I guess this is an example of why transparent proxying should be avoided.
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Tim Wolfe" <TimW@InfoGroupNW.com>
To: "'Joe Mailander'" <jmailand@lane.k12.or.us>;
<squid-users@squid-cache.org>
Sent: Thursday, June 14, 2001 1:07 PM
Subject: RE: [squid-users] WCCP, Squid, and that darn PIX
> It looks to me as if the anti-spoofing features of the PIX are dropping the
> session as a spoofed attack. You probably just need to turn off the
> anti-spoofing stuff on the firewall (or on the interface or for that
> specific source, depending on how granular the PIX will allow you to be).
> This is due to the fact that you are running in transparent mode and the
> cache is forwarding the HTTP response as though the web server (i.e.
> www.nasa.gov) is sending the traffic directly to the client.
> "Cisco says that error comes up when a session starts on one interface, but
> continues on another." Which is what is happening when the web server at
> NASA or wherever sends the return traffic through the outside interface to
> the "client" IP but of course the traffic is actually returned to the Squid
> server and then the Squid server forwards it back to the firewall's dmz
> interface (on its way back to the client) and the firewall sees the same
> incoming traffic (at least according to its session DB) coming in a
> different interface and assumes it is spoofing. If Cisco can't tell you how
> to disable this feature, just put Squid in front of the firewall (or on the
> inside interface, assuming your clients are there), then the fw would never
> see the squid to client return traffic which should solve the issue... :)
>
> Hope this helps..
>
> Thanks,
>
> --Tim
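The mechanism Tim describes (a stateful firewall recording which interface a session entered on and which one its replies must come back through, then refusing a "reply" that shows up on the dmz interface because the transparent cache spoofed the web server's source address) can be modelled in a few lines. The following is an added illustration, not code from the thread, the PIX or Squid; the interface names, routing table, addresses (RFC 5737 documentation space stands in for www.nasa.gov) and the exact packet sequence are assumptions about the topology being discussed.

```python
"""Toy model of a stateful firewall that, like the PIX in the thread, denies a
session that started on one interface and then continues on another.
Constructed example: interfaces, routes, addresses and ports are all assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table; longest-prefix match picks the egress interface.
ROUTES = [
    (ip_network("10.0.0.0/8"), "inside"),        # client LAN
    (ip_network("192.168.100.0/24"), "dmz"),     # Squid box in the dmz scenario
    (ip_network("0.0.0.0/0"), "outside"),        # everything else, e.g. the web server
]

CLIENT = "10.1.1.5"
SQUID_DMZ = "192.168.100.10"
SQUID_INSIDE = "10.1.1.250"
WEB = "203.0.113.10"   # placeholder for the origin web server (www.nasa.gov in the thread)


def egress_interface(ip: str) -> str:
    """Interface the firewall would use to reach `ip` (longest prefix wins)."""
    addr = ip_address(ip)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return next(iface for net, iface in ROUTES if net == best)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str   # interface on which the firewall received this packet


class StatefulFirewall:
    """Keeps a session DB keyed on the initiating 5-tuple, remembering the
    interface the session entered on and the interface replies must arrive on."""

    def __init__(self) -> None:
        self.sessions: dict[tuple, tuple[str, str]] = {}
        self.log: list[str] = []

    def inspect(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.sessions:            # more client-to-server traffic
            expected = self.sessions[fwd][0]
        elif rev in self.sessions:          # server-to-client reply
            expected = self.sessions[rev][1]
        else:                               # new session: record both sides
            self.sessions[fwd] = (p.ingress, egress_interface(p.dst))
            self.log.append(f"NEW {p.src}:{p.sport}->{p.dst}:{p.dport} via {p.ingress}")
            return "ALLOW"
        if p.ingress != expected:
            # This is the PIX complaint: session started on one interface,
            # continued on another, so the packet is treated as spoofed.
            self.log.append(f"DENY {p.src}:{p.sport}->{p.dst}:{p.dport}: "
                            f"expected on {expected}, arrived on {p.ingress}")
            return "DENY"
        return "ALLOW"


def squid_on_dmz() -> list[str]:
    """Thread scenario: the client's session is known to the firewall, Squid in
    the dmz fetches the page itself, then hands the client a reply whose source
    is the web server. That reply enters on dmz, not outside, and is denied."""
    fw = StatefulFirewall()
    return [
        fw.inspect(Packet(CLIENT, WEB, 40000, 80, "inside")),        # client request
        fw.inspect(Packet(SQUID_DMZ, WEB, 51000, 80, "dmz")),        # Squid's own fetch
        fw.inspect(Packet(WEB, SQUID_DMZ, 80, 51000, "outside")),    # genuine reply
        fw.inspect(Packet(WEB, CLIENT, 80, 40000, "dmz")),           # spoofed-source reply
    ]


def squid_on_inside() -> list[str]:
    """Tim's suggested fix: with Squid on the client segment, the Squid-to-client
    reply never crosses the firewall; only Squid's own symmetric fetch does."""
    fw = StatefulFirewall()
    return [
        fw.inspect(Packet(SQUID_INSIDE, WEB, 51000, 80, "inside")),
        fw.inspect(Packet(WEB, SQUID_INSIDE, 80, 51000, "outside")),
    ]


if __name__ == "__main__":
    for name, run in (("squid on dmz", squid_on_dmz), ("squid on inside", squid_on_inside)):
        print(name, run())
```

The last packet of `squid_on_dmz()` is the one that trips the check: the firewall already holds a session for the client's request whose replies are expected from `outside`, and a packet claiming to be from the web server arriving on `dmz` matches that session on the wrong interface. Moving Squid onto the inside segment, as the reply suggests, means the firewall only ever sees Squid's own symmetric fetch and never the spoofed-source leg.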
Received on Thu Jun 14 2001 - 11:37:26 MDT