dst-nat problem 3 interfaces.

deh384 · March 3, 2007, 3:16am

I can't get dst-nat to work from the public to private networks.
The src-nat works well and with the correct src address.
Please help me.

Configuration is 3 interfaces.
eth1 - public - 10.100.0.254/29
to ISP default route 10.100.0.248
eth2 - routed network from ISP - 10.90.0.126/26
This is where all the servers are connected.
A second address in the interface 10.90.0.100
for the private net nat.
eth3 - privated nat network - 192.168.12.254/24
The private machines are here and 1 private server

/ ip firewall nat
add chain=srcnat src-address=192.168.12.0/24 action=src-nat
to-addresses=10.90.0.100 to-ports=0-65535 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=25
action=dst-nat to-addresses=192.168.12.1 to-ports=25 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=3389
action=dst-nat to-addresses=192.168.12.1 to-ports=3389 comment=""
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=500
action=dst-nat to-addresses=192.168.12.1 to-ports=500 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=4125
action=dst-nat to-addresses=192.168.12.1 to-ports=4125 comment=""
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=1701
action=dst-nat to-addresses=192.168.12.1 to-ports=1701 comment=""
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.12.1 to-ports=80 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=444
action=dst-nat to-addresses=192.168.12.1 to-ports=444 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=443
action=dst-nat to-addresses=192.168.12.1 to-ports=443 comment="" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=1723
action=dst-nat to-addresses=192.168.12.1 to-ports=1723 comment=""
disabled=no

thanks
DEH

galaxynet · March 3, 2007, 2:12pm

deh384 -
Just at first glance it looks like you are using the same IP address for both your private server and all of you other machines behind the MT.

The more correct way to do this would be to choose one IP for the server and dst-nat whatever ports you want to it, drop the rest. Src-nat the server to the same IP.

For the other machines a simple src-nat with a different IP address than the server above will do the trick. You won’t be able to dst-nat to those machines - typically you don’t want to anyway. But if you do, you’ll have to do the same thing unless there are some very specific ports on different machines you want to be able to reach from outside…

I know this isn’t a complete answer but you look like you know something about MT products so this should point you in the right direction.

Thom