<p><strong>Policy Based Routing with Cisco and Mikrotik, IPIP tunnel and NAT (1)</strong><br />
Published 2013-08-06 at https://diablo.craem.net/?p=910 (categories: cisco, mikrotik, varios; tags: cisco, mikrotik, nat, policy-based-routing, tunnel-ipip)</p>
<p>This post is, by far, one of the configurations that has made me sweat the most... several factors come into play:<br />
1) I have a service provider that gives me 8 public IPs<br />
2) I have to reach the provider with my own connection<br />
3) I build an IPIP tunnel between the Mikrotik and my Cisco router<br />
4) NAT has to be used<br />
The reason is that I need to use those 8 IPs, and only certain hosts will go out through the IP tunnel / public IPs; the rest of the machines in my house will go out through my normal connection.<br />
First of all, I'll do the config and the diagram with the Cisco as client and the Mikrotik as server:<br />
<a href="https://diablo.craem.net/wp-content/uploads/2013/08/ipip1.png"><img src="https://diablo.craem.net/wp-content/uploads/2013/08/ipip1.png" alt="ipip1" width="675" height="457" class="aligncenter size-full wp-image-911" /></a><br />
We start with the Mikrotik configuration:</p>
<pre><code>/interface ipip
add disabled=no dscp=0 local-address=3.3.3.3 mtu=1480 name=ipip_craem remote-address=2.2.2.2
/ip address
add address=192.168.194.1/30 disabled=no interface=ipip_craem network=192.168.194.0
# the /32 routes below belong under /ip route (the original listing left them under /ip address)
/ip route
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.2/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.3/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.4/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.5/32 gateway=192.168.194.2 scope=30 target-scope=10
add disabled=no distance=1 dst-address=1.1.1.6/32 gateway=192.168.194.2 scope=30 target-scope=10
</code></pre>
<p>First we create the tunnel and give it an IP; then, so as not to lose the network and broadcast addresses of the /29, we negotiate with the provider to route the public IPs to us one by one over the tunnel, after buying the technician a few beers 😉 Keep in mind that IPIP carries the inner packets without any encryption or authentication, so the tunnel is purely a routing construct, not a secure channel.<br />
And now the Cisco side; we start with the tunnel:</p>
<pre><code><strong>interface Tunnel7</strong>
 description TUNNEL proveedor /29
 ip address 192.168.194.2 255.255.255.252 --> private IP of the tunnel
 ip mtu 1480  --> adjust the MTU (1500 minus the 20-byte outer IP header)
 ip nat outside --> my machines sit behind the firewall, with NAT
 ip virtual-reassembly
 ip policy route-map prov_lan --> policy routing applied
 qos pre-classify --> apply QoS before encapsulating into the tunnel
 tunnel source 2.2.2.2 --> my public IP
 tunnel destination 3.3.3.3 --> destination IP
 tunnel mode ipip --> tunnel mode
</code></pre>
<p>We create the policy, here applied to traffic the router itself originates (local policy):</p>
<pre><code>! route-map name unified to prov_lan, the only route-map defined in this post (the original listing used prov_map here)
ip local policy route-map prov_lan
</code></pre>
<p>We put the IPs that will go out through the tunnel in an access-list:</p>
<pre><code>access-list 112 remark -> ACL NAT prov IPS PUBLICAS
access-list 112 permit ip host 172.26.2.9 any
access-list 112 permit ip host 172.26.2.11 any
access-list 112 permit ip host 172.26.2.5 any
access-list 112 permit ip host 172.26.2.6 any
access-list 112 permit ip host 172.26.2.12 any
</code></pre>
<p>We build the route-map that identifies those packets and sends them into the tunnel:</p>
<pre><code>route-map prov_lan permit 10
 match ip address 112
 set interface Tunnel7
</code></pre>
<p>And now we create the NAT from the private addresses to our provider's public ones:</p>
<pre><code>ip nat inside source static 172.26.2.9 1.1.1.1
ip nat inside source static 172.26.2.11 1.1.1.2
ip nat inside source static 172.26.2.5 1.1.1.3
ip nat inside source static 172.26.2.6 1.1.1.4
ip nat inside source static 172.26.2.12 1.1.1.5
</code></pre>
<p>If we don't put NAT on the tunnel, there will be no translation and we won't be able to use the public IPs.<br />
Now we have to apply the policy route-map to the interfaces:</p>
<pre><code>! route-map name unified to prov_lan, the only route-map defined in this post (the original listing used rlan_map here)
interface FastEthernet0/0
 bandwidth 6096
 ip address dhcp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
<strong> ip policy route-map prov_lan</strong>
!
interface GigabitEthernet0/1/0
 ip address 172.26.2.20 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map prov_lan
 negotiation auto
</code></pre>