The reason why I want to do this is

that one of the routers uses a host in the LAN across the IPsec tunnel as DNS forwarder and NTP server.

It is connection to our branch office and there is no server on that side.

So that it has to use main DNS server of our Windows domain.

I have tried

access-list acl_encrypt permit ip host xxx.xxx.xxx.xxx 172.27.128.0 255.255.240.0

on one side and appropriate

/ip ipsec policy

on MikroTik side but it does not work.

When pinging

from 172.27.128.1 to 172.27.0.1, it works, I can see SA being generated on MikroTik side, 2 packets are rejected and rest of ICMP go through,

from yyy.yyy.yyy.yyy to 172.27.0.1 it does not work, I can see SA being generated on MikroTik side, 2 packets are rejected and then I can see timeouts only.

I can see ISAKMP SAs generated on both sides, same for IPsec SAs,

I can see 2 IPsec SAs,

172.27.128.1/20 to 172.27.0.1/20, inbound/outbound pair

yyy.yyy.yyy.yyy/32 to 172.27.0.1/20 inbound/outbound pair

But connection does not work!

May it be routing problem?

If you could see phase 2 IPSec SA on both sides, could you please check if decrypt/encrypt count is incrementing at both sides?

If it is routing issue, it must be on the other side since from cisco side we have the same destination.

There might be a NAT issue as well. But I am not 100% sure, could you take a look at your ASA log (in debugging level) when you issue the ping? It might give us some clue.

Good point!

Detailed configuration (WAN IPs changed due to company policy)

Cisco ASA WAN: 1.1.1.1, LAN 172.27.0.1/20

MikroTik WAN: 2.2.2.2, LAN 172.27.128.1/20

When I ping from 172.27.0.1/20 to 172.27.128.1/20 (or from other direction)
it works fine and I can see SAs being established
and packet/bytes counters for these SAs being incremented on both sided.

But when I ping from MikroTik 2.2.2.2 to 172.27.0.1, I can see unique SAs
for these peers being established, on MikroTik side I can see bytes counter
for outgoing traffic being increased but not incomming traffic counter being increased.

On Cisco ASA 1.1.1.1 side I can see #pkts decrypt counter being increased
but NOT #pkts encrypt being increased.

When I ping from Cisco ASA 1.1.1.1 to 172.27.128.1
I can see  #pkts encrypt counter is NOT being increased
and byte counters NOT being increased on the other side of IPsec tunnel
(which is clear when no data enters the tunnel on originating side).

It is clear that there is some issue on Cisco ASA side but I am lost and don't know what.
I am much more skilled in MikroTik RouterOS than in Cisco ASA setup.

I would appreciate any clue... Thanks!

In my lab, I can ping from ASA to remote site through the tunnel by using ASA outside interface IP without problem.

Can you post the following info?

- asa config

- when you run the testing, collect the following info

  ASA log

  show crypto ipsec sa peer detail

Here you have Cisco ASA config file. I have previous experience with IOS only, no ASA
so maybe not everything is OK. Any comment or advice is welcome (not only to the issue)!

ASA Version 8.0(3)
!
hostname asa
domain-name company.local
enable password ***** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.27.0.1 255.255.240.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ***** encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asa803-19-k8.bin
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.27.1.1
domain-name company.local
same-security-traffic permit intra-interface
object-group icmp-type og_icmp_permit
icmp-object echo-reply
icmp-object unreachable
icmp-object source-quench
icmp-object time-exceeded
icmp-object parameter-problem
access-list acl_encrypt extended permit ip 172.27.0.0 255.255.240.0 172.27.128.0 255.255.240.0
access-list acl_encrypt extended permit ip host 1.1.1.1 172.27.128.0 255.255.240.0
access-list acl_inbound_outside extended permit icmp any any object-group og_icmp_permit
access-list acl_no_nat_inside extended permit ip 172.27.0.0 255.255.240.0 172.27.112.0 255.255.255.0
access-list acl_no_nat_inside extended permit ip 172.27.0.0 255.255.240.0 172.27.128.0 255.255.240.0
access-list acl_no_nat_inside extended permit ip host 1.1.1.1 172.27.112.0 255.255.255.0
access-list acl_no_nat_inside extended permit ip host 1.1.1.1 172.27.128.0 255.255.240.0
access-list acl_tunnel_ra_users extended permit ip 172.27.0.0 255.255.240.0 any
access-list acl_tunnel_ra_users extended permit ip 172.27.112.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool iplp_ra_users 172.27.112.1-172.27.112.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 3 burst-size 3
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inbound_outside in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server as_ias_group protocol radius
reactivation-mode timed
max-failed-attempts 5
aaa-server as_ias_group host 172.27.1.1
key *****
aaa-server as_ias_group host 172.27.1.2
key *****
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http ***** 255.255.255.255 inside
http ***** 255.255.255.255 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts_esp_aes_256_sha esp-aes-256 esp-sha-hmac
crypto dynamic-map cdm_outside 10 set pfs group5
crypto dynamic-map cdm_outside 10 set transform-set ts_esp_aes_256_sha
crypto dynamic-map cdm_outside 10 set security-association lifetime seconds 3600
crypto dynamic-map cdm_outside 10 set security-association lifetime kilobytes 1048576
crypto map cm_outside 10 match address acl_encrypt
crypto map cm_outside 10 set pfs group5
crypto map cm_outside 10 set peer 2.2.2.2
crypto map cm_outside 10 set transform-set ts_esp_aes_256_sha
crypto map cm_outside 10 set security-association lifetime seconds 3600
crypto map cm_outside 10 set security-association lifetime kilobytes 1048576
crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_outside
crypto map cm_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp nat-traversal 60
telnet timeout 3
ssh ***** 255.255.255.255 inside
ssh ***** 255.255.255.255 inside
ssh ***** 255.255.255.255 outside
ssh ***** 255.255.255.255 outside
ssh timeout 10
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
ntp server 172.27.1.1 prefer
ntp server 195.113.144.201
ntp server 195.113.144.238
group-policy gp_ra_users internal
group-policy gp_ra_users attributes
dns-server value 172.27.1.1 172.27.1.2
vpn-tunnel-protocol IPSec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_tunnel_ra_users
default-domain value company.local
username ***** password ***** encrypted
username ***** password ***** encrypted
username ***** password ***** encrypted
username ***** password ***** encrypted
username ***** password ***** encrypted
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
tunnel-group tg_ra_users_01 type remote-access
tunnel-group tg_ra_users_01 general-attributes
address-pool iplp_ra_users
authentication-server-group as_ias_group
default-group-policy gp_ra_users
password-management
tunnel-group tg_ra_users_01 ipsec-attributes
pre-shared-key *****
tunnel-group tg_ra_users_01 ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect icmp error
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
: end

Here is IPsec SAs details:

peer address: 2.2.2.2
Crypto map tag: cdm_outside, seq num: 10, local addr: 1.1.1.1

local ident (addr/mask/prot/port): (172.27.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 2.2.2.2

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3391, #pkts decrypt: 3391, #pkts verify: 3391
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 03DF2B4E

inbound esp sas:
spi: 0xEDA33A35 (3986897461)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 4452352, crypto-map: cdm_outside
sa timing: remaining key lifetime (sec): 2003
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x03DF2B4E (64957262)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 4452352, crypto-map: cdm_outside
sa timing: remaining key lifetime (sec): 2003
IV size: 16 bytes
replay detection support: Y

Crypto map tag: cm_outside, seq num: 10, local addr: 1.1.1.1

access-list acl_encrypt permit ip 172.27.0.0 255.255.240.0 172.27.128.0 255.255.240.0
local ident (addr/mask/prot/port): (172.27.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (172.27.128.0/255.255.240.0/0/0)
current_peer: 2.2.2.2

#pkts encaps: 78205, #pkts encrypt: 78205, #pkts digest: 78205
#pkts decaps: 114536, #pkts decrypt: 114536, #pkts verify: 114536
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 78205, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 074F3BCD

inbound esp sas:
spi: 0x1D2DB776 (489535350)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 4452352, crypto-map: cm_outside
sa timing: remaining key lifetime (sec): 1994
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x074F3BCD (122633165)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 4452352, crypto-map: cm_outside
sa timing: remaining key lifetime (sec): 1994
IV size: 16 bytes
replay detection support: Y

I know there will be some simple "stupid" issue but I watch it again and again
but I am blind to it already...

Thank you for your help in advance!

In your "show crypto ipsec sa" output, I did not see any SA related to the following, I am not sure if you modified the IP incorrectly.

access-list acl_encrypt extended permit ip host 1.1.1.1 172.27.128.0 255.255.240.0

I was suspecting the NAT, but after I applied the similar NAT config in my lab setup, my vpn just worked fine.

Could you please change your logging buffer to debuggging level? and then collect the log after you try to ping 172.27.128.x from this ASA.

Output of

show crypto ipsec sa

was not modified, public IP addresses were changed by search & replace only.

[admin@MikroTik] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=172.27.128.0/20:any dst-address=172.27.0.0/20:any protocol=all action=encrypt level=unique
     ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=aes-256-sha1-dh5
     priority=0

1   src-address=2.2.2.2/32:any dst-address=172.27.0.0/20:any protocol=all action=encrypt level=unique
     ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=aes-256-sha1-dh5

I have enabled debug logging on MikroTik device and when I tried to ping from Cisco ASA (using WAN interface) to LAN behind MikroTik (172.27.128.2) I was getting this error message:

00:46:04 ipsec respond new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
00:46:04 ipsec no policy found: 1.1.1.1/32[0] 172.27.128.0/20[0] proto=any dir=in
00:46:04 ipsec failed to get proposal for responder.
00:46:04 ipsec failed to pre-process packet.
00:46:12 ipsec respond new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
00:46:12 ipsec no policy found: 1.1.1.1/32[0] 172.27.128.0/20[0] proto=any dir=in
00:46:12 ipsec failed to get proposal for responder.
00:46:12 ipsec failed to pre-process packet.
00:46:20 ipsec respond new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
00:46:20 ipsec no policy found: 1.1.1.1/32[0] 172.27.128.0/20[0] proto=any dir=in
00:46:20 ipsec failed to get proposal for responder.
00:46:20 ipsec failed to pre-process packet.

And this is what I get on Cisco side:

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 12726688 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 12726351 messages logged
10 01:01:29: %ASA-3-305005: No translation group found for udp src outside:2.2.2.2/123 dst inside:172.27.1.1/123
Dec 21 2010 01:01:29: %ASA-7-609002: Teardown local-host inside:172.27.1.1 duration 0:00:00
Dec 21 2010 01:01:41: %ASA-7-609002: Teardown local-host outside:65.55.227.154 duration 0:01:05
Dec 21 2010 01:01:44: %ASA-7-609001: Built local-host inside:172.27.1.1
Dec 21 2010 01:01:44: %ASA-3-305005: No translation group found for udp src outside:2.2.2.2/123 dst inside:172.27.1.1/123
Dec 21 2010 01:01:44: %ASA-7-609002: Teardown local-host inside:172.27.1.1 duration 0:00:00
Dec 21 2010 01:01:48: %ASA-3-713902: Group = 2.2.2.2, IP = 2.2.2.2, QM FSM error (P2 struct &0xd5557438, mess id 0x92bbbc4a)!
Dec 21 2010 01:01:48: %ASA-7-715065: Group = 2.2.2.2, IP = 2.2.2.2, IKE QM Initiator FSM error history (struct &0xd5557438)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Dec 21 2010 01:01:48: %ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
Dec 21 2010 01:01:48: %ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Dec 21 2010 01:01:48: %ASA-1-713900: Group = 2.2.2.2, IP = 2.2.2.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Dec 21 2010 01:01:48: %ASA-7-715009: Group = 2.2.2.2, IP = 2.2.2.2, IKE Deleting SA: Remote Proxy 172.27.128.0, Local Proxy 1.1.1.1
Dec 21 2010 01:01:48: %ASA-3-713902: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
Dec 21 2010 01:01:48: %ASA-7-715077: Pitcher: received key delete msg, spi 0xe130b9a9
Dec 21 2010 01:01:55: %ASA-7-609001: Built local-host outside:172.27.128.1
Dec 21 2010 01:01:55: %ASA-6-302020: Built inbound ICMP connection for faddr 172.27.128.1/1001 gaddr 172.27.1.1/0 laddr 172.27.1.1/0
Dec 21 2010 01:01:55: %ASA-6-302021: Teardown ICMP connection for faddr 172.27.128.1/1001 gaddr 172.27.1.1/0 laddr 172.27.1.1/0
Dec 21 2010 01:01:55: %ASA-7-609002: Teardown local-host outside:172.27.128.1 duration 0:00:00
Dec 21 2010 01:01:56: %ASA-7-609001: Built local-host outside:172.27.128.1
Dec 21 2010 01:01:56: %ASA-6-302020: Built inbound ICMP connection for faddr 172.27.128.1/1001 gaddr 172.27.1.1/0 laddr 172.27.1.1/0
Dec 21 2010 01:01:56: %ASA-6-302021: Teardown ICMP connection for faddr 172.27.128.1/1001 gaddr 172.27.1.1/0 laddr 172.27.1.1/0
Dec 21 2010 01:01:56: %ASA-7-609002: Teardown local-host outside:172.27.128.1 duration 0:00:00
Dec 21 2010 01:01:59: %ASA-7-609001: Built local-host inside:172.27.1.1
Dec 21 2010 01:01:59: %ASA-3-305005: No translation group found for udp src outside:2.2.2.2/123 dst inside:172.27.1.1/123
Dec 21 2010 01:01:59: %ASA-7-609002: Teardown local-host inside:172.27.1.1 duration 0:00:00

So it is clear there is some misconfiguration in IPsec policies.

But I don't know where... I still cannot see it... even now when it has to be clear...

First, I would like to clarify what you would like to implement.

Per my understanding, you try to let traffic initiated from 1.1.1.1 (ASA outside IP) to Network "172.27.128.0 255.255.240.0" (which is behind MikroTik)

If yes, ASA setup is correct. But on MikroTik, you need setup a IPSec policy for traffic with source IP "172.27.128.0 255.255.240.0" to destination 1.1.1.1.

Currently, on MikroTik, you have the below policy which is for traffic from MikroTik wan IP to the network behind ASA.

1   src-address=2.2.2.2/32:any dst-address=172.27.0.0/20:any protocol=all action=encrypt level=unique
     ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=aes-256-sha1-dh5

If you need 2.2.2.2 to access 172.27.0.0/20 network, you need add one more entry in crypto ACL on ASA like "permit ip 172.27.0.0 255.255.240.0 host 2.2.2.2" to match the above policy in MikroTik.

Sorry for "Christmas delay"...

I'm back to continue with troubleshooting...

Here you have my setup:

With my current setup I can access one LAN from another over IPsec tunnel (172.27.0.0/20 <> 172.27.128.0/20)
What I would like to achieve is that MikroTik will use 172.27.1.1 as a DNS forwarder and NTP server.

When I set it up I can traffic 2.2.2.2 > 172.27.1.1 in MikroTik log.

I have NAT rule that bypass this traffic from NATting on MikroTik side

as well as IPsec rule to tunnel 2.2.2.2 to 172.27.0.0/20 traffic using unique SAs.
I can see byte counter of outgoing SA being incremented when I try to ping

from MikroTik WAN interface (2.2.2.2) to 172.27.1.1.

But I get no reply, incoming SA byte counter is not incremented.

Now I have found I can see this in Cisco logging buffer:

Jan 01 2011 14:31:58: %ASA-3-305005: No translation group found for icmp src outside:2.2.2.2 dst inside:172.27.1.1 (type 8, code 0)

Jan 01 2011 14:38:46: %ASA-3-305005: No translation group found for udp src outside:2.2.2.2/123 dst inside:172.27.1.1/123

I guess NAT on Cisco side is the root for the issue.

But because I am not too familiar with Cisco NAT logic I think I still need help...

I would setup access from Cisco ASA (1.1.1.1) to other LAN (172.27.128.0/20) "as a bonus" as well then,
it could be useful e.g. for troubleshooting

For the traffic from 2.2.2.2 to 172.27.1.1, you need to bypass it from NAT translation on ASA.

Please add the following,

access-list acl_no_nat_inside extended permit ip host 172.27.1.1 host 2.2.2.2

Yes, with this setup specific communication (2.2.2.2 to 172.27.1.1) works fine, thanks.

But then I cannot reach 2.2.2.2 from 172.27.1.1 when IPsec tunnel is down.

Anyhow, it can be price that can be paid.

But I just now I have found much simplier solution,
elegant and exactly one that fulfil all my needs, routing.

I can't understand why I did not come with this before
because I use it on other MikroTik devices already!

On MikroTik side (2.2.2.2) I set up routing (line 2):

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
  #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
  0 ADS  0.0.0.0/0                          2.2.2.1            1
  1 ADC  172.27.128.0/20    172.27.128.1    lan                0
2 A S  172.27.0.0/20      172.27.128.1    lan                1

so that MikroTik, when trying to reach 172.27.0.0/20, will use its LAN IP address,
172.27.128.1, instead of default route and its public IP address.

Who can I set this up on the Cisco ASA?
So that outgoing traffic from Cisco ASA to 172.27.128.0/20 will leave ASA with its LAN IP (172.27.0.1)
and not WAN IP (1.1.1.1)?

route outside 0.0.0.0 0.0.0.0 1.1.1.254 1

route inside 172.27.128.0 255.255.240.0 172.27.0.1

does not do its job...

Anyhow, thank you very much for your patient help...!