I've established an IPsec tunnel between a MikroTik 5.x and a Cisco ASA for a site-to-site connection, but after establishing the tunnel successfully (no errors in the log, shows all the correct algorithms in the Installed SAs menu) I don't receive anything back from the remote subnet (in the Installed SAs it shows sent bytes but 0 for received). I've added a Firewall NAT "accept" rule to communicate with the remote subnet.
I have no access to the Cisco device.
Any ideas for what to check? How can I know the problem is not on MikroTik's end?
I'm not sure if you have the same scenario as I do, but let's try. I assume you have private subnets on both ends? Let's say the Cisco site has 192.168.10.0/24 and the MikroTik site has 192.168.20.0/24. Then you need to exempt your subnets from NAT so it goes through. It was something I had to add to the MikroTik config; it didn't do it automatically. To do this I went (in WinBox) into IP - Firewall. On the NAT tab I added one srcnat rule. In the General tab of the rule, the chain is srcnat, Src Address is MikroTik's site subnet, 192.168.20.0/24, Dst Address is the Cisco site subnet, 192.168.10.0/24, and on the Action tab it's Accept. Then you have to drag that rule to the top so it's before the masquerade rule. Of course the Cisco has to be set up similarly, i.e. NoNat on the same traffic. Hope this helps.
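The same NAT exemption expressed as RouterOS CLI commands, with a counter check to confirm the rule is actually matching tunnel-bound traffic. This is an added example, not part of the original thread; the subnets are the ones used in the answer above, and the WAN interface name `ether1` is an assumption.

```routeros
# Added example (not from the original post): RouterOS 5.x CLI equivalent of the
# WinBox steps above. Subnets as in the answer: MikroTik side 192.168.20.0/24,
# Cisco side 192.168.10.0/24; "ether1" as the WAN interface is an assumption.

# Typical existing masquerade rule: if it runs first, it rewrites the source
# address of LAN-to-remote-LAN packets so they no longer match the IPsec policy
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# NAT exemption: accept LAN-to-remote-LAN traffic unchanged, inserted at
# position 0 so it is evaluated before the masquerade rule (order matters)
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 \
    dst-address=192.168.10.0/24 action=accept place-before=0 \
    comment="NoNAT for IPsec to Cisco site"

# Checks: the accept rule should be listed first and its packet/byte counters
# should rise while a host on 192.168.20.0/24 pings a host on 192.168.10.0/24;
# received bytes on the installed SA will only rise once the Cisco side
# carries the matching NAT exemption for the same traffic
/ip firewall nat print stats
/ip ipsec installed-sa print
```

If the accept rule's counters stay at zero while you generate traffic, the packets are not reaching srcnat with the expected addresses, which points at a local routing or policy problem rather than the Cisco end.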