astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Cisco Umbrella IPS Deployment

Wed May 04, 2022 11:07 pm

I have a customer with three locations; they have 6 routers, two at each site.
We have a Metro-E deployed between the sites for site-to-site traffic without a VPN. We also have a separate Internet connection at each site. The reason they have two routers at each site is because they didn't want an outage if one of the routers quit working.

Cisco Umbrella IPS uses an IPsec tunnel. They want you to direct all Internet traffic through the IPsec tunnel.
I could do this by making the destination address on the IPsec policy 0.0.0.0/0;
however, this kills everything. None of my internal routes work.
Any ideas on how to make the traffic go out the IPsec tunnel but not kill all of the internal traffic?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cisco Umbrella IPS Deployment

Wed May 04, 2022 11:45 pm

Exclude internal traffic using IPSec policies with action=none.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Cisco Umbrella IPS Deployment

Wed May 04, 2022 11:46 pm

@astuke, please provide some more detailed info regarding the network topology, preferably using a network diagram, as well as what kind of equipment is in use, the L2/L3 config, tunnels, etc. Also, you need to be more specific regarding what you mean by "how to make the traffic go out the IPSEC but not kill all of the internal traffic", but maybe Sob got you the correct answer.
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Wed May 04, 2022 11:55 pm

Sorry, I was working on finding that diagram and got side tracked.

Each site has its own Internet; it needs all Internet traffic to go to the tunnel for Umbrella, and then to the Internet. Each site would have an Umbrella tunnel.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Cisco Umbrella IPS Deployment

Thu May 05, 2022 12:10 am

Are all Cisco boxes?
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Thu May 05, 2022 12:57 am

All of the routers are MikroTik.
 
danletkeman
Member Candidate
Posts: 110
Joined: Mon Oct 18, 2004 5:42 pm

Re: Cisco Umbrella IPS Deployment

Thu May 05, 2022 8:56 pm

Do you have a default route on each router currently? Do you have a routing protocol running on the network currently?
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Thu May 05, 2022 10:54 pm

It's OSPF.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Cisco Umbrella IPS Deployment

Thu May 05, 2022 11:52 pm

Hi again @astuke, instead of answering one question at a time I think you will get better help if you firstly give an overall picture with essential information about for example the network topology and secondly try to be more precise regarding the specific issue you want to solve.

Also btw, the subject line is somewhat misleading as this doesn't appear to be related to Cisco at all.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 8:13 am

I'm sure that your network administrator can figure this out!
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 2:57 pm

Cisco Umbrella is the product I'm dealing with; it's using a cloud-based IPS policy to watch all of the IPs on the network as they try to access the Internet.
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 2:58 pm

Exclude internal traffic using IPSec policies with action=none.
what does this do exactly?
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 3:05 pm

Hi again @astuke, instead of answering one question at a time I think you will get better help if you firstly give an overall picture with essential information about for example the network topology and secondly try to be more precise regarding the specific issue you want to solve.

Also btw, the subject line is somewhat misleading as this doesn't appear to be related to Cisco at all.
Cisco Umbrella is the product; I'm not sure how this is misleading. I apologize, I just assumed we knew I meant MikroTiks since I was in the MikroTik forum. I can be more specific next time. They need an IPsec tunnel to them in order for them to make their IPS product work. All Internet traffic from the LAN needs to go out the corresponding IPsec tunnel to Cisco Umbrella. If I try to do this on the IPsec tunnel by making the destination 0.0.0.0/0, it tries to send everything across the tunnel, so my internal routes no longer work.

https://docs.umbrella.com/umbrella-user ... cs/tunnels
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 5:00 pm

@astuke, please provide some more detailed info regarding the network topology, preferably using a network diagram, as well as what kind of equipment is in use, the L2/L3 config, tunnels, etc. Also, you need to be more specific regarding what you mean by "how to make the traffic go out the IPSEC but not kill all of the internal traffic", but maybe Sob got you the correct answer.
Maybe so; I still don't understand exactly what that does. I can do some testing.

Specifies what to do with packet matched by the policy.
none - pass the packet unchanged.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cisco Umbrella IPS Deployment

Fri May 06, 2022 11:44 pm

Let's say you have a policy to route everything from local subnet 10.0.1.0/24 via the tunnel:
/ip ipsec policy
add peer=<peer> src-address=10.0.1.0/24 dst-address=0.0.0.0/0 tunnel=yes action=encrypt
It works great until you need to access another local subnet, 10.0.2.0/24. You'll find out that traffic doesn't go there, because IPsec takes it. But you can add another policy before that one:
/ip ipsec policy
add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 action=none
And good news, now it works and you can access local 10.0.2.0/24.
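A fuller version of Sob's approach for one of the three sites, as an added example that is not from the thread: the bypass entries for the other sites' subnets and the Metro-E transit network (10.0.2.0/24, 10.0.3.0/24 and 172.16.0.0/24 are constructed addresses) are added before the 0.0.0.0/0 catch-all, and the peer name "umbrella" is assumed.

```routeros
# Added example, not from the thread. Site 1 router; LAN 10.0.1.0/24.
# Assumed: site 2 LAN 10.0.2.0/24, site 3 LAN 10.0.3.0/24,
# Metro-E transit 172.16.0.0/24, IPsec peer named "umbrella".

# 1. Bypass policies go FIRST. Policies are matched in table order, so
#    internal destinations must sit above the catch-all; action=none
#    leaves the packet to normal routing (the OSPF routes over Metro-E).
/ip ipsec policy
add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 action=none comment="site 2 LAN, stays internal"
add src-address=10.0.1.0/24 dst-address=10.0.3.0/24 action=none comment="site 3 LAN, stays internal"
add src-address=10.0.1.0/24 dst-address=172.16.0.0/24 action=none comment="Metro-E transit, stays internal"

# 2. Catch-all goes LAST: everything else from the LAN is encrypted to Umbrella.
add peer=umbrella src-address=10.0.1.0/24 dst-address=0.0.0.0/0 tunnel=yes action=encrypt comment="Internet via Umbrella"

# 3. Check: the action=none entries must print above the 0.0.0.0/0 entry.
/ip ipsec policy print
```

The same set, with the local subnet swapped, belongs on both routers at each site, since a redundant router without the bypass entries will pull internal traffic into the tunnel the moment it takes over.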
 
astuke
newbie
Topic Author
Posts: 41
Joined: Mon Jun 30, 2008 11:02 pm

Re: Cisco Umbrella IPS Deployment

Sat May 07, 2022 12:33 am

Ok, awesome, that makes perfect sense now.
