I'm having trouble getting my ASA to talk to my Squid box. HTTP works fine, but HTTPS does not.
- I don't want to do SSL bump or anything like that. Just log the CONNECT messages.
ASA 5520.
show wccp
Global WCCP information:
Router information:
Router Identifier: 192.168.200.73
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 2589
Redirect access-list: wccp-traffic-http
Total Connections Denied Redirect: 0
Total Packets Unassigned: 1
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 70
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: wccp-traffic-https
Total Connections Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
It's as if it isn't seeing it at all.
show run | inc wccp
access-list wccp-traffic-https extended deny ip host 192.168.201.248 any
access-list wccp-traffic-https extended permit tcp object-group PROXY_USERS any eq https
access-list wccp-servers extended permit ip host 192.168.201.248 any
access-list wccp-traffic-http extended deny ip host 192.168.201.248 any
access-list wccp-traffic-http extended permit tcp object-group PROXY_USERS any eq www
wccp web-cache redirect-list wccp-traffic-http group-list wccp-servers password *****
wccp 70 redirect-list wccp-traffic-https group-list wccp-servers password *****
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
Debug output:
LNP-ASA5520# debug wccp subblocks
LNP-ASA5520# debug wccp packets
LNP-ASA5520# debug wccp events
LNP-ASA5520#
WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.201.248 w/rcv_id 00000059
WCCP-PKT:S00: Sending I_See_You packet to 192.168.201.248 w/ rcv_id 0000005A
WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.201.248 w/rcv_id 0000005A
WCCP-PKT:S00: Sending I_See_You packet to 192.168.201.248 w/ rcv_id 0000005B
I'm not sure why it won't connect via service group 70. I don't see any errors anywhere.
On the Squid side:
The GRE tunnel is up:
wccp0 Link encap:UNSPEC HWaddr C0-A8-C9-F8-30-30-3A-30-00-00-00-00-00-00-00-00
inet6 addr: fe80::5efe:c0a8:c9f8/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:36748 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4317057 (4.1 MiB) TX bytes:1080 (1.0 KiB)
PREROUTING looks fine.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.201.248:3128
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.201.248:3128
squid.conf, just in case.
#Access Lists
#acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/31
#Ports allowed through Squid
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
#allow/deny
http_access allow localhost
http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
#nameservers
dns_nameservers 192.168.201.1 8.8.8.8
#WCCPv2 items
http_port 3128 intercept
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=XXXXXXXXXX
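One thing the posted output makes visible: the ASA reports "Number of Cache Engines: 0" for service 70, and the debug trace only ever shows Here_I_Am packets for S00 (the web-cache service). That matches the posted squid.conf, which registers only `wccp2_service standard 0`; a WCCPv2 cache never announces a dynamic service it has not been told about. As an added example (not the poster's config, and not from the Squid project), the WCCP section below registers service group 70 for TCP/443 as well. It assumes a Squid 3.x build with WCCPv2 support, the same router address and passwords as in the post (the password is a placeholder), and it drops `wccp_version 2`, which is a WCCPv1-only directive with no effect on the `wccp2_*` setup.

```conf
# Added example, not the original squid.conf. Everything else in the poster's
# file (acls, http_access, dns_nameservers) stays as posted; only the WCCPv2
# block changes.
http_port 3128 intercept

wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre

# Service 0 is the fixed "web-cache" service (port 80); it needs no
# service_info line. Counterpart of "wccp web-cache ..." on the ASA.
wccp2_service standard 0 password=XXXXXXXXXX

# Service 70 is a dynamic service, so the cache must describe it to the
# router: which protocol, which ports, and how to hash. The group number and
# password must match "wccp 70 ... password" on the ASA; the port list comes
# from this announcement, not from the ASA's redirect-list ACL.
wccp2_service dynamic 70 password=XXXXXXXXXX
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
```

After reloading Squid, `debug wccp packets` on the ASA should start showing Here_I_Am/I_See_You pairs tagged with the 70 service, and `show wccp 70 detail` should list one cache engine. One caveat on the stated goal: traffic redirected from port 443 arrives at Squid as a raw TLS ClientHello, not as a CONNECT request (CONNECT only appears with explicit-proxy clients), so a plain `http_port 3128 intercept` cannot parse it. Logging those connections requires an `https_port ... intercept ssl-bump` with a peek or splice rule (no decryption, but it is the ssl-bump machinery), plus a matching DNAT rule; that goes beyond the posted config and is noted here as an assumption about what "just log the CONNECT messages" would take.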