Foreword

This tutorial shows how to transparently filter HTTP and HTTPS traffic using a Cisco ASA firewall, a Squid proxy and the Web Safety ICAP web filter, with WCCP handling the traffic redirection.

This tutorial assumes the following network deployment scheme.

  1. The Cisco ASA firewall (version 5505) is deployed as the network gateway. Its internal address is 192.168.6.1, netmask 255.255.255.0. The external address is configured by DHCP or statically by the ISP.
  2. The Cisco ASA firewall acts as the DHCP server for the internal network, assigning dynamic addresses from the 192.168.6.0 subnet with the network mask set to 255.255.255.0. All computers in the internal network have 192.168.6.1 set as their default gateway.
  3. A Squid proxy integrated with the Web Safety ICAP web filter runs in the virtual appliance downloaded from https://www.diladele.com/virtual_appliance.html (use version 7.0!), deployed in VMware vSphere/ESXi. The IP address of the proxy is set statically to 192.168.6.15.
  4. We strive to transparently redirect, decrypt and filter both HTTP and HTTPS traffic from our network without the need to configure anything on the internal computers. Redirection will be done using the WCCPv2 protocol.

The following diagram illustrates our network.

[Figure: network diagram (network4.png)]

Warning

Please note that our network design assumes the Squid proxy is located in the same subnet as the client workstations. This is not always optimal, but unfortunately Cisco ASA supports only this kind of deployment. For more complex network designs, see the Squid Wiki at http://wiki.squid-cache.org/ConfigExamples/Intercept