Dual Netmap setting Site To Site IPSEC Cisco doesn't work

Hello, we have changed our network diagram, from:
ISP-->Public IP (CCR1036)-->bridge wireless-->bridge wireless-->CPE (SXT)

On CCR1036
/ip firewall nat add chain=dstnat dst-address=85.85.11.0 action=netmap to-addresses=2.2.2.0
/ip firewall nat add chain=srcnat src-address=2.2.2.0 action=netmap to-addresses=85.85.11.0
where 85.85.11.0 is the public IP and 2.2.2.0 is the CPE wlan1 IP

On CPE
/ip firewall nat add chain=dstnat dst-address=2.2.2.0 action=netmap to-addresses=192.168.1.254
/ip firewall nat add chain=srcnat src-address=192.168.1.254 action=netmap to-addresses=2.2.2.0
where 192.168.1.254 is the static IP of the Cisco device

In this case all works fine and the site-to-site IPSEC VPN works correctly.

We need to route the CPE network, so we have changed the configuration to:

ISP-->Public IP (CCR1036)-->bridge wireless-->bridge wireless-->AP routed-->CPE

On CCR1036 it’s all the same

But now 2.2.2.0 is the IP address of the AP gateway interface:

On AP routed (IP address 2.2.2.0/24 gateway interface and 10.10.10.254/24 wlan2 AP interface)

AP NAT setting
/ip firewall nat add chain=dstnat dst-address=2.2.2.0 action=netmap to-addresses=10.10.10.1
/ip firewall nat add chain=srcnat src-address=10.10.10.1 action=netmap to-addresses=2.2.2.0
where 10.10.10.1 is the IP address of the CPE wlan1 interface

CPE NAT setting
/ip firewall nat add chain=dstnat dst-address=10.10.10.1 action=netmap to-addresses=192.168.1.254
/ip firewall nat add chain=srcnat src-address=192.168.1.254 action=netmap to-addresses=10.10.10.1
where 192.168.1.254 is the static IP of the Cisco device

Now the Cisco site-to-site IPSEC VPN doesn’t work. Any advice?

cetalfio