ROS RC12 NAT problem

gcser · April 6, 2013, 6:43pm

Hi Folks,

I have the following config:
Private net 1: 10.10.11.0/24
Private net 2: 10.10.10.0/24
Private net 3: 192.168.206.0/24

Private net 2 and 3 connected by IPSEC. Net 1 and net 2 is connected by PPTP. On net 2 router there is an src-nat rule: if src address is 10.10.11.0/24 then src-nat to 10.10.10.253.

I would like to reach the 206.0 net from Net 1. (On net 1 router there is a routing rule: 192.168.206.0/24 is reachable by 10.10.10.1 (lan2) ).

My problem: ping works fine (if I log the router in net 2, I can see that the nat works well). But if I would like to reach some service e.g. with my browser in net 3, I get a timeout. If I log the traffic on port 80 in net 2, I cannot see any natting. Only the icmp is natted. I have no exception rule in net 2. Any idea?

joshaven · April 6, 2013, 6:58pm

Traceroute from both ends. Check your routes from every device.

It’s possible that the device on the far end of the VPN is following a default route to the public internet rather then using the VPN tunnel to contact the remote private subnet.

gcser · April 7, 2013, 7:52am

The strange thing, that the ping works well. If the far end has some routing problem, ping wouldn’t work.

I have the feeling, that the rc12 has some bug. I have 4 log rule at the beginning of the forward chain: 1. icmp to the other end, 2. icmp from the other end, 3. dst port 80 to the other end, 4. src port 80 from the other end. My log is attached. As shown in the “log.jpg”, the icmp traffic to the same ip (192.168.206.9) is natted, the web traffic is not. Miss I something?

joshaven · April 7, 2013, 11:57am

Can you include your NAT config.

Go to: /ip firewall nat
And run: export compact

gcser · April 7, 2013, 12:15pm

My NAT rules are very complex, the important rule is here (this rule is at the top of the rule set):

add action=src-nat chain=srcnat
dst-address-list=NONAT_ADDRESSES src-address=10.10.11.0/24
to-addresses=10.10.10.253

dst address list with name “NONAT_ADDRESSES” contains:
add address=192.168.206.0/24 list=NONAT_ADDRESSES

Once again: the strange thing, that the icmp is natted, the tcp traffic is not…

joshaven · April 7, 2013, 12:53pm

I’m sorry, I was hoping that seeing your NAT rules would help things make since. I am a bit confused about what your trying to accomplish. I can’t see any reason that ICMP would work and other traffic wouldn’t. However I must admit that I have a less then adaquate understanding of your setup.

gcser · April 7, 2013, 1:01pm

Sorry about it, but this is a core router of many companies, I’m not allowed to put the whole config to here… Tomorrow I build up a test environment with 3 routers, set up just these rules for this situation, and I will test it. I will be back with my experiences.

gcser · April 15, 2013, 2:47pm

Hi,

It was my mistake . In the forward chain there was a filter rule Sorry