WCCP and PIX

Discussion in 'Cisco' started by Patrick, Dec 29, 2003.

  1. Patrick

    Patrick Guest

    Hello,

    Can someone answer the following question:

    Is it possible to use the PIX to redirect packets to a transparent
    proxy? This is possible on an IOS router with WCCP, but I haven't
    found the possibility to configure this on a PIX.

    I know it is not possible to send traffic out the same interface, but
    since the proxy is in the same network, I was hoping there might be a
    possibility to do this.

    Thanks in advance.


    With kind regards,

    Ikke Mij
     
    Patrick, Dec 29, 2003
    #1

  2. Patrick

    Hugo Drax Guest

    "Patrick" <> wrote in message
    news:...
    > Hello,
    >
    > Can someone answer the following question:
    >
    > Is it possible to use the PIX to redirect packets to a transparent
    > proxy? This is possible on an IOS router with WCCP, but I haven't
    > found the possibility to configure this on a PIX.
    >
    > I know it is not possible to send traffic out the same interface, but
    > since the proxy is in the same network, I was hoping there might be a
    > possibility to do this.
    >


    No, definitely no WCCP support in the PIX. It would be a nice thing to see
    in the future, and I do not see any WCCP support appearing in 2004 either. It
    would be nice to see WCCP appear in the PIX for sites that do not need a
    router :)
     
    Hugo Drax, Dec 29, 2003
    #2

  3. In article <bspvlc$80va$-berlin.de>,
    Hugo Drax <> wrote:

    :"Patrick" <> wrote in message
    :news:...
    :> Is it possible to use the PIX to redirect packets to a transparent
    :> proxy? This is possible on an IOS router with WCCP, but I haven't
    :> found the possibility to configure this on a PIX.

    :> I know it is not possible to send traffic out the same interface, but
    :> since the proxy is in the same network, I was hoping there might be a
    :> possibility to do this.

    :No, Definitely no WCCP support in the pix,

    Adding to Hugo's answer:

    You say "since the proxy is on the same network, I was hoping there
    might be a possibility", but that's just it: the inability to send on
    the same network is fundamental, so the fact that the proxy is on the
    same network would render it impossible for the current PIX design.

    In 6.3(3), if your proxy were on a -different- interface, you
    could get closer, by using policy nat in conjunction with
    outside nat: you could do something like:

    access-list outgoing-http permit tcp INSIDE-NET INSIDE-NETMASK any eq http
    static (outside, inside) PROXY-IP access-list outgoing-http

    (You might have to reverse the order in the access-list.)

    However, you can't use policy nat to force traffic into a different
    interface because routing is done before NAT, so you could at best
    use this method if your proxy were on the same interface as the
    traffic would have gone to without the static.

    I am also concerned about the clause in
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026694
    that says, in the description of the access-list parameter:

    The subnet mask used in the access-list is also used for the
    global_ip.

    Urrr, *which* subnet mask in the access-list? Since I'm matching
    a global destination, 'any', does that mean that it would attempt
    to use a 0.0.0.0 netmask for PROXY-IP ?? (Grrr, I need that testbed
    PIX!)
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
     
    Walter Roberson, Dec 29, 2003
    #3
  4. Patrick

    Rik Bain Guest

    On Mon, 29 Dec 2003 14:56:50 -0600, Walter Roberson wrote:

    > In article <bspvlc$80va$-berlin.de>,
    > Hugo Drax <> wrote:
    >
    > :"Patrick" <> wrote in message
    > :news:...
    > :> Is it possible to use the PIX to redirect packets to a transparent
    > :> proxy? This is possible on an IOS router with WCCP, but I haven't
    > :> found the possibility to configure this on a PIX.
    >
    > :> I know it is not possible to send traffic out the same interface, but
    > :> since the proxy is in the same network, I was hoping there might be a
    > :> possibility to do this.
    >
    > :No, Definitely no WCCP support in the pix,
    >
    > Adding to Hugo's answer:
    >
    > You say "since the proxy is on the same network, I was hoping there
    > might be a possibility", but that's just it: the inability to send on
    > the same network is fundamental, so the fact that the proxy is on the
    > same network would render it impossible for the current PIX design.
    >


    To add further: when using WCCP, the CE is fine on the same subnet as the
    client, as the WCCP router will make the request on the client's behalf and
    the CE will respond directly to the client. If the CE was on the DMZ, for
    example, the PIX would deny the response, as the CE spoofs the reply and
    the PIX will have no existing connection for it. So in a WCCP
    environment, the CE is good on the client subnet, or whatever subnet the
    WCCP router is on.

    Rik
     
    Rik Bain, Dec 29, 2003
    #4
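The state-table behaviour described in post #4, as an added example that is not part of the original thread: a simplified Python model of a stateful firewall (not the PIX's actual algorithm) showing why a Content Engine's spoofed reply is dropped when the CE sits on a DMZ but never reaches the firewall when the CE shares the client subnet. All addresses, the interface names, and the use of GRE for the WCCP redirect are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulFirewall:
    """Simplified model, not the PIX algorithm: state is kept per interface pair."""

    def __init__(self, nets, trusted="inside"):
        self.nets = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
        self.trusted = trusted
        self.conns = set()

    def egress_for(self, dst):
        addr = ipaddress.ip_address(dst)
        for name, net in self.nets.items():
            if addr in net:
                return name
        return "outside"  # default route

    def handle(self, ingress, flow):
        egress = self.egress_for(flow.dst)
        if egress == ingress:
            return "bypass"  # same segment: delivered at layer 2, firewall never sees it
        if (ingress, egress, flow) in self.conns:
            return "permit"
        if (egress, ingress, flow.reply()) in self.conns:
            return "permit"  # return traffic of a tracked connection
        if ingress == self.trusted:
            self.conns.add((ingress, egress, flow))  # new outbound connection
            return "permit"
        return "deny"  # unsolicited packet from a less trusted interface

def ce_reply_verdict(ce_ip):
    """Verdicts for the WCCP redirect and the CE's spoofed reply (constructed addresses)."""
    fw = StatefulFirewall({"inside": "10.0.0.0/24", "dmz": "172.16.0.0/24"})
    ce_if = fw.egress_for(ce_ip)
    # WCCP router (10.0.0.1, inside) forwards the client's request to the CE inside GRE
    redirect = fw.handle("inside", Flow("gre", "10.0.0.1", 0, ce_ip, 0))
    # CE answers the client directly, using the origin server's address as source
    reply = fw.handle(ce_if, Flow("tcp", "198.51.100.10", 80, "10.0.0.5", 40000))
    return redirect, reply
```

With the CE on the DMZ, the only state the firewall holds is the GRE flow between router and CE, so the TCP reply carrying the origin server's address matches nothing and is denied.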