCCP-PKT:D10: Sending I_See_You packet to 172.16.10.10 w/ rcv_id 0000004F
View 1 Replies
May 28, 2012
I would like to connect devices to my network so that their traffic passes through a proxy running on my computer. I figured the best way to do this is by setting the proxy on my router to the one I am running, but then I would need to have another connection to the computer running the proxy, or else there would be an infinite loop? Something like that. So:
Internet -> router (1) -> my proxy on comp A -> router (2) -> computer B
View 1 Replies
May 19, 2012
I have been tasked to set up a transparent Squid proxy and do redirection on a Cisco 6513 switch. I don't have access to the Squid but think that my config below should be OK. We have set up a TEST user VLAN 13. Any traffic from this destined for the web on 80 or 443 should be redirected. VLAN 10 is where the Squid proxy is sitting. [code]
View 3 Replies
Apr 21, 2012
Recently I have installed an ASA 5520 (8.2) in my network. Earlier I was using my transparent proxy with a 2821 by the following configuration:
access-list 120 deny ip host 192.168.112.12 any
access-list 120 permit tcp any any eq www
access-list 120 deny ip any any
route-map PROXY-REDIRECT permit 10
 match ip address 120
 set ip next-hop 192.168.112.12
ip policy route-map PROXY-REDIRECT
and it was working fine. How can I use my transparent proxy with the ASA?
View 2 Replies
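Added example (editor's, not part of the original post or a reply). ASA 8.2 has no policy routing, so the route-map approach from the 2821 does not carry over; the equivalent on the ASA is WCCP service group 0 ("web-cache") on the inside interface, with the same deny-the-proxy-host rule to avoid a loop plus the two controls that keep a rogue host from joining the service group. The inside subnet 192.168.112.0/24, the ACL names and the group password are assumptions; the proxy address 192.168.112.12 is taken from the post.

```cisco
! ASA 8.2: transparent HTTP redirection with WCCP instead of PBR (added example, assumed names)
!
! What to redirect: client HTTP only, never the proxy's own traffic. Without the deny-host line
! the proxy's upstream requests are redirected back to the proxy (same idea as the old ACL 120).
access-list WCCP-REDIRECT extended deny ip host 192.168.112.12 any
access-list WCCP-REDIRECT extended permit tcp 192.168.112.0 255.255.255.0 any eq www
access-list WCCP-REDIRECT extended deny ip any any
!
! Who may join the service group: only the proxy. Without group-list and password, any inside
! host can announce itself with Here_I_Am and have every HTTP flow handed to it.
access-list WCCP-ENGINES extended permit ip host 192.168.112.12 any
!
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-ENGINES password 0 ReplaceWithSharedSecret
!
! The ASA redirects on ingress only, and the cache engine must be reachable through the
! same interface as the clients. Forwarding and return are GRE; the ASA does not do L2.
wccp interface inside web-cache redirect in
!
! Verification: the cache should be listed under "Number of Cache Engines: 1" and
! "Total Packets Redirected" should increase while a client browses.
! show wccp
! show wccp web-cache detail
```

On the proxy side, set the forwarding and return method to GRE, the router address to the ASA inside interface IP, and the same service-group password; a mismatched password shows up on the ASA as the Here_I_Am packets being rejected rather than as a silent failure.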
Nov 15, 2011
I configured a 2811 series router for DMVPN. My two tunnels are up, but one of the tunnels is flapping with this message.
View 4 Replies
Aug 30, 2011
I'm setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811), but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss as to which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin" and the only crypto options are:
(config)#crypto ?
ca Certification authority
key Long term key operations
pki Public Key components
while on the 2811 I get:
WIN-T(config)#crypto ?
ca Certification authority
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
[code]...
These are all hand-me-downs?
View 2 Replies
May 15, 2013
We are facing a heavy network and slow performance at one of our remote sites. We are using Cisco 2800 series routers with the same IOS on both sites. Our WAN network is running on BGP with EIGRP configured, and tunnels were configured on both sites. As part of the testing I removed the tunnel to see whether performance was OK from head office to the remote branch; the WAN network gets heavy and slows down when we put the tunnel back in hub and spoke.
quick info
Cisco 2800 Series router
IOS: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE
View 1 Replies
Feb 8, 2011
We have about 200 spokes (2811 routers), each one connected to two hubs (7206VXR with NPE-G2) via a separate DMVPN. DMVPN is over an MPLS cloud provided by the local operator. On the hubs we get these types of messages very frequently:
Feb 9 16:00:10.402: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is down: Interface Goodbye received
Feb 9 16:00:11.658: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is up: new adjacency
On the spoke:
Feb 9 13:36:48: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is down: holding time expired
Feb 9 13:36:51: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is up: new adjacency
I think the default EIGRP hello and hold timers (5, 15) are not suitable since these are WAN links.
View 1 Replies
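Added example (editor's, not part of the original post or a reply) of the timer change the post is considering, applied on the tunnel interface of the hub and of every spoke; hello and hold timers must match on both ends of an adjacency or the flapping gets worse, not better. AS 200 is taken from the log messages. The key chain name, the key string and the bandwidth value are assumptions. The authentication lines are added because a tunnel subnet shared by 200 spokes is exactly where an unauthenticated neighbor can inject routes.

```cisco
! EIGRP over DMVPN: relaxed timers plus neighbor authentication (added example, assumed names)
key chain DMVPN-EIGRP
 key 1
  key-string ReplaceWithRandomSecret
!
interface Tunnel0
 ! 30 s hello / 90 s hold instead of the default 5/15: one hello lost on a lossy MPLS path
 ! no longer expires the hold timer and forces a full re-sync with the hub
 ip hello-interval eigrp 200 30
 ip hold-time eigrp 200 90
 ! MD5-authenticate hellos and updates so a host that reaches the tunnel subnet
 ! cannot form an adjacency and advertise routes into AS 200
 ip authentication mode eigrp 200 md5
 ip authentication key-chain eigrp 200 DMVPN-EIGRP
 ! EIGRP paces its packets to 50% of the interface bandwidth; the default tunnel
 ! bandwidth (9 kbit/s on older IOS) is far too low for a hub with 200 neighbors
 bandwidth 10000
!
! Verification: the Hold column should count down from 90 and the uptime should stop resetting
! show ip eigrp neighbors
! show ip eigrp interfaces detail Tunnel0
```

Change the timers on the hub first, then the spokes; during the transition the adjacency with a spoke that still runs 5/15 keeps using the spoke's announced hold time, so nothing drops that was not dropping already.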
Sep 4, 2012
I am working on a task of redirecting any unmatched HTTP traffic to the Symantec public transparent proxy through a Cisco ASA. For the definition of unmatched HTTP traffic: we have inbound Squid servers for deploying the IE proxy PAC and redirecting the HTTP traffic to the Symantec public transparent proxy; however, we can't deploy the IE proxy PAC to mobile devices and unsupported web browsers. Since we have some applications using the IE proxy setting for direct HTTP communication with external domains, the current Symantec policy adds those domains to the exception list so that they are not redirected to the Symantec public transparent proxy server.
-For the platform - Cisco ASA 5510 ASA 8.4(4)1
-For the solution, I have the following two NAT rules
View 10 Replies
Mar 31, 2012
I access the internet from my company's LAN, which has a restrictive firewall, so I cannot request the admin to open any ports manually for me. Hence I use a software called your-freedom. This proxy software supports both HTTP as well as SOCKS 4 and 5 proxies (by entering the proxy IP 127.0.0.1 (localhost) and port 8080 for HTTP proxy or 1080 for SOCKS proxy), and I have successfully been using web browsers and some other software that supports a proxy / allows proxy info to be entered to log in / connect to the internet. Your-Freedom also supports port forwarding. However, the software I intend to use does not have any options to enter proxy methods or proxy ports (as far as I have noticed). I have tried to proxify these 2 programs using software such as SocksCap and FreeCap, but either they don't work, or my proxifying settings are not correct. I believe I will have to do port forwarding or proxify the programs, but have been unable to do so in the correct manner.
Following is the info on the 2 programs:
1. NOW Trading terminal: Normally when I start the NOW or Zerodha software, the software starts and I get a login screen, but under firewall conditions I get the initial splash screen and then the software stops with the error: NOW Initialisation failed for Interactive Engine << os error>>.
2. PowerIndia Bulls: The software is written in Java and starts with a batch file (PowerIndiabulls.bat) located in C:UsersDEFAULT_USERNAMEAppD..... I converted this batch file to .exe (with battoexe software) and then ran it through a proxifying program. The .exe starts properly without the proxifying software but not under the proxifying environment. Basically the software needs to connect to the internet using port 443. I am also expected to keep ports 443, 41599 and 59598 open. The software's requirements are available at Indiabulls Securities (item no. 5). To confirm: while the software is unable to connect through port 443, you will get the error message "Connection to Login Server could not be established" when you try to log in with any random username and password. To know that the software is able to connect properly, you will get the error "This User ID is not enabled to be used with this product".
View 1 Replies
Jan 8, 2013
Anyone know the difference between these two on an MLS? It seems that proxy ARP as I know it works with or without the 'local' version.
View 7 Replies
Mar 26, 2011
So I'm trying to learn a little bit more about WCCP, so I thought I'd load up a CentOS VM and just install Squid on it. With the base config running I can set up an explicit proxy by configuring my IE session to use the Squid IP on port 3128. The proxy works fine and I see entries in the access log on the CentOS box. Now, since I'm only running Squid on the box, I'm going to change the listening port to 80 so I can transparently proxy with WCCP on my ASA. So I set the WCCP2 config on Squid as shown.
View 10 Replies
Oct 18, 2011
We have 881 routers and are planning on testing out some WAN-optimizing hardware; we're told that our router needs to support the PBR and WCCP protocols. Will this router handle it?
View 3 Replies
Feb 28, 2013
Can the Cisco switches in my environment support WCCP?
View 1 Replies
May 25, 2012
I need to roll out a Blue Coat as a WCCP cache for an ASA 5520.
View 3 Replies
Oct 31, 2012
I'm using a Cisco AG3560 to run my WCCP redirect and have a McAfee for my web gateway. My IP for the web gateway is 10.1.252.19, and my WCCP router is 10.1.3.10. For whatever reason the web gateway is able to see the router and the "here I am" packets, but I cannot get anything to redirect to it. My WCCP config is below.
ip wccp 51 redirect-list 120
!
interface Loopback0
ip address 10.1.254.17 255.255.255.255
[code]...
I have the Web Gateway set up with process 51, and my router on the WG is 10.1.252.10.
View 1 Replies
Jul 17, 2011
I currently have WCCP redirection set up on my ASA 5520 to redirect to an IronPort on IP address 10.11.1.10. The ASA inside IP is 10.11.1.1 and the IronPort is set up for transparent redirection to that IP. This all works well, and the service identifier I'm using for WCCP is 95. I am now creating another WCCP group because my IronPort has 4 interfaces, so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using service identifier 94 to the IP on the IronPort of 10.11.1.22. But I can't get traffic to redirect.
View 1 Replies
Jun 16, 2012
I am trying to set up WCCP on our 4507. For some reason I cannot get this to work! The config I have tried is below. I can't figure out
ip wccp web-cache group-list IRONPORT-GROUPLIST
ip wccp source-interface GigabitEthernet2/24
!
Interface Vlan160
[Code].....
View 2 Replies
Jul 19, 2011
When the following was issued:
ip wccp 0 redirect-list wccp_acl group-list 10 password 0 ourpassword
Received this error:
MDT: %COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. WCCP:0 linked to wrong idb Loopback0 (xyz node name)
When the following was issued 10 minutes later:
ip wccp 70 redirect-list wccp_acl group-list 10 password 0 ourpassword
No error msg (but now WCCP was active). WCCP appears to be working, but we are ** having problems connecting ** with our Websense (7.6) box via GRE. Websense is connected to the 6509, which is connected to this 3750 switch.
View 2 Replies
Jul 20, 2011
I'm currently trying to work out what router we need to do WCCP redirections to some WAN optimizers. We plan that there will be 100-200 Mbps worth of traffic that needs to be redirected.
We currently have a 7200 with NPE-G2 which already runs at 30% CPU without WCCP redirection (from shaping and QoS).
I'm worried that this will not be powerful enough for the redirections.
We would like to upgrade, but I want to do some research beforehand. I have looked everywhere and I cannot find any WCCP performance figures for the devices below.
- 7200 with NPE-G2
- ASR1000
- 3800
- 3750
- 6500
I am aware that the Catalyst and the ASR can do the redirecting in hardware, so this means there is no real CPU hit until we exhaust the TCAM? We plan to use inbound redirection and the redirect ACL is only 20 lines.
View 1 Replies
Nov 14, 2011
My problem is, it doesn't seem like packets are making it to the Linux/Squid caching device, based on the cache logs. Workstations that are being redirected in the router have no web browser access (they can ping 8.8.8.8 and google.com).
I have a Linux box running Squid successfully, which supports GRE WCCP. For the sake of argument, I will say that I am confident I have successfully configured that machine.
What's really strange is that this morning I came in and, in hindsight, my test workstation looked like it may have restarted from an update (maybe it had internet access). The first thing I did was tweak the Cisco config, as I was reading last night and saw:
"Be warned that if you are using NAT you MUST use the inbound interface otherwise the router only sees the NATted IP address as the source of your clients. This is bad, because the router is also therefore unable to see your cache engine and it will redirect the cache engine requests back upon itself."
So I turned <ip cef> on and removed the <ip wccp web-cache redirect out> (I had "in" on fa0/1 and "out" on fa0/0 overnight).
Then I proceeded to check the workstation and saw it had network access. I tested to see if it was in fact filtered by the proxy, and it was! (verified by the cache logs as well)
After some further successful testing, I made sure I saved any unsaved configuration changes, then I rebooted the Linux box and the router. Sadly the outcome was not good; I am back to where I was last night.
My router does routing/NAT, has two interfaces and is currently not running CEF:
ip wccp web-cache redirect-list SQUID_PROXY
!
interface FastEthernet0/0
description WAN
ip address 1.2.3.4 255.255.255.248
ip nat outside
ip virtual-reassembly max-reassemblies 64
speed 100
full-duplex
[code]...
View 6 Replies
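Added example (editor's, not part of either post or of any reply) of a complete IOS WCCP web-cache configuration for the two router-side cases on this page: the NAT router in the post above, where redirection has to happen inbound on the LAN interface before NAT, and the branch 2811 in the first post, where the IronPort registers "received indirectly via Tunnel1" and therefore can only use GRE forwarding and return (L2 forwarding needs the cache engine on a directly connected segment). The WAN address 1.2.3.4/29 and the redirect-list name SQUID_PROXY are from the post; the LAN subnet 192.168.10.0/24, the cache engine address 192.168.10.5, the group-list name and the password are assumptions.

```cisco
! IOS WCCP web-cache on a NAT router (added example; LAN subnet, engine IP, group-list
! name and password are assumed, WAN address and redirect-list name are from the post)
ip cef
!
! Redirect-list: client HTTP only. The first line keeps the cache engine's own upstream
! requests from being redirected back to it, which is the loop the quoted warning describes.
ip access-list extended SQUID_PROXY
 deny   ip host 192.168.10.5 any
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 deny   ip any any
!
! Group-list: only this host may join service group 0. Together with the password it stops
! any LAN host from sending Here_I_Am and receiving every client's HTTP session.
ip access-list standard WCCP_ENGINES
 permit 192.168.10.5
!
ip wccp web-cache redirect-list SQUID_PROXY group-list WCCP_ENGINES password 0 ReplaceWithSharedSecret
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! Inbound on the LAN side: the router classifies the packet with the real client source
 ! address, before NAT rewrites it, and the engine gets the real client IP in the GRE payload
 ip wccp web-cache redirect in
!
interface FastEthernet0/0
 description WAN
 ip address 1.2.3.4 255.255.255.248
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 ! No "ip wccp web-cache redirect out" here: after NAT every flow, including the cache
 ! engine's, leaves with the same source address and the engine's traffic loops back to it
!
! For the DMVPN case the same global line applies with the remote engine's address
! (172.16.10.10 in the first post) in the group-list and redirect-list, and the engine set
! to GRE forwarding and GRE return; the tunnel interface carries no redirect statement.
!
! Verification (cache engine should show state "Usable" and the redirect counter should climb):
! show ip wccp web-cache detail
! show ip wccp web-cache view
! debug ip wccp events
```

The Squid counterpart for the password is the `password=` option on the `wccp2_service standard 0` line with the same string; if the strings differ, `debug ip wccp events` on the router shows the Here_I_Am packets being rejected, which is the first thing to check before suspecting the NAT or interface placement.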
Apr 3, 2013
I have the following topology: WCCP is configured on the ASA inside interface; LAN users and the Websense machine are located on the same VLAN of my Catalyst 3750G. I want to filter traffic on port 80 (www) for the users on the LAN side. Debug on the ASA shows me that communication between that device and Websense is OK; there are Here_I_Am and I_See_You packets:
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C
WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show wccp I saw that the WCCP engine and the ASA were detected:
FW# sh wccp
Global WCCP information:
Router information:
Router Identifier: 200.X.X.X
Protocol Version: 2.0
[code]....
View 5 Replies
Nov 24, 2011
There used to be Cisco 851 routers, but lately these routers have been replaced with Cisco 861-K9 routers, and the 861 routers don't support DMVPN, whereas the 851 used to.
Is there any license file we can upload to the 861 router for DMVPN capability? If yes, may I know the SKU # for that. We have some customers with 6-7 locations and they are planning to add 2 more locations; we have already implemented DMVPN in their network. If we go with the 87X or 88X router, their price is almost double the price of the 861.
View 1 Replies
Jul 26, 2012
I'm testing WCCP in a lab environment (another checkbox on my way to CCIE). The setup:
- a WS-C3560-8PC switch running IOS 15.0(1), IP Services with crypto.
- Two client computers connected by wire to the switch, running Windows 7.
- A virtual machine in bridged mode running on one of the machines, running OpenBSD 5.0 with Squid 2.7 installed and running.
- Everything in the same subnet: 192.168.163.0/24; the OpenBSD is at .5, the switch at .3 and functions as the default gateway for the computers with no ICMP redirects (the real gateway is at .1 but the switch forwards everything).
Squid seems to work, albeit inefficiently, but that's not the issue. Filling in the IP of the OpenBSD in the browser as proxy with the proper port works. Since the 3560 only supports WCCP over layer 2 adjacencies and masks, not hash buckets, I've configured these options on both the Squid and the 3560.
View 19 Replies
May 28, 2012
I'm setting up a config to have WCCP with a Blue Coat WAN Optimizer. I have the following simple setup at the moment: Cisco 6500 <----> Firewall. How should my topology be? Should I have the WAN optimizer in between (in the path of the switch and firewall, on the same VLAN) or have a different VLAN hanging off the 6500 and have WCCP redirect traffic?
View 2 Replies
Oct 31, 2012
I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and a Barracuda Web Filter 410 Vx appliance. The ASA firewall is running version 8.6(1)2 and the Barracuda is running firmware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping each other. The ASA has several interfaces: outside, inside, data and dmz. The PCs and the Barracuda appliance are behind the data interface. ASA data IP 172.16.18.1, Barracuda IP 172.16.18.40. All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
Below are the respective bits of my ASA config:
interface GigabitEthernet0/0
description Management
speed 1000
[Code].....
I suspect my issue is that the ASA is generating a router identifier of 172.21.20.1, which is my inside network, and the Barracuda cannot communicate with it. How can I get this working?
View 3 Replies
Jan 29, 2012
I have a web cache server, and I redirect all the HTTP requests to it using WCCP.
Everything works without a problem; however, I have a monitoring system that every minute tests access to some customer sites that are hosted inside our infrastructure.
As soon as I configured WCCP the monitoring system complained of timeouts accessing those sites; about 20% of the requests start to fail (timeout).
I don't think it is the fault of the cache, because in the WCCP ACL I exclude all traffic that comes from my monitoring system. However, as soon as I turn off WCCP the monitoring system never gives timeouts accessing those sites.
Is there anything I should do in WCCP to tweak it? I have WCCP configured on my core gateway, which is a Cisco 3750.
View 2 Replies
Apr 5, 2012
Is there a way to use 2 redirects inbound on vlan 1?
int vlan 1
ip wccp 80 redirect in
ip wccp 81 redirect in
The reason for this is because we need the return traffic from the firewall to come in on group 81 and the source subnet will go out group 80.
View 1 Replies
Nov 21, 2011
I'm setting up a web cache using the WCCP protocol on a Catalyst 3750 stack.
I'm probably missing something real simple here, but when I try to enter the ip wccp command from global configuration mode it just says "invalid input" at wccp. There is no such command. It should be supported on my device from IOS 12.2(37).
View 1 Replies
Dec 6, 2012
I recently configured WCCP with a Sophos Web Filter on my network. It works well, but the problem I am having is that I have two 5520s, so I am directing the device to look at 2 different IP addresses, and the devices are in an Active/Passive failover. The problem is that because the second device is in passive failover it is not responding, which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASAs, but is there a way to have a single IP for the ASAs for WCCP?
View 1 Replies
Nov 19, 2011
I am getting the following message while trying to configure WCCP redirection on my 7200 router.
I have added this router to the router list of the WAE edge device. Ping is successful, but the following problem persists.
NASCM-MPLS#show ip wccp
Global WCCP information:
Router information:
[Code]....
View 1 Replies
Feb 27, 2012
I am trying to enable WCCP on a 6509. It works fine on port 80 but not with HTTPS (443). Also, I have noticed that when I use the following on the interface:
ip wccp web-cache redirect in
HTTP works, but when I use service number 0 instead of web-cache even HTTP stops working. WCCP v2 is enabled on the switch. Both the source and the Squid server are in the same VLAN.
View 9 Replies
Sep 5, 2012
I have a problem with my routers (Cisco 1941). I'm running a DMVPN network (hub and spoke). All the spokes are connected to the 2 hubs, with 4 tunnels (each hub has 2 interfaces to the spokes; the spokes only have one interface to the hubs, so I split them and now have 4 DMVPN tunnels). One of the interfaces on a hub malfunctioned and because of that the customers had problems with logging in and sending packets. I made this kind of structure so that when one of the tunnels failed the spoke could use the 3 others... BUT what happened here was that the spoke still tried to use all 4 of the tunnels, and because of that I had 25% packet loss! So this didn't work. Now I read about IP SLA, but I was wondering whether this could work (I cannot test it on spare routers, and I don't want to implement it and risk a total network failure...) and how to configure it. Should I make 4 different SLA processes which I then track, all 4? And when I make the IP routes, how should I configure it so that when 1 of the tunnels/interfaces fails the spoke adapts the routes?
View 1 Replies
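Added example (editor's, not part of the original post or a reply) answering the "4 SLA processes, 4 tracks" question with a spoke-side configuration: one probe per tunnel, one track per probe, and four equal-cost static routes each tied to its track, so a tunnel whose hub interface has died is pulled out of the load-sharing set instead of black-holing a quarter of the packets. The hub tunnel addresses 10.0.0.1 to 10.0.3.1, the hub-side summary 10.100.0.0/16 and the use of static routes on the spoke are assumptions; if the spoke learns hub networks from a routing protocol, the tracked static routes need an administrative distance below that protocol's. The probe target is the hub's tunnel address, so the echo travels inside the IPsec-protected tunnel; probing a hub's public address outside the tunnel would let anyone on the transport network answer it and keep a dead tunnel "up".

```cisco
! Spoke: IP SLA probe per DMVPN tunnel, tracked equal-cost static routes (added example, assumed addresses)
!
! One probe per tunnel, sourced from that tunnel so it can only succeed through that tunnel.
ip sla 1
 icmp-echo 10.0.0.1 source-interface Tunnel0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.0.1.1 source-interface Tunnel1
 frequency 10
 timeout 2000
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 10.0.2.1 source-interface Tunnel2
 frequency 10
 timeout 2000
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 10.0.3.1 source-interface Tunnel3
 frequency 10
 timeout 2000
ip sla schedule 4 life forever start-time now
!
! One track per probe. The delays keep a single lost echo from flapping the route,
! and make the tunnel prove itself for 30 s before traffic is put back on it.
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30
track 3 ip sla 3 reachability
 delay down 10 up 30
track 4 ip sla 4 reachability
 delay down 10 up 30
!
! Four equal-cost routes, each pinned to its tunnel and next hop and tied to its track.
! CEF load-shares across the routes whose track is Up; when a probe fails the route is
! withdrawn and the remaining three carry the traffic.
ip route 10.100.0.0 255.255.0.0 Tunnel0 10.0.0.1 track 1
ip route 10.100.0.0 255.255.0.0 Tunnel1 10.0.1.1 track 2
ip route 10.100.0.0 255.255.0.0 Tunnel2 10.0.2.1 track 3
ip route 10.100.0.0 255.255.0.0 Tunnel3 10.0.3.1 track 4
!
! Verification:
! show track brief          -> Reachability state Up for each healthy tunnel
! show ip sla statistics    -> return code OK and latest RTT per probe
! show ip route 10.100.0.0  -> only the tunnels whose track is Up appear as next hops
```

Test it on one spoke by shutting the corresponding hub tunnel interface: within the 10 s down delay `show ip route` should drop that next hop, and bringing the interface back should add it again only after the 30 s up delay.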