Community discussions

 
RalfG
just joined
Topic Author
Posts: 7
Joined: Thu Feb 21, 2019 10:42 am

Nice way to do NAT/masquerading before entering VPN

Tue Aug 13, 2019 1:55 pm

Hi,

how can I achieve it in an elegant way to nat before packets are entering the ipsecv2 vpn:

Site1:
client in Site 1 internal network: a.a.a.1/24
mtk: a.a.a.10/24, a.a.a.11/24, a.a.a.12/24 (and so on mtk should use up to 70 addresses)

Site2:
server in Site2 internal network b.b.b.1/24, b.b.b.2/24 .....

packets originating from client a.a.a.1 to dest a.a.a.10 should be redirected to b.b.b.1 with a source of a.a.a.10
packets originating from client a.a.a.1 to dest a.a.a.11 should be redirected to b.b.b.1with a soruce of a.a.a.11

packets originating from server b.b.b.1 to client a.a.a.1 shoud be masqueraded with one of the mtk source addresses, e.g. a.a.a.70

the cisco way it was like:
interface Vlan1
description LAN Interface1
ip address a.a.a.70.250 255.255.255.0
ip nat outside
ip virtual-reassembly
ip nat inside source static b.b.b.1 a.a.a.10 route-map myroutemap

any idea how to get there with a RB4011?

thx in advance,

Ralf.
 
RalfG
just joined
Topic Author
Posts: 7
Joined: Thu Feb 21, 2019 10:42 am

Re: Nice way to do NAT/masquerading before entering VPN

Wed Aug 14, 2019 3:43 pm

nobody to help a bit?
 
Sob
Forum Guru
Forum Guru
Posts: 4411
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nice way to do NAT/masquerading before entering VPN

Wed Aug 14, 2019 5:47 pm

I'm not familiar with Cisco, but based on the decription, this could be what you want:
/ip firewall mangle
add action=jump chain=prerouting connection-state=new src-address=a.a.a.1 dst-address=a.a.a.10-a.a.a.X jump-target=vpnconnmarking
add action=mark-connection chain=vpnconnmarking dst-address=a.a.a.10 new-connection-mark=vpnconn10
add action=mark-connection chain=vpnconnmarking dst-address=a.a.a.11 new-connection-mark=vpnconn11
...
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=a.a.a.10-a.a.a.X to-addresses=b.b.b.1
add action=jump chain=srcnat connection-mark=!no-mark jump-target=myvpnnat
add action=src-nat chain=myvpnnat connection-mark=vpnconn10 to-addresses=a.a.a.10
add action=src-nat chain=myvpnnat connection-mark=vpnconn11 to-addresses=a.a.a.11
...
Jumps to different chains are meant to optimize things, to prevent every new connection to other addresses from having to go through all 2 * 70 rules.

And connections from b.b.b.1 to a.a.a.1 need only simple:
/ip firewall nat
add action=dst-nat chain=dstnat src-address=b.b.b.1 dst-address=a.a.a.1 to-addresses=a.a.a.70
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
RalfG
just joined
Topic Author
Posts: 7
Joined: Thu Feb 21, 2019 10:42 am

Re: Nice way to do NAT/masquerading before entering VPN

Mon Aug 19, 2019 5:49 pm

thx sob, will give it a try in my lab.

Ralf.
 
RalfG
just joined
Topic Author
Posts: 7
Joined: Thu Feb 21, 2019 10:42 am

Re: Nice way to do NAT/masquerading before entering VPN

Tue Aug 20, 2019 1:28 pm

sob,
it worked (after deleting my previous raw notrack prerouting rules for vpn traffic)!!
thx a lot!

Ralf.

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 52 guests