Re: [squid-users] WCCP, Squid, and that darn PIX

From: Joe Cooper <joe@dont-contact.us>
Date: Thu, 14 Jun 2001 13:16:38 -0500

This is a problem with spoofing. Squid does not do IP spoofing; all
return traffic (whether in a transparent configuration or not) comes
back to the Squid IP.

Adam Lang wrote:

> I guess this is an example of why transparent proxying should be avoided.
>
> Adam Lang
> Systems Engineer
> Rutgers Casualty Insurance Company
> http://www.rutgersinsurance.com
> ----- Original Message -----
> From: "Tim Wolfe" <TimW@InfoGroupNW.com>
> To: "'Joe Mailander'" <jmailand@lane.k12.or.us>;
> <squid-users@squid-cache.org>
> Sent: Thursday, June 14, 2001 1:07 PM
> Subject: RE: [squid-users] WCCP, Squid, and that darn PIX
>
>>It looks to me as if the anti-spoofing features of the PIX are dropping the
>>session as a spoofed attack. You probably just need to turn off the
>>anti-spoofing stuff on the firewall (or on the interface or for that
>>specific source, depending on how granular the PIX will allow you to be).
>>This is due to the fact that you are running in transparent mode and the
>>cache is forwarding the HTTP response as though the web server (i.e.
>>www.nasa.gov) is sending the traffic directly to the client.
>>"Cisco says that error comes up when a session starts on one interface, but
>>continues on another." Which is what is happening when the web server at
>>NASA or wherever sends the return traffic through the outside interface to
>>the "client" IP but of course the traffic is actually returned to the Squid
>>server and then the Squid server forwards it back to the firewall's dmz
>>interface (on its way back to the client) and the firewall sees the same
>>incoming traffic (at least according to its session DB) coming in a
>>different interface and assumes it is spoofing. If Cisco can't tell you how
>>to disable this feature, just put Squid in front of the firewall (or on the
>>inside interface, assuming your clients are there), then the fw would never
>>see the squid to client return traffic which should solve the issue... :)
>>
>>Hope this helps..
>>
>>Thanks,
>>
>>--Tim

                                   --
                      Joe Cooper <joe@swelltech.com>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com
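The two views in this thread (a cache that answers as if it were the origin server versus Squid replying from its own address) can be checked against a toy model of the firewall's anti-spoofing rule. This is an added example, not code from the thread or from Squid or Cisco; it assumes the PIX check behaves as a reverse-path check on the source address, and the interface names, address ranges and hosts are constructed.

```python
import ipaddress

# Constructed topology (assumption, not taken from the thread): which address
# range the firewall reaches through which interface.
ROUTES = {
    "inside":  ipaddress.ip_network("10.0.0.0/24"),
    "dmz":     ipaddress.ip_network("192.0.2.0/24"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),  # default route
}


def route_iface(addr):
    """Longest-prefix match: the interface the firewall would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES.values() if ip in n), key=lambda n: n.prefixlen)
    return next(name for name, n in ROUTES.items() if n == best)


def check_packet(src, dst, ingress):
    """Reverse-path (anti-spoofing) check, modelling the PIX rule quoted above:
    a packet whose source address is reached via one interface but which shows
    up on another is treated as spoofed and dropped."""
    expected = route_iface(src)
    if expected != ingress:
        return ("drop", f"src {src} belongs on {expected} but arrived on {ingress}")
    return ("pass", f"src {src} arrived on {ingress} as expected")


def reply_to_client(spoofing_cache):
    """The cache's reply to the client, with the cache sitting in the dmz.
    A cache that rewrote the reply to carry the origin server's address would
    trip the check; Squid replies from its own dmz address, so the reply is a
    separate flow that arrives where the firewall expects it."""
    client, origin_server, cache = "10.0.0.5", "198.51.100.10", "192.0.2.20"
    reply_src = origin_server if spoofing_cache else cache
    return check_packet(reply_src, client, ingress="dmz")


if __name__ == "__main__":
    print("spoofing cache:", reply_to_client(True))
    print("squid (no spoofing):", reply_to_client(False))
```

The same model shows why moving the cache to the inside interface sidesteps the problem entirely: the cache-to-client reply then never crosses the firewall, so there is nothing for the check to drop.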
Received on Thu Jun 14 2001 - 12:06:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:45 MST