Re: [squid-users] wccp transparent proxy; returned spoofed packets are dropped!

From: Bruno Lopes de Souza Benchimol <brunobenchimol@dont-contact.us>
Date: Tue, 25 Dec 2007 11:54:08 -0300

You probably can try to disable the unicast RPF feature on the ASA. I know
how it works on routers, but it's probably pretty similar on the ASA series
(I also do not have one for testing... I wish I could), although that's not
the best method because it will fully disable uRPF verification.

To disable uRPF you need to:

* have ip cef available:
ASA(conf)# ip cef

* disable uRPF on the desired interface:
ASA(conf)# no ip verify unicast reverse-path

For enhanced security you should allow only the "needed" spoofed packets to
flow through it... to do it properly, just set up an ACL allowing them and add
it to the command:
ASA(conf)# ip verify unicast reverse-path ACL

I also don't really know if it's going to solve your problem because I missed
your initial post and couldn't find it on the list anymore... you can also
gather more information about RPF at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm#wp1003369

Tell me how that worked out for you.

Best regards,
 Bruno Benchimol
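The scoped-ACL variant Bruno suggests, written out as an added example (not from the thread and not something either poster ran). It uses Cisco IOS syntax; the interface name, the proxy's DMZ subnet (192.0.2.0/24) and the client range (10.0.0.0/8) are assumed. The idea is to keep strict uRPF on the DMZ interface and exempt only the one class of packets WCCP return traffic needs: TCP replies that arrive from the cache with an origin web server's address as source and an inside client as destination. Everything else that fails the reverse-path check is still dropped and logged. On an ASA the reverse-path command is per interface (`ip verify reverse-path interface <name>`, from memory) rather than the IOS form shown here, and the log line Daniel quotes below, "Deny TCP (No Connection)", is the ASA's stateful-inspection message for a SYN/ACK with no matching connection, which is a separate check from uRPF; the exemption below addresses only the reverse-path half.

```cisco
! Added example, not configuration from the original thread.
! Assumed topology: squid/WCCP cache on the DMZ interface (192.0.2.0/24),
! clients on the inside in 10.0.0.0/8. Origin web servers are anywhere.
ip cef
!
! Packets that FAIL the reverse-path check are then matched against this
! ACL; only "permit" entries are forwarded, everything else is dropped.
ip access-list extended URPF-DMZ-EXEMPT
 remark Cache replies spoofed with the origin server address, port 80 only,
 remark destined to inside clients. Nothing else may bypass uRPF.
 permit tcp any eq 80 10.0.0.0 0.255.255.255
 deny   ip any any log
!
interface GigabitEthernet0/1
 description DMZ (squid / WCCP cache engine)
 ip address 192.0.2.1 255.255.255.0
 ! strict mode (rx): source must be reachable via this interface,
 ! unless the packet is permitted by the exemption ACL
 ip verify unicast source reachable-via rx URPF-DMZ-EXEMPT
```

`show ip interface GigabitEthernet0/1` reports the uRPF drop and suppressed-drop counters, so you can confirm that only the expected port-80 replies are passing the exemption; the `deny ... log` entry gives you a record of anything else that tried.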

-----Original Message-----
From: Daniel Rose [mailto:drose@nla.gov.au]
Sent: Sunday, 23 December 2007 18:42
To: Tony Dodd
Cc: Adrian Chadd; squid-users@squid-cache.org
Subject: Re: [squid-users] wccp transparent proxy; returned spoofed packets
are dropped!

Tony Dodd wrote:
> Adrian Chadd wrote:
>> Didn't someone point out a few weeks ago that Cisco only support wccp
>> redirection on
>> the same interface as clients?
>>
>> the ASA is probably (quite rightly, its a firewall!) dropping the
>> packets coming in
>> from the DMZ as they're spoofed from another interface it knows about.
>>
>> You may be short of luck; you may have to put the proxy on INSIDE. See
>> if that works.
>> I'd offer better advice but I don't have an ASA to actually do testing
>> on..
>
> Actually, it depends on the firewall configuration mode... if it's in
> transparent mode, you're s.o.l, as the max number of interfaces == 3
> (including the management interface). If it's in routed mode, you stand
> a better chance, and can enable communication between the interfaces.
> The logging buffer will reveal all though.
>
>

Well it's in routed mode; I have 4 interfaces, but I left one out of the
original post for clarity.

The logged event is "Deny TCP (No Connection) from spoofed-ip/80 to
client-ip/2241 flags SYN ACK"

My problem now is that my cisco-fu is weak, and the ASDM GUI offers no
option to permit spoofed ack packets; at least, I couldn't find one.

I posted the same question to a cisco 'self-study' group but the responses
were not helpful.

I think I'll have to put the squid on the inside interface instead of the
DMZ, which is a shame. If anyone does know how to persuade the cisco gear
to allow the spoofed packets back through I'd be grateful; "allow ip any
any" doesn't work. I will push google a bit harder before I give up though.

-- 
Daniel Rose
National Library of Australia
Received on Tue Dec 25 2007 - 07:54:13 MST
