MikroTik router to CISCO PIX Firewall IPSEC
From MikroTik Wiki
MikroTik Router
Add accept and masquerading rules in SRC-NAT
[admin@Mikrotik] > ip firewall nat add chain=srcnat src-address=172.22.1.0/24 \
\... dst-address=172.22.2.0/24 action=accept
[admin@Mikrotik] > ip firewall nat add chain=srcnat out-interface=public \
\... action=masquerade
Add the peer (with phase 1 configuration parameters); DES and SHA1 will be used to protect IKE traffic on the MikroTik router
[admin@MikroTik] > ip ipsec peer add address=10.0.1.2 \
\... secret="gvejimezyfopmekun" enc-algorithm=des
Set the encryption proposal (phase 2 proposal: the settings used to encrypt the actual data) to use DES for data encryption on the MikroTik router
[admin@MikroTik] > ip ipsec proposal set default enc-algorithms=des
Add a policy rule that matches traffic between the two subnets and requires ESP encryption in tunnel mode on the MikroTik router
[admin@MikroTik] > ip ipsec policy add \
\... src-address=172.22.1.0/24 dst-address=172.22.2.0/24 action=encrypt \
\... tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2
Cisco PIX Firewall
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
!
!--- Create access list that matches traffic that should be encrypted (traffic to RouterOS device)
access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0
!
!--- Create access list that matches traffic that should not be NATed (traffic to RouterOS device)
access-list nonat permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0
!
!--- Configuring NAT
ip address outside 10.0.0.2 255.255.255.252
ip address inside 172.22.2.1 255.255.255.0
!
global (outside) 1 10.0.0.2
!
!--- Do not make NAT for traffic to RouterOS device
nat (inside) 0 access-list nonat
nat (inside) 1 172.22.2.0 255.255.255.0 0 0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
sysopt connection permit-ipsec
!
!--- Create IPsec transform set - transformations that should be applied to
!--- traffic - ESP encryption with DES and ESP authentication with SHA1
!--- This must match "/ip ipsec proposal"
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
!
!--- Create crypto map that will use transform set "myset", use peer 10.0.1.1
!--- to establish SAs and encapsulate traffic and use access-list myacl to
!--- match traffic that should be encrypted
crypto map mymap 21 ipsec-isakmp
crypto map mymap 21 match address myacl
crypto map mymap 21 set peer 10.0.0.1
crypto map mymap 21 set transform-set myset
crypto map mymap interface outside
!
!--- Configure ISAKMP policy (phase1 config, must match configuration
!--- of "/ip ipsec peer" on RouterOS).
isakmp enable outside
!--- Add preshared key to be used when talking to RouterOS
isakmp key gvejimezyfopmekun address 10.0.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
: end
Cisco Router
!--- Configure ISAKMP policy (phase1 config, must match configuration
!--- of "/ip ipsec peer" on RouterOS). Note that DES is default
!--- encryption algorithm on Cisco. SHA1 is default authentication
!--- algorithm
crypto isakmp policy 20
authentication pre-share
hash md5
exit
!
!--- Add preshared key to be used when talking to RouterOS
crypto isakmp key gvejimezyfopmekun address 10.0.0.1
!
!--- Create IPsec transform set - transformations that should be applied to
!--- traffic - ESP encryption with DES and ESP authentication with SHA1
!--- This must match "/ip ipsec proposal"
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode tunnel
exit
!
!
!--- Create crypto map that will use transform set "myset", use peer 10.0.1.1
!--- to establish SAs and encapsulate traffic and use access-list 101 to
!--- match traffic that should be encrypted
crypto map mymap 10 ipsec-isakmp
set peer 10.0.1.1
set transform-set myset
set pfs group2
match address 101
exit
!
!
!--- And finally apply crypto map to outside interface
interface Ethernet0
ip address 10.0.0.1 255.255.255.252
no ip directed-broadcast
ip nat outside
crypto map mymap
!
interface Ethernet1
ip address 172.22.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
!
!--- Create NAT pool
ip nat pool mypool 10.0.0.2 10.0.0.2 netmask 255.255.255.252
!
!--- Do not make NAT for traffic to RouterOS device
ip nat inside source route-map nonat pool mypool overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!--- Create access list that matches traffic that should be encrypted (traffic to RouterOS device)
access-list 101 permit ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255
!
!--- Create access list that matches traffic that should not be NATed (traffic to RouterOS device):
access-list 102 deny ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 102 permit ip 172.22.2.0 0.0.0.255 any
!
!--- Create route-map for traffic that should be NATed
route-map nonat permit 10
match ip address 102
!
end
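The crypto ACL on the Cisco side and the policy on the RouterOS side describe the same tunnel from opposite ends, so they must mirror each other exactly or phase 2 never completes. The following is an added Python check, not code from the wiki page or from either vendor, that parses a RouterOS `/ip ipsec policy` line and a PIX (subnet-mask) or IOS (wildcard-mask) `access-list` entry and confirms the mirror; the sample lines are constructed from the addresses used above.

```python
import ipaddress
import re

# Constructed sample lines, shaped like this page's configs (RouterOS
# continuation prompts joined into one line).
ROS_POLICY = ("ip ipsec policy add src-address=172.22.1.0/24 "
              "dst-address=172.22.2.0/24 action=encrypt tunnel=yes "
              "sa-src=10.0.1.1 sa-dst=10.0.1.2")
# PIX ACLs use subnet masks; IOS extended ACLs use wildcard (inverse) masks.
PIX_ACL = "access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.1.0 255.255.255.0"
IOS_ACL = "access-list 101 permit ip 172.22.2.0 0.0.0.255 172.22.1.0 0.0.0.255"
# Constructed mistyped entry: destination repeats the PIX's own subnet, so
# nothing bound for the RouterOS side ever matches the crypto map.
BAD_PIX_ACL = "access-list myacl permit ip 172.22.2.0 255.255.255.0 172.22.2.0 255.255.255.0"


def parse_ros_policy(line):
    """Return (src, dst) networks from a RouterOS /ip ipsec policy line."""
    kv = dict(re.findall(r"(\S+)=(\S+)", line))
    return (ipaddress.ip_network(kv["src-address"]),
            ipaddress.ip_network(kv["dst-address"]))


def parse_cisco_acl(line, wildcard=False):
    """Return (src, dst) networks from a Cisco 'permit ip A mask B mask' entry.

    wildcard=True converts IOS wildcard masks to netmasks explicitly, because
    ipaddress would misread edge cases such as a 0.0.0.0 host wildcard.
    """
    fields = line.split()
    i = fields.index("ip")
    src, src_mask, dst, dst_mask = fields[i + 1:i + 5]

    def to_net(addr, mask):
        if wildcard:
            mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    return to_net(src, src_mask), to_net(dst, dst_mask)


def selectors_mirror(ros_line, cisco_line, wildcard=False):
    """True when the Cisco crypto ACL exactly mirrors the RouterOS policy:
    Cisco source == RouterOS destination and Cisco destination == RouterOS
    source. Anything else means the peers disagree on traffic selectors."""
    r_src, r_dst = parse_ros_policy(ros_line)
    c_src, c_dst = parse_cisco_acl(cisco_line, wildcard)
    return c_src == r_dst and c_dst == r_src
```

Run `selectors_mirror` against every ACL entry referenced by the crypto map before bringing the tunnel up; a mismatched entry is the most common reason a PIX-to-RouterOS tunnel shows phase 1 established but passes no traffic.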
Written by ShadOS.