Hello guys,
I’m having trouble trying to NAT traffic. Basically we’re setting up a totally isolated environment for an upcoming upgrade, since we can’t push the update to our live servers without testing the impact on customers’ end CPEs. So we added a new MikroTik router, Cisco switch and new servers (all totally isolated from everything). The IPs on the test servers match up to the production servers. → This is important later on.
We want the person with the remote connection via L2TP to have access to the servers, but not on their production IP!
So we want to NAT all traffic coming from 10.0.0.2 (the VPN client) going to 10.10.10.2 (fake new IP) to actually go to 172.16.100.2 (real IP in prod and testing). BUT the client cannot have access to 172.16.100.2 directly from 10.0.0.2. He can only hop from 10.0.0.2 → 10.10.10.2.
So basically how we expect the flow to go:
The engineer who types 10.10.10.2 will actually go to 172.16.100.2. He cannot access the network directly from the VPN though!
I created a NAT rule to make that happen which works fine:
ip firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=dstnat action=dst-nat to-addresses=172.16.100.2
src-address=10.0.0.0/25 dst-address=10.10.10.2 log=no log-prefix=""
But whenever I create a firewall rule to drop traffic from src-address 10.0.0.0/24 to dst-address 172.16.100.0/28, the pings to 10.10.10.2 stop working.
What am I missing and how could I accomplish this?
Best regards and thank you for trying to help in advance!
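One way to keep the hop via 10.10.10.2 working while still blocking direct access to the production range, added here as an example and not taken from the original post: RouterOS applies dst-nat in prerouting before the forward filter chain, so a forward rule matching dst-address=172.16.100.0/28 also sees the packets that were just rewritten from 10.10.10.2 and drops them. Matching on connection-nat-state (available in RouterOS 6.x and later) limits the drop to connections that were not dst-natted; the assumption is that the existing drop rule sits in the forward chain.

```routeros
# Added example, not the poster's own configuration.
# Assumes RouterOS 6.x or later and that the drop rule is in chain=forward.

# Existing dst-nat as shown in the post: the engineer targets 10.10.10.2 and the
# router rewrites the destination to the real server before routing/filtering.
/ip firewall nat
add chain=dstnat src-address=10.0.0.0/25 dst-address=10.10.10.2 \
    action=dst-nat to-addresses=172.16.100.2

# The rule that breaks the pings (shown for comparison, do NOT add it):
#   /ip firewall filter
#   add chain=forward src-address=10.0.0.0/24 dst-address=172.16.100.0/28 action=drop
# Because dst-nat already ran in prerouting, the forward chain sees the translated
# packet (dst 172.16.100.2) and this rule matches it too, so the hop is dropped.

# Corrected rule: drop only connections that were NOT translated by dst-nat,
# i.e. a VPN client that typed a 172.16.100.x address directly.
/ip firewall filter
add chain=forward src-address=10.0.0.0/24 dst-address=172.16.100.0/28 \
    connection-nat-state=!dstnat action=drop log=yes \
    log-prefix="vpn-direct-prod" \
    comment="block direct VPN access to prod range, allow the dst-natted hop"
```

Verify with /ip firewall filter print stats after pinging both 10.10.10.2 (should succeed, counter unchanged) and 172.16.100.2 (should fail, counter and log entries increase).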
