DST-NAT after IPSEC, how to establish the way back?

Hello

I could need a little hint in the right direction.

Situation:
an established IPSEC tunnel between a Mikrotik RB 1000 (6.27) and a CISCO (unknown).
I receive a connection from a network y.y.y.y/24 through the tunnel (Dst. IP x.x.x.x/32 port 4242 (not a local IP on the router)) and have to rewrite it to an IP z.z.z.z/32 port 4242 on the local net.
I inserted a NAT rule which works (the request reaches the local IP), but the answer from the local server gets lost. (I saw the packets coming out of the server, but they didn't find their way back into the IPSEC tunnel.)

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=z.z.z.z to-ports=4242 protocol=tcp src-address=y.y.y.y/24 dst-address=x.x.x.x dst-port=4242

Any ideas ???

With an IPSec tunnel you shouldn’t have to use dst-nat.

All clients on each side of the tunnel should be able to connect to any remote client via the remote client’s private IP.

How it works:

The server on the Cisco network sends a packet destined for your server's private IP. Since the packet's destination is not in the source server's subnet, the packet gets sent to its gateway, the Cisco router. The Cisco checks its IPSec policies to determine if it should be routed over the tunnel. The packet then gets wrapped inside a UDP packet. The UDP packet is destined for your Mikrotik's public IP.

Your Mikrotik receives the packet, unwraps it and drops it into the routing logic. Since the packet has your server’s private IP, it gets routed as a normal packet.

Then when your server replies, it should be replying to the remote server’s private IP.

So no need for dst-nat.

But if your scenario does need dst-nat, you'll need a corresponding src-nat rule. Otherwise the replies from your server may make it back to the remote server; however, the remote server will drop the packet because it doesn't have a connection with your server's private IP. Instead it has a connection with your Mikrotik's public IP. So the src-nat rule would rewrite outbound packets with the Mikrotik's public IP.
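As an added example (not configuration posted in this thread), here is what the answer above amounts to in RouterOS 6.x syntax: the poster's dst-nat rule, the matching src-nat rule for the way back, and the IPsec policy that has to select the reply. Assumptions: y.y.y.y/24 is the remote subnet, x.x.x.x the address the remote side sends to, z.z.z.z the real local server, and MT_PUB / CISCO_PUB placeholders for the two tunnel endpoints (none of these are real values). Two things worth knowing that the answer does not spell out: RouterOS connection tracking already rewrites the reply's source back to x.x.x.x on its own, so the src-nat rule is mainly insurance, and a reply that does not match any IPsec policy is simply routed in the clear and lost. If the policy only covers the real LAN subnet and not x.x.x.x, that is exactly the symptom the question describes.

```routeros
# Added example, not from the original thread. Placeholders: x.x.x.x, y.y.y.y/24,
# z.z.z.z, MT_PUB, CISCO_PUB. RouterOS 6.x syntax, tested nowhere in this thread.

# 1. IPsec policy. It must select the REPLY as well as the request: after
#    connection tracking undoes the dst-nat, the reply carries source x.x.x.x,
#    destination y.y.y.y/24. A policy that only lists the real LAN subnet
#    will not match it and the reply leaves unencrypted via the default route.
/ip ipsec policy add src-address=x.x.x.x/32 dst-address=y.y.y.y/24 \
    protocol=all action=encrypt level=require tunnel=yes \
    sa-src-address=MT_PUB sa-dst-address=CISCO_PUB proposal=default

# 2. Inbound: the poster's rule, rewriting the phantom address to the real
#    server. Runs in prerouting, after the packet has been decapsulated.
/ip firewall nat add chain=dstnat src-address=y.y.y.y/24 dst-address=x.x.x.x \
    protocol=tcp dst-port=4242 action=dst-nat to-addresses=z.z.z.z to-ports=4242 \
    comment="tcp/4242 from tunnel -> local server"

# 3. Outbound: the "corresponding src-nat rule" from the answer. Replies from
#    z.z.z.z toward the remote subnet leave with x.x.x.x as source. Placed at
#    the top of srcnat so no later masquerade rule can touch tunnel traffic.
/ip firewall nat add chain=srcnat src-address=z.z.z.z dst-address=y.y.y.y/24 \
    protocol=tcp src-port=4242 action=src-nat to-addresses=x.x.x.x \
    comment="reply path for tcp/4242 back into the tunnel" place-before=0
/ip firewall nat add chain=srcnat dst-address=y.y.y.y/24 action=accept \
    comment="never masquerade traffic for the remote subnet" place-before=1

# Checks. The connection entry shows both the original (y -> x) and the reply
# (z -> y) tuple; the SA counters must increase when the server answers; the
# NAT rule counters tell you whether the src-nat rule ever fires.
/ip firewall connection print where dst-address~":4242"
/ip ipsec installed-sa print
/ip firewall nat print stats
```

If the SA counters stay flat while the dst-nat counter climbs, the reply is leaving the router outside the tunnel; compare the source address the reply actually carries (a quick /tool sniffer on the WAN interface shows it) against the policy's src-address.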

I also found this scenario on our network. Is it possible to add dst-nat after an IPSEC tunnel? Do we need to add another src-nat rule to establish the way back?