MikroTik router to CISCO PIX Firewall IPSEC

From MikroTik Wiki

Cisco PIX Firewall (PIX OS 6.3 syntax; the example as written uses single DES and MD5, which only illustrate the structure — use stronger algorithms where the platform and the RouterOS peer support them)

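    PIX Version 6.3(5)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    !
    !--- Create access list that matches traffic that should be encrypted:
    !--- local LAN 172.22.2.0/24 to the LAN behind the RouterOS device, 172.22.1.0/24.
    !--- NOTE: the original listing had 172.22.2.0/24 as both source AND destination,
    !--- which never matches traffic bound for the RouterOS LAN, so nothing would be
    !--- encrypted. The destination must be the remote network - the same pair of
    !--- networks used in the "nonat" list below.
    access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0 
    !
    !---  Create access list that matches traffic that should not be NATed (traffic to RouterOS device)
    access-list nonat permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0 
    !
    !--- Interface addressing
    ip address outside 10.0.0.2 255.255.255.252
    ip address inside 172.22.2.1 255.255.255.0
    !
    !--- Configuring NAT: everything else from the inside LAN is PATed to the outside address
    global (outside) 1 10.0.0.2
    !
    !--- Do not make NAT for traffic to RouterOS device. The exemption (nat 0) is what
    !--- keeps the inside source address unchanged so that it still matches "myacl".
    nat (inside) 0 access-list nonat
    nat (inside) 1 172.22.2.0 255.255.255.0 0 0
    !
    route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
    !
    !--- Let decrypted IPsec traffic bypass the outside interface access list.
    !--- Security note: this trusts everything that arrives through the tunnel. If the
    !--- remote LAN should only reach specific hosts/ports, omit this line and permit
    !--- the tunnelled traffic explicitly in the outside interface ACL instead.
    sysopt connection permit-ipsec
    !
    !--- Create IPsec transform set - transformations that should be applied to
    !--- traffic - ESP encryption with DES and ESP authentication with SHA1
    !--- This must match "/ip ipsec proposal" on RouterOS.
    !--- Security note: single DES (56-bit key) is obsolete. Prefer esp-3des or esp-aes
    !--- with esp-sha-hmac where the PIX image/licence supports them, and change the
    !--- RouterOS proposal to the same algorithms.
    crypto ipsec transform-set myset esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 1800  
    !
    !--- Create crypto map that will use transform set "myset", use peer 10.0.0.1
    !--- (the RouterOS address on the 10.0.0.0/30 link - same address as the preshared
    !--- key below) to establish SAs and encapsulate traffic, and use access-list myacl
    !--- to match traffic that should be encrypted.
    !--- No PFS is configured here; if the RouterOS proposal has a PFS group set, add
    !--- "crypto map mymap 21 set pfs group2" (or the matching group) or phase 2 will fail.
    crypto map mymap 21 ipsec-isakmp
    crypto map mymap 21 match address myacl
    crypto map mymap 21 set peer 10.0.0.1 
    crypto map mymap 21 set transform-set myset
    crypto map mymap interface outside
    !
    !--- Configure ISAKMP policy (phase1 config, must match configuration
    !--- of "/ip ipsec peer" on RouterOS).
    isakmp enable outside
    !--- Add preshared key to be used when talking to RouterOS.
    !--- The value here is only an example: use a long random secret, bind it to the
    !--- single peer address (netmask 255.255.255.255, as below) and never reuse it.
    isakmp key gvejimezyfopmekun address 10.0.0.1 netmask 255.255.255.255 
    isakmp identity address
    isakmp policy 20 authentication pre-share
    !--- Security note: DES + MD5 for phase 1 are weak; prefer 3des/aes and sha.
    !--- Whatever is chosen, the RouterOS peer must use the same algorithms and DH group.
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    : end 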

Cisco Router (IOS) — the same tunnel configured on a Cisco IOS router instead of a PIX

    !--- Configure ISAKMP policy (phase1 config, must match configuration
    !--- of "/ip ipsec peer" on RouterOS). Note that DES is default 
    !--- encryption algorithm on Cisco. SHA1 is default authentication
    !--- algorithm
    crypto isakmp policy 20
      authentication pre-share
      hash md5
      exit
    !
    !--- Add preshared key to be used when talking to RouterOS
    crypto isakmp key gvejimezyfopmekun address 10.0.0.1
    !         
    ! Create IPsec transform set - transformations that should be applied to
    ! traffic - ESP encryption with DES and ESP authentication with SHA1
    ! This must match "/ip ipsec proposal"
    crypto ipsec transform-set myset esp-des esp-sha-hmac
      mode tunnel                                        
      exit 
    !
    !
    !--- Create crypto map that will use transform set "myset", use peer 10.0.1.1
    !--- to establish SAs and encapsulate traffic and use access-list 101 to
    !--- match traffic that should be encrypted
    crypto map mymap 10 ipsec-isakmp
      set peer 10.0.1.1
      set transform-set myset
      set pfs group2
      match address 101
      exit
    !
    !
    !--- And finally apply crypto map to outside interface
    interface Ethernet0
    ip address 10.0.0.1 255.255.255.252
    no ip directed-broadcast
    ip nat outside
    crypto map mymap
    !
    interface Ethernet1
    ip address 172.22.2.1 255.255.255.0
    no ip directed-broadcast
    ip nat inside
    !
    !
    !--- Create NAT pool
    ip nat pool mypool 10.0.0.2 10.0.0.2 netmask 255.255.255.252
    !
    !--- Do not make NAT for traffic to RouterOS device
    ip nat inside source route-map nonat pool mypool overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    !
    !---  Create access list that matches traffic that should be encrypted (traffic to RouterOS device)
    access-list 101 permit ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255
    !
    !---  Create access list that matches traffic that should not be NATed (traffic to RouterOS device):
    access-list 102 deny   ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255
    access-list 102 permit ip 172.22.2.0 0.0.0.255 any
    !
    !--- Create route-map for traffic that should be NATed
    route-map nonat permit 10
    match ip address 102
    !         
    end