Hi,
I have a problem with routing all traffic into a VPN with a MikroTik.
My scenario is composed of a Cisco ASA 5508 in the master site with an IPsec VPN configured to accept site-to-site connections from dynamic peers. In the remote office I have a MikroTik linked to this IPsec.
office lan (192.168.88.0/24) → mikrotik (192.168.88.253/24 lan interface) → 3G connection (dynamic ip) <<—>> master site public IP static - ASA 5508 (192.168.1.253/24) → lan (192.168.1.0/24)
I made an IPsec rule specifying that 192.168.88.0/24 to 192.168.1.0/24 goes through the IPsec tunnel. This comes up with no problem and I can ping both sites.
Now I want to route all the MikroTik LAN traffic (192.168.88.0/24) into the IPsec tunnel as well. My goal is to have all remote computers surf the web from the Cisco ASA with the static public IP of the master site.
So I made a new IPsec route with 0.0.0.0/0 as destination.
Now the remote office can reach every site through the VPN, but I have the problem that the MikroTik GW is not pingable from my primary site LAN. Why?
Also, why is it that if I remove the first strict IPsec rule (192.168.88.0/24 → 192.168.1.0/24), the remote LAN computers can't ping the master LAN 192.168.1.0/24? Doesn't 0.0.0.0/0 include 192.168.1.0/24???
Can anyone help me?
Thanks in advance!
I put here the rules that I have active in the remote MikroTik:
ipsec section:
/ip ipsec policy add dst-address=192.168.1.0/24 level=unique proposal=proposal1 sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes
/ip ipsec policy add dst-address=0.0.0.0/0 level=unique proposal=proposal1 sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=yes
route section:
/ip route add distance=1 gateway=ppp-out1
nat section:
/ip firewall nat add action=masquerade chain=srcnat comment="NAT FOR 3G CONNECTION" dst-address=xx.xx.xx.xx out-interface=ppp-out1
xx.xx.xx.xx is the static public IP of the master site
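The prefix-coverage and NAT-ordering question above, as an added model that is not part of the original post and is not RouterOS code: it transcribes the posted srcnat rule and the two IPsec policies, assumes that RouterOS runs srcnat before the egress IPsec policy lookup and that policies are matched in listed order (first match wins), and uses constructed placeholder addresses (203.0.113.1 standing in for xx.xx.xx.xx, 198.51.100.7 as the dynamic address of ppp-out1, and a couple of LAN hosts).

```python
"""Model of how the remote MikroTik in the post would treat a few flows:
srcnat first, then IPsec policy lookup in listed order (first match wins).
Added illustration, not part of the original post and not RouterOS code.
The peer address, 3G egress address and LAN hosts are constructed
placeholders standing in for xx.xx.xx.xx and real hosts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PEER_PUBLIC_IP = "203.0.113.1"   # stands in for xx.xx.xx.xx (documentation range)
PPP_EGRESS_IP = "198.51.100.7"   # constructed dynamic address of ppp-out1


@dataclass
class NatRule:
    chain: str
    action: str
    dst_address: Optional[str] = None
    out_interface: Optional[str] = None


@dataclass
class IpsecPolicy:
    src_address: str
    dst_address: str
    sa_dst_address: str


# The post's rules, transcribed into the model
NAT_RULES = [NatRule("srcnat", "masquerade", dst_address=PEER_PUBLIC_IP, out_interface="ppp-out1")]
POLICY_SPECIFIC = IpsecPolicy("192.168.88.0/24", "192.168.1.0/24", PEER_PUBLIC_IP)
POLICY_DEFAULT = IpsecPolicy("192.168.88.0/24", "0.0.0.0/0", PEER_PUBLIC_IP)
BOTH_POLICIES = [POLICY_SPECIFIC, POLICY_DEFAULT]
ONLY_DEFAULT = [POLICY_DEFAULT]


def apply_srcnat(src_ip: str, dst_ip: str, out_iface: str, rules: List[NatRule]) -> str:
    """Return the source address after srcnat; masquerade rewrites it to the egress IP."""
    for rule in rules:
        if rule.chain != "srcnat":
            continue
        if rule.dst_address and ip_address(dst_ip) not in ip_network(rule.dst_address):
            continue
        if rule.out_interface and rule.out_interface != out_iface:
            continue
        if rule.action == "masquerade":
            return PPP_EGRESS_IP
    return src_ip


def match_policy(src_ip: str, dst_ip: str, policies: List[IpsecPolicy]) -> Optional[int]:
    """Index of the first policy whose src/dst prefixes cover the packet, or None."""
    for idx, pol in enumerate(policies):
        src_ok = ip_address(src_ip) in ip_network(pol.src_address)
        dst_ok = ip_address(dst_ip) in ip_network(pol.dst_address)
        if src_ok and dst_ok:
            return idx
    return None


def classify(src_ip: str, dst_ip: str, policies: List[IpsecPolicy],
             out_iface: str = "ppp-out1") -> Tuple[str, Optional[int]]:
    """Post-NAT source and matched policy index (srcnat assumed to run before the IPsec lookup)."""
    nat_src = apply_srcnat(src_ip, dst_ip, out_iface, NAT_RULES)
    return nat_src, match_policy(nat_src, dst_ip, policies)


if __name__ == "__main__":
    flows = [
        ("192.168.88.10", "192.168.1.10"),    # LAN host to master LAN
        ("192.168.88.10", "8.8.8.8"),         # LAN host to the internet
        ("192.168.88.253", "192.168.1.10"),   # the MikroTik's own LAN address replying to master LAN
        ("192.168.88.10", PEER_PUBLIC_IP),    # LAN host to the peer's public address
    ]
    for name, pols in (("both policies", BOTH_POLICIES), ("only 0.0.0.0/0", ONLY_DEFAULT)):
        print(f"--- {name}")
        for src, dst in flows:
            nat_src, idx = classify(src, dst, pols)
            hit = f"policy {idx} (dst {pols[idx].dst_address})" if idx is not None else "no policy (clear text)"
            print(f"{src:>15} -> {dst:<15} src after NAT {nat_src:<15} {hit}")
```

Run it and the second table shows that, on the MikroTik side, a 0.0.0.0/0 destination prefix does cover 192.168.1.0/24: with only the default policy present, a packet from 192.168.88.10 to 192.168.1.10 still matches. It also shows that the posted masquerade rule only rewrites traffic addressed to the peer's public IP, so LAN traffic to anything else keeps its 192.168.88.x source and remains eligible for the policies. The model stops at the MikroTik: it does not represent what traffic selectors the ASA is willing to negotiate or accept for a dynamic peer, which is the other half of whether a packet actually crosses the tunnel.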