Hi
I’ve had an issue with an IPSec tunnel between a Mikrotik router (local) and a Cisco ASA device (remote). The policy comes up as established and from the Cisco I am able to speak to the devices behind the Mikrotik at the other side, however from the Mikrotik I cannot reach the devices behind the Cisco.
The Mikrotik is configured with a PPPoE connection as the primary internet connection. When debugging the connection, it appears as if the interesting traffic is being NATed out the WAN interface even though I have confirmed:
The traffic selectors are correct on the IPSec policy
Source NAT rules exist to accept the IPSec policy so no NAT is done
Is anyone aware of any issues with this configuration?
You have not shared your config, so I can only speculate here. Since you seem to be testing (pinging?) directly from your Mikrotik device, the test connection is unlikely to be NATed, but rather originated straight from your external IP address, which is not covered by your IPsec policy, I guess.
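The check the reply above is suggesting, as an added RouterOS CLI example that is not part of the original thread. The addresses are assumptions: 192.168.88.0/24 behind the Mikrotik with 192.168.88.1 as its LAN address, and 10.10.0.0/24 (host 10.10.0.10) behind the Cisco ASA. The point is that a plain /ping from the router is sourced from the PPPoE address, which the policy's src-address selector does not cover, so the packet falls through to masquerade; pinging with src-address set to a LAN address inside the selector exercises the same path that LAN hosts use.

```routeros
# Added example, not from the original post. Addresses are assumed:
# 192.168.88.0/24 behind the Mikrotik (router LAN address 192.168.88.1),
# 10.10.0.0/24 behind the Cisco ASA, test host 10.10.0.10.

# 1. Confirm the traffic selectors and that phase 2 is up for this policy.
/ip ipsec policy print detail where dst-address=10.10.0.0/24

# 2. The srcnat bypass must sit ABOVE the masquerade rule; if masquerade
#    matches first, the packet is rewritten to the PPPoE address before the
#    IPsec policy is consulted and it leaves the WAN in clear.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/24 \
    comment="bypass NAT for IPsec traffic to the ASA"
/ip firewall nat print

# 3. Ping from the router with a source address that is inside the policy's
#    src-address selector. Without src-address= the ping leaves from the
#    PPPoE address and the policy never matches it.
/ping 10.10.0.10 src-address=192.168.88.1 count=5

# 4. While the ping runs, the bypass rule's counters and the SA byte counters
#    should both increase; if only the masquerade counter moves, the bypass
#    rule is either below masquerade or its selectors do not match.
/ip firewall nat print stats
/ip ipsec installed-sa print
```

If the ping with src-address= works but the plain ping does not, the tunnel and NAT bypass are fine and the router's own traffic simply is not covered by the policy, which is the situation the reply describes.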
…
The policy comes up as established and from the Cisco I am able to speak to the devices behind the Mikrotik at the other side, however from the Mikrotik I cannot reach the devices behind the Cisco.
…
When debugging the connection, it appears as if the interesting traffic is being NATed out the WAN interface even though,
Usually it is not much of a problem if we ping any remote end from the local router, but sometimes ping doesn't work from the end-to-end devices because of split routing.
So, better to check both routers' routing tables with the tunnel on. See their tunnel metric and compare it with the default internet route.
If their metrics are lower than those to the internet, maybe you need to check your firewall settings.