HTTP Transparent Proxy using a Cisco ASA firewall and a Squid proxy server Part One
Scenario
Here’s the story, and the picture for that matter. You have an imaginary University that wants to ensure that all Internet traffic is filtered. To do so, they use group policies – God bless Active Directory - to configure the desktops and laptops on their campus and, quite correctly, block all outbound web traffic, unless it is destined for the external proxy server (in this case at ja.net), at the firewall interface. This is, however, the 21st century and a whole host of other devices need to be allowed access to the Internet and these devices are outside the control of the College. To add insult to security concerns, this imaginary University is under strategic pressure to allow unfettered wireless access to all and sundry.
There was, of course, the option to simply buy a web filtering license for the ASA firewall but that would have introduced additional challenges such as handling uncontrolled rage from those who control the budget. A more cost effective solution was therefore necessary.
Solution
The solution therefore was to use WCCP (Web Cache Control Protocol) on the Cisco ASA to redirect the outbound web traffic to a pair of Squid proxy servers running on a virtual Linux platform. These Squid servers would then redirect all web traffic to the upstream proxy servers where filtering would be duly applied.
Limitations
As the solution is effectively transparent, there is no way to enforce any kind of authentication so, if tracking down who did what and when is important to you then this is not the solution for you. If you are used to the simplicity of the registry on a Windows server, then wading through the 7000+ lines that make up the Squid configuration file may make you wonder if you have been transported back in time to the Dark Ages as some sort of punishment.
Note that the WCCP configuration is interface specific on an ASA firewall. You can redirect traffic from many VLANs to the Squid servers using WCCP as long as that traffic travels through the same firewall interface on its way out the door. If you have HTTP traffic in need of redirection entering through another interface on the ASA then you would need to put a Squid server connected to a VLAN on that interface.
WCCP supports the use of multiple proxy servers but you should remember that this is an availability solution rather than a load balanced solution. If a proxy server goes down then the ASA firewall will direct traffic to the next available proxy server. As UDP is used for control, you would need a proper load balancer (F5, Kemp etc.) to properly load balance the proxy servers.
Notes
This solution used an ASA running 8.4.x and a Linux server running Ubuntu 14.x and Squid 3.x. There are too many variations on a Linux/Squid theme to test but the configuration should be similar.
Deployment
Firewall
First configure the ASA firewall. You can do this easily within the GUI but the command line is always more fun. You need to create two access lists – one for the Squid servers and one for the traffic that you want to redirect. So the Squid server (a.b.c.152 and a.b.c.153) list first and we shall call this access list 88.
access-list 88 permit a.b.c.152
access-list 88 permit a.b.c.153
Now we can create an access list to identify the traffic that is to be redirected. Note that we specifically exclude the Squid servers. The student network in this case si 192.168.1.0/24 and the wireless network is 192.168.2.0/24
access-list 89 deny ip host a.b.c.152 any
access-list 89 deny ip host a.b.c.153 any
access-list 89 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 89 permit tcp 192.168.2.0 255.255.255.0 any eq 80
access-list 89 deny ip any any
Then apply the WCCP configuration to the ASA interface, in this case the inside interface.
wccp web-cache redirect-list 89 group-list 88 password strongpassword
wccp interface inside web-cache redirect in
In part 2, we will cover the Squid and Linux server configuration.