
Computer/Network tips, tricks and other stuff I always forget

WCCP Across a Firewall

December 3rd, 2008 Posted in Cisco, Firewalls, Networking

I hate WCCP. There seems to be little good information, and any docs I do find from Cisco or proxy vendors leave it at the magic phase where things just seem to work. I have been working with another guy on trying to get an IOS router to forward HTTP requests to a Bluecoat proxy across a stateful firewall. We were attempting to get a transparent proxy working so users did not need a hard-coded proxy, but with the firewall between the users and the proxy, nothing seemed to work. L2 forwarding was not an option because it would mean bridging our firewall, so we needed GRE encapsulation to get the requests to the proxy.

After working with both vendors, we were able to determine that the router was forwarding the requests to the proxy with GRE encapsulation and the firewall was allowing the GRE traffic to traverse it via ACLs. The proxy was spoofing the IP address of the remote server but did not GRE-encapsulate its reply. The firewall denied that traffic because the packet was a SYN-ACK and there was no corresponding SYN recorded: the original SYN had been inside the GRE tunnel, so the firewall never saw it as a TCP connection.

The fix that we came up with was to ignore the TCP state for the web traffic. Using MPF (the ASA Modular Policy Framework), we were able to uniquely identify the traffic for which we wanted to ignore state. This service policy gets applied on the DMZ interface where the proxy lives, which means my outside interface to the Internet is not at risk and is still stateful. Below is a rough outline of what we needed to do to get this to work. It is not the final secured version, so tweak it for your environment, but we did get WCCP to work across our firewall. The last question I have is: should the Bluecoat have encapsulated the response in a GRE tunnel? If so, then we would not have to perform the extra steps and the magic would have just happened.


access-list proxy-bypass extended permit ip any 10.0.0.0 255.0.0.0
!
class-map proxy-bypass
match access-list proxy-bypass
!
policy-map proxy-bypass
class proxy-bypass
set connection advanced-options tcp-state-bypass
!
service-policy proxy-bypass interface DMZ
!
access-list DMZ-ACL extended permit ip any 10.0.0.0 255.0.0.0
access-group DMZ-ACL in interface DMZ
! an ACE is still needed to allow the traffic into the firewall once state is ignored
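To make the asymmetry concrete, here is an added Python model of a stateful firewall's connection table (illustration written for this page, not code from the post, Cisco or Blue Coat): the SYN arrives hidden inside GRE and never creates a connection entry, so the proxy's unencapsulated SYN-ACK is dropped unless a state-bypass class applies on the DMZ interface, while the outside interface keeps dropping unsolicited SYN-ACKs. Interface names, addresses and the packet-dict fields are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("10.0.0.0/8")   # inside users, as in the post's ACL

class Firewall:
    """Minimal stateful firewall: TCP needs a recorded SYN, GRE is not inspected."""
    def __init__(self, bypass_ifaces=("DMZ",)):
        self.bypass_ifaces = set(bypass_ifaces)   # where tcp-state-bypass applies
        self.conns = set()                        # (src, sport, dst, dport) of seen SYNs

    def _acl_permits(self, pkt):
        # Stand-in for the post's ACLs: GRE to the proxy, and any IP to 10/8
        return pkt["proto"] == "gre" or ip_address(pkt["dst"]) in CLIENT_NET

    def process(self, iface, pkt):
        """Return 'permit' or 'deny:<reason>' for a packet arriving on iface."""
        if not self._acl_permits(pkt):
            return "deny:acl"
        if pkt["proto"] == "gre":
            return "permit"   # passed whole; the inner SYN creates no state
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.conns.add(key)
            return "permit"
        if key in self.conns or rkey in self.conns:
            return "permit"
        if iface in self.bypass_ifaces and ip_address(pkt["dst"]) in CLIENT_NET:
            return "permit"   # class proxy-bypass matched: state ignored
        return "deny:no-state"

def wccp_exchange(fw):
    """Replay the post's packet flow; all addresses are constructed samples."""
    syn = {"proto": "tcp", "src": "10.1.1.10", "sport": 40000,
           "dst": "203.0.113.5", "dport": 80, "flags": "SYN"}
    # Router redirects the SYN to the DMZ proxy inside GRE (WCCP L3 forwarding)
    gre = {"proto": "gre", "src": "10.1.1.1", "dst": "172.16.5.10", "inner": syn}
    # Proxy replies as the web server, but without GRE encapsulation
    synack = {"proto": "tcp", "src": "203.0.113.5", "sport": 80,
              "dst": "10.1.1.10", "dport": 40000, "flags": "SYN-ACK"}
    return {"gre_syn": fw.process("inside", gre),
            "synack": fw.process("DMZ", synack),
            # Same SYN-ACK arriving from the Internet: outside stays stateful
            "outside_synack": fw.process("outside", synack)}

if __name__ == "__main__":
    print(wccp_exchange(Firewall(bypass_ifaces=())))   # SYN-ACK denied
    print(wccp_exchange(Firewall()))                   # SYN-ACK permitted on DMZ
```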

3 Responses to “WCCP Across a Firewall”

By Neil on Dec 7, 2008

    Keith

    Man, that GRE tunnel is a busy place. I hope the original SYN packet and the Bluecoats don't run into each other in there!!!

    Neil

By Computer Geek on Mar 7, 2010

    I have access to online computer geeks that run 24/7 and thank goodness because I don’t follow any of that!

By computer repair westchester ny on Mar 29, 2010

    Thanks for sharing this. I really find the posts in your blog interesting.
