Site to Site VPN / IPSEC behind Mikrotik NAT Router

Forgive me if this topic has been covered, I’m sure it has. I searched the forums, but could not find my exact use case.

I have a Mikrotik CRS125-24G-1S-RM configured as my gateway router, working great, love the product. Now, we have a client moving into our building and their company has provided me with a Cisco ASA 5505 to complete their site to site VPN tunnel. I do not want to place the Cisco appliance ahead of our Mikrotik equipment. I have a static public IP configured for the Cisco junk and would like to segregate the client traffic to this device.

I believe that I should establish a NAT-T (NAT Traversal) method to accomplish this goal, but I am not sure. If so, please confirm and I will be glad to provide more specifics, if needed. If not, maybe there is a better method. Can anyone chime in and get me pointed in the right direction?

Thank you!

Do you have enough public IPs available that you could carve out a /30 for the ASA? Put one IP from the /30 on the CRS and the other on the ASA…no need for any NAT. If the /30 falls within the middle of a larger block, you could enable proxy-arp on the MikroTik to ensure that traffic gets to/from the ASA.

Another option to avoid NAT would be to enable a PPP server on the MikroTik and have the ASA dial-in. PPP would avoid the IP waste involved in a /30, allowing you to directly give just the one public IP to the ASA in the form of a /32. You could either have the ASA dial in with PPPoE, or you could set up a separate RFC1918 network for the port on the CRS facing the ASA, give the ASA a non-routable IP statically or via DHCP, and then have the ASA “dial” into the CRS to get its public IP via PPTP.

One-to-one NAT is always an option, though, as long as the ASA supports NAT-T for IPsec (assuming that IPsec is what they are using for the site-to-site).

– Nathan

Hi Nathan,

Thanks for the reply and advice!

I think I will forgo option 1, I only have a block of 8 statics and don’t want to tie up any more than I have to.

Of the remaining two options, NAT-T sounds like the best option to me. I did a bit of research on the Cisco ASA 5505 and it appears to support IPsec over NAT-T, now I just have to get them to set that up.

Assuming I go NAT-T, can you offer some advice on configuration of the Mikrotik device or lead me to an example? I’m really not sure where to start. I have posted a simple network diagram to help visualize our setup.
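Worked example of the one-to-one NAT option from Nathan's reply, on the MikroTik side. This is an added example, not configuration posted in the thread or by either company; every address, subnet and interface name in it is an assumption (a public /29 203.0.113.8/29 on ether1, 203.0.113.12 as the public IP reserved for the ASA, and a private transfer /30 on ether24 with the ASA's outside interface at 192.168.250.2). Adjust to the real block and ports before pasting.

```routeros
# Added example (not from the original thread). All addresses and interface
# names are assumed: public block 203.0.113.8/29 on ether1 (WAN), 203.0.113.12
# reserved for the ASA, ASA outside interface on a private /30 behind ether24.

# Transfer network between the CRS and the ASA's outside interface.
# The ASA's outside interface gets 192.168.250.2/30 with default gateway
# 192.168.250.1 (configured on the ASA, not shown here).
/ip address
add address=192.168.250.1/30 interface=ether24 comment="link to client ASA"

# The CRS must answer for the public IP that is mapped to the ASA, so add it
# as a secondary address on the WAN interface. It falls inside the /29 that
# the upstream already routes to ether1, so no extra routing is needed.
/ip address
add address=203.0.113.12/29 interface=ether1 comment="public IP mapped to ASA"

# One-to-one NAT: anything arriving for 203.0.113.12 is handed to the ASA,
# and anything the ASA originates leaves as 203.0.113.12.
# Both rules must sit ABOVE the general masquerade rule in their chains,
# otherwise the ASA's outbound IKE packets get masqueraded with the CRS's
# own WAN address and the remote peer sees the wrong source IP.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.12 action=dst-nat \
    to-addresses=192.168.250.2 comment="1:1 NAT to ASA (inbound)"
add chain=srcnat src-address=192.168.250.2 action=src-nat \
    to-addresses=203.0.113.12 comment="1:1 NAT to ASA (outbound)"

# If the forward chain drops by default, explicitly permit what the tunnel
# needs to reach the ASA: IKE on UDP/500, NAT-T on UDP/4500, and ESP for the
# case where the peers do not end up using UDP encapsulation. Place these
# above any generic forward drop rule.
/ip firewall filter
add chain=forward dst-address=192.168.250.2 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE and NAT-T to client ASA"
add chain=forward dst-address=192.168.250.2 protocol=ipsec-esp \
    action=accept comment="raw ESP to client ASA"

# Checks once the far end starts negotiating:
# - confirm rule order (1:1 rules above masquerade, accepts above drops):
#   /ip firewall nat print
#   /ip firewall filter print chain=forward
# - confirm UDP/4500 is being translated to the ASA:
#   /ip firewall connection print where dst-address~"192.168.250.2"
#   /tool sniffer quick interface=ether24 port=4500
```

Two caveats a practitioner would check before blaming the MikroTik. First, with this layout the remote site must be given 203.0.113.12 as the ASA's peer address, and both ends must have NAT traversal enabled, since the ASA's own outside address is private; on ASA software of that era this is the `crypto isakmp nat-traversal` command, which the client's administrator would set. Second, the transfer /30 and the mapped public IP are the only things the CRS needs; the client's LAN stays entirely behind the ASA, which is what keeps their traffic segregated from the rest of the building.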