IPsec VPN between a Cisco ASA and a MikroTik

Another entry that is just a note.

Today it is time to detail the configuration of an IPsec VPN (IKEv1, main mode, pre-shared key) between a Cisco ASA and an x86 MikroTik. As written, both sides use 3DES, MD5 and DH group 2 (modp1024); what matters for the tunnel to come up is that the two ends offer exactly the same parameters, but all three are deprecated and a new deployment should prefer AES, SHA-2 and a 2048-bit or larger group on both ends.

Scenario:

HOST
192.168.0.1
<->
CISCO ASA
192.168.0.254 INSIDE
1.1.1.1 OUTSIDE
<->
INTERNET
<->
MIKROTIK
192.168.11.254 INSIDE
2.2.2.2 OUTSIDE
<->
HOST
192.168.11.1/24

With this layout we start on the MikroTik side. The peer settings (3DES, MD5, modp1024, main mode, pre-shared key) must match the ASA's ISAKMP policy. Note that a second proposal named "cisco" is created but the policy references proposal=default, so it is the default proposal whose algorithms and PFS group must agree with the ASA's transform-set:


/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=59m59s name=cisco pfs-group=modp1024

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=miSuperSecreto send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.11.0/24 src-port=any tunnel=yes

And the srcnat rule that exempts the LAN-to-LAN traffic from NAT so that it enters the IPsec tunnel with its real source address. It has to sit above the masquerade (or src-nat) rule for the WAN interface: RouterOS evaluates the chain in order and action=accept stops further srcnat processing for the matching packets:


/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 src-address=192.168.11.0/24

And now the Cisco side (pre-8.3 NAT syntax; redLocal stands for the ASA's inside network, 192.168.0.0 in the diagram). Access-list 100 is the NAT-exemption list and mirrors the MikroTik srcnat accept rule, access-list 110 defines the interesting traffic for the crypto map:

access-list 100 remark --> acl NAT exemption for the vpn
access-list 100 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0
access-list 110 remark --> acl allow_vpn
access-list 110 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.0.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic dynmap
crypto map dyn-map 30 match address 110
crypto map dyn-map 30 set peer 2.2.2.2
crypto map dyn-map 30 set transform-set myset
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key miSuperSecreto

Ping from either end to generate interesting traffic and the tunnel comes up. Two things to check if it does not: the MikroTik policy requires PFS (pfs-group=modp1024) while the ASA entry sets none, which the ASA accepts as responder but means it will not propose PFS when it initiates (add "crypto map dyn-map 30 set pfs group2" to make both sides symmetric); and the dynamic crypto map entry (sequence 20) sits ahead of the static entry for 2.2.2.2 (sequence 30), whereas Cisco recommends that dynamic entries carry the highest sequence number so that static peers are matched first.
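Because the tunnel only comes up when both ends offer the same phase 1 and phase 2 parameters, here is a small checker, added for this write-up and not code from MikroTik or Cisco, that parses the two configurations above (embedded as its input, trimmed to the lines that carry negotiation parameters) and reports whether the IKE, ESP and PFS settings agree and which of the algorithms in use are deprecated. The vendor-name mapping and the set of algorithms it treats as weak are my own choices.

```python
"""Cross-check that the MikroTik and Cisco ASA IKEv1/IPsec settings agree.
Added example for this post (not MikroTik or Cisco code); the two configs are
the post's own, trimmed to the lines that carry negotiation parameters."""

MIKROTIK_CFG = """
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=59m59s name=cisco pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 enc-algorithm=3des exchange-mode=main hash-algorithm=md5 secret=miSuperSecreto
/ip ipsec policy
add action=encrypt dst-address=192.168.0.0/24 proposal=default sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.11.0/24 tunnel=yes
"""

ASA_CFG = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map dyn-map 30 match address 110
crypto map dyn-map 30 set peer 2.2.2.2
crypto map dyn-map 30 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Vendor spellings mapped onto one neutral vocabulary (DH groups by IANA number).
NORMALIZE = {
    "esp-3des": "3des", "esp-des": "des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
    "esp-sha256-hmac": "sha256", "sha": "sha1", "aes": "aes-128", "esp-aes": "aes-128",
    "esp-aes-256": "aes-256", "aes-128-cbc": "aes-128", "aes-256-cbc": "aes-256",
    "modp768": "group1", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14",
    "1": "group1", "2": "group2", "5": "group5", "14": "group14",
}
# 64-bit block cipher, broken hash, 1024-bit-or-smaller DH: my own "weak" list.
WEAK = {"des", "3des", "md5", "group1", "group2"}


def norm(value):
    return NORMALIZE.get(value.lower(), value.lower())


def parse_mikrotik(text, peer_ip, policy_dst):
    """IKE, ESP and PFS settings of the RouterOS peer/policy that face the ASA."""
    section, proposals, peer, policy = None, {}, None, None
    for line in text.splitlines():
        kv = dict(t.split("=", 1) for t in line.split() if "=" in t)
        if line.startswith("/"):
            section = line.strip()
        elif not kv:
            continue
        elif section == "/ip ipsec proposal":
            proposals[kv["name"]] = kv
        elif section == "/ip ipsec peer" and kv.get("address", "").split("/")[0] == peer_ip:
            peer = kv
        elif section == "/ip ipsec policy" and kv.get("dst-address") == policy_dst:
            policy = kv
    if peer is None or policy is None:
        raise ValueError("MikroTik export has no peer/policy for the ASA")
    prop = proposals[policy.get("proposal", "default")]  # RouterOS falls back to 'default'
    return {"ike": {"enc": norm(peer["enc-algorithm"]), "hash": norm(peer["hash-algorithm"]),
                    "dh": norm(peer["dh-group"])},
            "esp": {"enc": {norm(a) for a in prop["enc-algorithms"].split(",")},
                    "auth": {norm(a) for a in prop["auth-algorithms"].split(",")}},
            "pfs": norm(prop.get("pfs-group", "none"))}


def parse_asa(text, map_name, seq):
    """All ISAKMP policies, plus the ESP/PFS settings of one crypto map entry."""
    policies, tsets, entry, cur = {}, {}, {"pfs": "none"}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(w[3], {})
        elif cur is not None and w[0] in ("encryption", "hash", "group"):
            cur[{"encryption": "enc", "hash": "hash", "group": "dh"}[w[0]]] = norm(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and w[4] != "mode":
            tsets[w[3]] = w[4:]
        elif w[:5] == ["crypto", "map", map_name, str(seq), "set"]:
            if w[5] == "transform-set":
                entry["tset"] = w[6]
            elif w[5] == "pfs":  # a bare 'set pfs' means group2 on the ASA
                entry["pfs"] = w[6] if len(w) > 6 else "group2"
    tset = tsets[entry["tset"]]
    auth = tset[1] if len(tset) > 1 else "none"
    return {"ike": list(policies.values()),
            "esp": {"enc": {norm(tset[0])}, "auth": {norm(auth)}},
            "pfs": norm(entry["pfs"])}


def compare(mt, asa):
    """Match flags per phase, the PFS pair, and every weak algorithm either side offers."""
    used = set(mt["ike"].values()) | mt["esp"]["enc"] | mt["esp"]["auth"] | {mt["pfs"], asa["pfs"]}
    used |= asa["esp"]["enc"] | asa["esp"]["auth"]
    for p in asa["ike"]:
        used |= set(p.values())
    return {"ike": mt["ike"] in asa["ike"],  # some ASA policy equals the MikroTik peer
            "esp": asa["esp"]["enc"] <= mt["esp"]["enc"] and asa["esp"]["auth"] <= mt["esp"]["auth"],
            "pfs": (mt["pfs"], asa["pfs"]),
            "weak": sorted(used & WEAK)}


def check_post_configs():
    return compare(parse_mikrotik(MIKROTIK_CFG, "1.1.1.1", "192.168.0.0/24"),
                   parse_asa(ASA_CFG, "dyn-map", 30))


if __name__ == "__main__":
    for key, value in check_post_configs().items():
        print(f"{key}: {value}")
```

Run as a script it reports ike: True, esp: True, pfs: ('group2', 'none') and weak: ['3des', 'group2', 'md5']: both phases match, the ASA accepts the MikroTik's PFS offer when it is the responder (it only needs "set pfs" to propose PFS itself), and every algorithm in the post is one to replace in a new deployment. Swapping the embedded strings for a real "/export" and "show running-config" gives the same report for your own pair.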
