[squid-users] Problem with Interception Caching/Proxying

From: Tony Spencer <[email protected]>
Date: Wed, 22 Feb 2006 09:40:52 -0000

Hi

Below is a diagram of part of our network.
We have an L2TP tunnel that gets terminated on our Cisco 7200 for DSL users.
The tunnel comes from our Upstream provider and once terminated we do the
Radius authentication and then redirect all port 80 traffic to our Squid
server.
However, the Squid part doesn't seem to be working correctly: although I can
see the request come into Squid by watching the Squid access log, the end
user never gets the web page he requested, unless that web site is on the
10.0.0.x network.

I followed the examples on the Squid site to do the redirection of port 80
traffic: the Cisco has an access list and a route map to redirect port 80 to
the Squid server, and the Squid server then forwards port 80 traffic to port
3128. I've even run Squid on port 80 so requests go directly to the Squid
port from the Cisco 7200.

If I configure my web browser on my PC to use the Squid server as a proxy I
can browse web sites fine, however this is when I'm not coming via the
tunnel on the router, just purely over the Internet.

                10.0.0.1 (gw on upstream)
                        |
                        |
                        |                        10.0.0.4
                ---------------------         -------------
                | cisco 2900 switch |---------|   Radius  |
                ---------------------         -------------
                   |            |
          10.0.0.2 |            | 10.0.0.3
           --------------   ------------
           | Cisco 7200 |   |  sQUID   |
           --------------   ------------

The relevant parts of the Cisco config look like this:

###########
interface FastEthernet3/0
 ip address 10.0.0.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex full

interface Virtual-Template1
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 ip policy route-map proxy-redirect
 no logging event link-status
 timeout absolute 4320 0
 peer default ip address pool IP-POOL
 no keepalive
 ppp authentication chap pap callin
 ppp multilink

access-list 110 deny tcp host 10.0.0.3 any
access-list 110 permit tcp any any eq www
access-list 110 deny tcp any any
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 10.0.0.3

##########

And the Squid server uses the following iptables rule to forward the web
traffic to port 80.

#######
# enable IP forwarding so the box can pass traffic between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# send inbound TCP/80 arriving on eth0 to the local Squid port (3128)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
#######

It seems that although the Cisco is redirecting port 80 to the Squid server
and the server then forwards the requests to port 3128 and I can see the
requests come in, either the Squid server can't retrieve the website from
the outside world or can't return the site back to the end user.

If I take the route map off the Cisco 7200 and just let all traffic through,
end users can browse web sites ok.
But as soon as I redirect them to Squid it all goes wrong.

The Cisco 7200 is running IOS 12.3
The Squid server is a Centos 4.2 running squid-2.5.STABLE6-3.4E.11.

I can only think it's a config problem?
If anyone can help I would appreciate it.

Thanks
Tony

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.12/266 - Release Date: 21/02/2006
 
Received on Wed Feb 22 2006 - 02:41:05 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST
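As an added illustration of the policy-based routing quoted in the post above (not code from the original message or from the Squid or Cisco projects), the following Python script models how the `access-list 110` / `route-map proxy-redirect` pair decides which packets get their next hop set to the Squid box at 10.0.0.3. The ACL grammar it parses is limited to the three forms that appear in the post (`deny`/`permit`, `tcp`, `host X` or `any`, optional `eq www`); the `Packet` type, the sample addresses, and the helper names are constructed for the example. It shows the first-match semantics of the ACL, Cisco's implicit trailing deny, and why the first line (`deny tcp host 10.0.0.3 any`) matters: without it, Squid's own outbound fetches would match the redirect and be looped back to the proxy.

```python
"""
Constructed example: evaluate which packets the posted policy route-map
'proxy-redirect' sends to the Squid box (next-hop 10.0.0.3).

Assumptions (not from the original post): packets are modelled as simple
dataclasses; the ACL grammar is limited to the 'access-list 110' lines quoted
in the post (deny/permit, tcp, host X | any, any, optional 'eq www').
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three ACL lines quoted in the post, verbatim.
ACL_TEXT = """\
access-list 110 deny tcp host 10.0.0.3 any
access-list 110 permit tcp any any eq www
access-list 110 deny tcp any any
"""

ROUTE_MAP_NEXT_HOP = "10.0.0.3"   # 'set ip next-hop 10.0.0.3' in the post
PORT_NAMES = {"www": 80}          # IOS keyword used by 'eq www'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    proto: str
    src: object     # ipaddress network object
    dst: object
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or pkt.dport == self.dport))


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text: str) -> List[AclEntry]:
    """Turn 'access-list N action proto src dst [eq port]' lines into entries."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def acl_action(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"


def policy_route(entries: List[AclEntry], pkt: Packet) -> Optional[str]:
    """A 'route-map ... permit' clause applies its 'set ip next-hop' only when
    the match ACL permits the packet; anything the ACL denies is not dropped
    but falls through to the normal routing table (returned here as None)."""
    return ROUTE_MAP_NEXT_HOP if acl_action(entries, pkt) == "permit" else None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    samples = [
        Packet("172.16.5.9", "198.51.100.10", "tcp", 80),   # DSL user to a web site
        Packet("10.0.0.3", "198.51.100.10", "tcp", 80),     # Squid fetching upstream
        Packet("172.16.5.9", "198.51.100.10", "tcp", 443),  # HTTPS, not intercepted
    ]
    for p in samples:
        print(p, "->", policy_route(acl, p) or "normal routing")
```

Running the script prints that only the DSL user's port-80 request is handed to 10.0.0.3; the proxy's own outbound connection and the HTTPS session take the normal route. This models only the router's decision, not what happens once the packet reaches Squid.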