I am trying to replace a Cisco 2514 and IPCop with MT 2.9.40.
This is a server hosting service with a 5 Mb ISP link and a routed public network via a Cisco 2514.
We have an IPCop to firewall our internal network and our web/email server.
I want to use a single MT to provide the same services.
Current configuration:

           --------------
  ISP --> | Cisco 2514 | public - 10.100.0.254/29
           --------------  default route 10.100.0.248
                 |
           -----------  Routed public network
          | Switch  | -> 10 web servers
           -----------  10.90.0.126/26
                 |
                 |  public address 10.90.0.100
           -----------
          | IPCop   | public address 10.90.0.100
          |         | private NATed network 192.168.12.254/24
          | DSTnat  | -> 1 private web server
          | SRCnat  | -> 5 private desktops
           -----------
I am trying to change to a single MT 2.9.40 with 3 interfaces and 2 switches, with the MT providing the SRCnat and DSTnat.

           --------------
  ISP --> | MT 2.9.40  | eth1 - public - 10.100.0.254/29
           --------------  default route 10.100.0.248
            |        |
          eth3      eth2
            |        |
            |     -----------  Routed public network
            |    | Switch  | -> 10 web servers
            |     -----------  10.90.0.126/26
            |
      -----------
     | Switch  | private NATed network 192.168.12.254/24
     |         | public address 10.90.0.100
     |         | -> 1 private web server
     |         | -> 5 private desktops
      -----------
I can't get dst-nat to work from the public to private networks.
The src-nat works well and with the correct src address.
Please help me.
Configuration is 3 interfaces:
eth1 - public - 10.100.0.254/29
to ISP, default route 10.100.0.248
eth2 - routed network from ISP - 10.90.0.126/26
This is where all the servers are connected.
A second address on the interface, 10.90.0.100,
for the private net NAT.
eth3 - private NAT network - 192.168.12.254/24
The private machines are here, and 1 private server.
-----
/ ip firewall nat
add chain=srcnat src-address=192.168.12.0/24 action=src-nat \
to-addresses=10.90.0.100 to-ports=0-65535 comment="private net out as 10.90.0.100" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=25 \
action=dst-nat to-addresses=192.168.12.1 to-ports=25 comment="SMTP to private server" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=3389 \
action=dst-nat to-addresses=192.168.12.1 to-ports=3389 comment="RDP to private server" \
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=500 \
action=dst-nat to-addresses=192.168.12.1 to-ports=500 comment="port 500 (IKE is normally UDP, not TCP)" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=4125 \
action=dst-nat to-addresses=192.168.12.1 to-ports=4125 comment="TCP 4125 to private server" \
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=1701 \
action=dst-nat to-addresses=192.168.12.1 to-ports=1701 comment="port 1701 (L2TP is normally UDP, not TCP)" \
disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.12.1 to-ports=80 comment="HTTP to private server" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=444 \
action=dst-nat to-addresses=192.168.12.1 to-ports=444 comment="TCP 444 to private server" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=443 \
action=dst-nat to-addresses=192.168.12.1 to-ports=443 comment="HTTPS to private server" disabled=no
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=1723 \
action=dst-nat to-addresses=192.168.12.1 to-ports=1723 comment="PPTP control (GRE, protocol 47, is not forwarded by this rule)" \
disabled=no
------
thanks
DEH
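As an added illustration, not DEH's posted configuration and not a claimed diagnosis of why his dst-nat fails, here is the same three-interface layout written out with the rules and checks a practitioner would want next to it: a hairpin rule so private desktops can also reach 10.90.0.100, forward-chain filters that admit only the translated services into the private net, and the RouterOS commands used to see whether a dst-nat rule is matching at all. The interface names and addresses are taken from the post; everything else is an assumption: that the private server is 192.168.12.1 for all services, that ports 500/1701/1723 are meant for L2TP/IPsec and PPTP pass-through (which is why UDP and GRE rules appear), and that the export syntax used here runs unchanged on 2.9.40 (it is the 2.9/3.x export form; verify on the box).

```routeros
# Added example, not from the original post. Assumptions: private server is
# 192.168.12.1; VPN ports are for L2TP/IPsec and PPTP, so UDP and GRE are
# forwarded too; RouterOS 2.9/3.x export syntax.

/ ip address
add address=10.100.0.254/29 interface=eth1 comment="ISP link"
add address=10.90.0.126/26 interface=eth2 comment="routed public block"
add address=10.90.0.100/26 interface=eth2 comment="NAT address for private net"
add address=192.168.12.254/24 interface=eth3 comment="private net"

/ ip route
add dst-address=0.0.0.0/0 gateway=10.100.0.248 comment="default to ISP"

/ ip firewall nat
# Hairpin first: a private desktop connecting to 10.90.0.100 is dst-natted to
# 192.168.12.1 below; this rule makes the server answer via the MT instead of
# replying to the desktop directly (which would break the connection).
add chain=srcnat src-address=192.168.12.0/24 dst-address=192.168.12.1 \
    action=masquerade comment="hairpin NAT for private clients"
# Outbound: private net leaves as 10.90.0.100 (same intent as the posted rule).
add chain=srcnat src-address=192.168.12.0/24 \
    action=src-nat to-addresses=10.90.0.100 comment="private net -> 10.90.0.100"
# Inbound TCP services to the private server.
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.12.1 comment="SMTP"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.12.1 comment="HTTP"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.12.1 comment="HTTPS"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=444 \
    action=dst-nat to-addresses=192.168.12.1 comment="TCP 444"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.12.1 comment="RDP"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=4125 \
    action=dst-nat to-addresses=192.168.12.1 comment="TCP 4125"
# VPN pass-through (assumption: L2TP/IPsec and PPTP). IKE and L2TP are UDP;
# PPTP needs GRE (IP protocol 47) in addition to TCP 1723.
add chain=dstnat dst-address=10.90.0.100 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.12.1 comment="IKE"
add chain=dstnat dst-address=10.90.0.100 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.12.1 comment="IPsec NAT-T"
add chain=dstnat dst-address=10.90.0.100 protocol=udp dst-port=1701 \
    action=dst-nat to-addresses=192.168.12.1 comment="L2TP"
add chain=dstnat dst-address=10.90.0.100 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.12.1 comment="PPTP control"
add chain=dstnat dst-address=10.90.0.100 protocol=gre \
    action=dst-nat to-addresses=192.168.12.1 comment="PPTP GRE"

/ ip firewall filter
# Forward chain: let private hosts out, let only translated connections in
# (filter sees the post-dst-nat address), drop everything else bound for eth3.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=eth3 action=accept comment="private net out"
add chain=forward out-interface=eth3 dst-address=192.168.12.1 action=accept \
    comment="dst-natted services only"
add chain=forward out-interface=eth3 action=drop comment="nothing else inbound"

# Checks when dst-nat appears not to work:
# 1. Is the rule matching? Its counters should rise on a test connection.
/ ip firewall nat print stats
# 2. Is the connection tracked with the translated reply address?
/ ip firewall connection print
# 3. Does traffic for 10.90.0.100 really arrive (the ISP must route the /26 to
#    10.100.0.254), and does 192.168.12.1 use 192.168.12.254 as its gateway?
/ ip route print
/ ping 192.168.12.1
```

Rule order matters in both tables: NAT takes the first matching rule, so the hairpin masquerade sits above the general src-nat, and the filter's drop sits last. If the counters in step 1 stay at zero, the packet never reached the dst-nat rule (a routing or arrival problem); if they rise but the connection in step 2 shows no reply packets, the private server is answering through some other gateway.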