Hotspot and public addresses

My first post here, so please don’t chew me up :open_mouth:

Here is the scenario I am working with.

Mikrotik Box:
-Ether 1 Public IP 207.xx.xx.56 SN:255.255.255.192 GW:207.xx.xx.62
-Ether 2 Private IP 10.5.50.1

I need to figure out how to pass a local address from the 207 class to clients connected to Ether2 so that they can remote manage their systems

The 207/26 class is managed by my cisco3640

I hope that I was clear enough.

–edit–
Authentication is being handled via FreeRadius/MySql

Well lets see, this is a tough one.

My suggestion is to look at bridging the two interfaces and maybe using PPPoE to hand out some static public addresses. It might work, but I am new to PPPoE. Can anyone tell either of us what the pros/cons of a PPPoE session are as compared to PPP?

Newb question:
If I am being authenticated via radius, how is that different from PPPoE?

I hope the first part helps you out.

Signed,
Daiceman’s split personality

PPPoE or PPTP would work. Both allow you to create tunnels to an endpoint, so as long as your client can get to your endpoint you can assign them any IP address you’d like (whether your network is bridged or routed).

RADIUS allows you to manage users from a central location (server) and grant them access to services such as PPP, PPTP, PPPoE.

Both layer 2 protocols encapsulate packets and have methods of encryption and compression.

EDIT sorry PPPoE doesn’t offer encryption.. that’s one of the advantages to using PPTP over PPPoE. Also, when using PPTP the device you have as the endpoint will require more CPU power as it has to encode/decode packets.

Any other ideas for me?

dst-nat?

Here is what I am looking for:

All the periods are for formatting purposes.


.................................................................../ DHCP Pool 10.0.5.0/24
................................................................../
Cisco 3640 Eth0 207.75.xx.62 ----- 207.75.xx.60 Eth0 Mikrotik Eth1-
..................................................................\
...................................................................\ 207.75.xx.50 End user

Being able to run DHCP and to provide a public address within the same subnet as Mikrotik Eth0 on Eth1.

Do src-nat and dst-nat..

Just add user address in src-nat:

ip firewall src-nat

src-address=10.0.5.x/32 action=nat to-src-address=207.75.xx.50

now

ip firewall dst-nat

dst-address=207.75.xx.50/32 action=nat to-dst-address=10.0.5.x

Like this your client would have public ip address.

Cheers…

It is not working. I am still getting the MT base IP Address

You’re still going to get a private IP address 10.xx.xx.xx.. what you need to do is set up 1-to-1 NAT so that the MT maps a public IP address to one of your private IPs. You’ll also want to set up a reservation for the users that require static public IPs in the DHCP server so they get the same IP address every time. The solution posted earlier with the src/dst-nat will work. I didn’t look over the exact syntax, but essentially that is what you need to do. Check the manual for more examples.

Right, the PC still has the private IP, but when I go to a page that will show me what the world sees, my IP is that of the MT router interface, not the one that I am trying to NAT thru. The pages that I am using to look up my IP are http://www.ipchicken.com and iceman.30below.com.

Do I need to add the public IP that I want nated thru to the public interface on the MT?

Update:
I can ping my public nated pc from outside the MT. This is good - remote access is possible

But, when I get a report of the IP that I am using, it is still showing 207.75.xx.60 and not 207.75.xx.55. The .55 is the one I am NATing thru.

If I look at the NAT rules, my src-nat rule is showing no packets or bytes, and the dst-nat rule is showing a packet and byte count.

Yeah double check your src-nat rules… they should look similar to this

0 ;;; SRC-NAT
src-address=[private_IP/32] action=nat to-src-address=[Public_IP]

Also, yes, you will have to add the public IP addresses to the WAN interface of the device doing NAT.

OK here is my config.

/ ip firewall src-nat
add src-address=10.0.4.11/32 action=nat to-src-address=207.75.xx.55 comment="Static for Goomba" disabled=no

/ ip firewall dst-nat
add dst-address=207.75.xx.55/32 action=nat to-dst-address=10.0.4.11 comment="Static for Goomba" disabled=no

/ ip address
add address=207.75.xx.60/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="added by setup" disabled=no
add address=10.0.4.1/23 network=10.0.4.0 broadcast=10.0.5.255 interface=hotspot comment="hotspot network" disabled=no
add address=207.75.xx.55/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="Public for Goomba" disabled=no

looks fine… I don’t know if I mentioned it before, but you’re going to want to create a reservation for that private address on your DHCP server (unless you’re using static IPs) so that particular user gets the same private IP every time.

yup, it looks good, but it is still reporting the primary interface, the .60.
If my client needs to have a public that works both ways for remote access to his local server and use the same ip to connect to a remote server it is not working as needed.

Edit: the src-nat is not doing its job.

it shouldn’t… have your client reboot his CPE device and then try going to

http://www.whatismyip.com

Also make sure you clear the cache on the browser…

Well, right now the client is me and the cpe is my laptop sitting next to me. I did reboot it, made sure the connection was cleared in MT and reconnected. Checked with 3 different ip reporting sites to no avail. Still .60 :smiling_imp:

hrrmm..

I have a buncha clients working right now with no problems.. and your configs look fine..

what comes first on your src-nat rules? put the masquerading rule at the bottom of the list and your src-nat rule at the top.. see if that makes a difference..
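The ordering point above (and the zero packet counter reported earlier on the src-nat rule) is easier to see in a model. The following is an added example, not code from this thread or from MikroTik: a small first-match src-nat chain with per-rule counters, plus the 1:1 dst-nat lookup from the src/dst-nat suggestion. All addresses are constructed placeholders (the thread's "xx" octet is replaced with 0 so the addresses parse), and the model deliberately contains only the rules you write yourself; it does not include anything a real router might insert dynamically, so it shows why ordering matters, not why the original poster's setup still failed after reordering.

```python
"""First-match src-nat chain simulator (added example, not MikroTik code).

Models the situation debugged in the thread: an outbound packet from the
1:1-NATed host 10.0.4.11 should leave with source 207.75.0.55, but if a
broad masquerade rule sits above the specific src-nat rule, the masquerade
matches first and the outside world sees the WAN interface address (.60),
while the specific rule's counters stay at zero.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

WAN_IF_ADDRESS = "207.75.0.60"  # constructed stand-in for 207.75.xx.60


@dataclass
class SrcNatRule:
    src_network: str                      # "10.0.4.11/32" or "10.0.4.0/23"
    action: str                           # "nat" (fixed address) or "masquerade"
    to_src_address: Optional[str] = None  # only used when action == "nat"
    comment: str = ""
    packets: int = 0                      # per-rule counters, like the router shows
    byte_count: int = 0

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.src_network, strict=False)


@dataclass
class Packet:
    src: str
    dst: str
    length: int = 64


def apply_src_nat(chain: List[SrcNatRule], pkt: Packet,
                  egress_address: str = WAN_IF_ADDRESS) -> str:
    """Walk the chain top to bottom; the first matching rule wins.

    Returns the source address the outside world will see and increments
    the counters of the rule that handled the packet.
    """
    for rule in chain:
        if rule.matches(pkt.src):
            rule.packets += 1
            rule.byte_count += pkt.length
            if rule.action == "masquerade":
                return egress_address          # rewritten to the WAN interface IP
            return rule.to_src_address         # rewritten to the fixed public IP
    return pkt.src  # no rule matched: the private address leaks out unchanged


def apply_dst_nat(mapping: Dict[str, str], pkt: Packet) -> str:
    """1:1 inbound mapping public -> private; returns the delivered destination."""
    return mapping.get(pkt.dst, pkt.dst)


def static_rule() -> SrcNatRule:
    # Mirrors the thread's "Static for Goomba" src-nat rule (xx -> 0).
    return SrcNatRule("10.0.4.11/32", "nat", "207.75.0.55", "Static for Goomba")


def masq_rule() -> SrcNatRule:
    # Catch-all masquerade for the whole hotspot network (constructed).
    return SrcNatRule("10.0.4.0/23", "masquerade", comment="hotspot clients")


def demo() -> dict:
    outbound = Packet("10.0.4.11", "198.51.100.10")   # constructed destination

    # Wrong order: masquerade above the specific rule swallows the packet.
    bad_chain = [masq_rule(), static_rule()]
    seen_bad = apply_src_nat(bad_chain, outbound)

    # Right order: specific 1:1 rule first, masquerade at the bottom.
    good_chain = [static_rule(), masq_rule()]
    seen_good = apply_src_nat(good_chain, outbound)

    # Inbound direction: traffic to the public IP is delivered to the private host.
    inbound = Packet("203.0.113.5", "207.75.0.55")
    delivered = apply_dst_nat({"207.75.0.55": "10.0.4.11"}, inbound)

    return {
        "seen_bad": seen_bad,
        "bad_static_packets": bad_chain[1].packets,
        "seen_good": seen_good,
        "good_static_packets": good_chain[0].packets,
        "inbound_delivered_to": delivered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the counters is the quickest check in practice: a specific src-nat rule whose packet count never moves while a broader rule's count climbs means the broader rule is matching first, regardless of what the address objects on the interface look like.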

I tried moving the rule to the top and no good. Also tried disabling all the other src-nat rules. The only one running is the one I need. Still no good.

I think I will stop for the day. My desk is taking quite a beating from my head.

Hehe, well I think you’re in Twilight Zone :slight_smile:

The example I posted earlier was exactly how it should be…

Just remove

add address=207.75.xx.55/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="Public for Goomba" disabled=no

Try and let us know what happened :wink:

Cheers…