Dear Sir,
I still don't understand it. You said I have a problem with the IP address.
I want to verify it again:
For AD server
IP: 192.168.20.22
Secret: 123456
For Mikrotik Ethernet:
Public: 192.168.20.15
GW: 192.168.20.8
DNS: 192.168.20.23
Local: 10.10.10.1
I didn't say you definitely have a problem with IP addresses, I suggested you check for that. I can't see your router configuration and IAS configuration so all I can do is guess. What did you set as the NAS IP address on IAS?
For NAT I set: ip firewall nat>add chain=srcnat action=masquerade src-address=10.10.10.0/24. Is it correct or not?
Depends. If you want to hide the 10.10.10.0/24 network behind 192.168.20.15 then yes, that is correct. That's a network design question, so the answer depends on the network design you're going for. Personally I only NAT at the AS border - the handoff point to the ISP. Everything I have control over is routed and not NAT'd.
Why can clients under the Mikrotik (network 10.10.10.0/24) ping the 192.168.20.0/24 network, but the 192.168.20.0/24 network can't ping back to 10.10.10.0/24?
Do you have any advice for this? Can you show me the code to solve this problem?
Because hosts on 192.168.20.0/24 don't have a route back to 10.10.10.0/24, and because you're NATing 10.10.10.0/24 to 192.168.20.15 according to what you posted, so that's what 192.168.20.0/24 sees the pings as coming from. 192.168.20.0/24 is completely unaware that 10.10.10.0/24 exists. If that's not what you want, you need to change your NAT configuration and install a route at least on the default gateway serving hosts on 192.168.20.0/24 pointing to 10.10.10.0/24 through 192.168.20.15.
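The two changes the answer above describes (stop masquerading between the two LANs, and give the 192.168.20.0/24 side a route back), written out as an added example that is not from this thread. It assumes the MikroTik's interface facing 192.168.20.0/24 is called ether1, that the only existing srcnat rule is the one posted, and that the gateway 192.168.20.8 also runs RouterOS (equivalents for other systems are in the comments).

```routeros
# --- On the MikroTik (192.168.20.15 / 10.10.10.1) ---

# 1. NAT: drop the blanket masquerade posted in the thread and replace it
#    with two ordered rules. "accept" in srcnat stops NAT processing, so
#    traffic to 192.168.20.0/24 keeps its real 10.10.10.x source address;
#    only traffic leaving toward the gateway/Internet is masqueraded.
/ip firewall nat
remove [find chain=srcnat action=masquerade src-address=10.10.10.0/24]
add chain=srcnat action=accept src-address=10.10.10.0/24 \
    dst-address=192.168.20.0/24 comment="no NAT between the two LANs"
add chain=srcnat action=masquerade src-address=10.10.10.0/24 \
    out-interface=ether1 comment="NAT only toward 192.168.20.8 and beyond"
# Check the order: the accept rule must be listed before the masquerade rule.
print

# 2. The MikroTik itself needs a default route via the site gateway
#    (skip if one already exists).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.8

# --- On the default gateway 192.168.20.8 ---

# 3. Return route so replies from 192.168.20.x hosts (which send anything
#    off-subnet to 192.168.20.8) reach 10.10.10.0/24 via the MikroTik.
/ip route add dst-address=10.10.10.0/24 gateway=192.168.20.15
# Linux equivalent:   ip route add 10.10.10.0/24 via 192.168.20.15
# Windows equivalent: route -p add 10.10.10.0 mask 255.255.255.0 192.168.20.15
```

Hosts on 192.168.20.0/24 that do not use 192.168.20.8 as their default gateway need the same 10.10.10.0/24 route added locally.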