 
jml
newbie
Topic Author
Posts: 39
Joined: Wed May 15, 2013 3:22 am

Help with NATed VPN Config

Fri Jan 24, 2014 4:40 am

Hi,
I'm translating a VPN config from Cisco to Mikrotik.
This VPN setup is a little different in that the LAN IPs need to be NATed to a specific IP range for the VPN tunnel.
I was looking for a little help on setting that part up properly.

The LAN IP range is 192.168.1.0/24
The valid VPN range is 172.16.169.0/24
The far side VPN range is 192.168.5.96/27

This is what I have for firewall rules:

/ip firewall nat
# traffic already sourced from the VPN range: accept it so no later rule translates it
add action=accept chain=srcnat dst-address=192.168.5.96/27 src-address=172.16.169.0/24
# LAN -> far side: translate the LAN source to the range the far side expects
add action=src-nat chain=srcnat dst-address=192.168.5.96/27 src-address=\
    192.168.1.0/24 to-addresses=172.16.169.2-172.16.169.254
# everything else from the LAN: masquerade behind the WAN address
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway src-address=192.168.1.0/24

I've also defined a bridge with no ports for the 172.16.169.x network:

/interface bridge
add name=loopbridge
/ip address
add address=172.16.169.1/24 interface=loopbridge network=172.16.169.0

Is this correct at all?

Thanks.

-- James
 
rickfrey
Trainer
Posts: 610
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Help with NATed VPN Config

Fri Jan 24, 2014 10:09 am

Hi James,
You lost me with the bridge settings. There was not enough detail to understand how it fits in, but here is the answer to the NAT problem:


LAN1 Subnet-----NAT--------------Tunnel--------------NAT-------LAN2 Subnet
     or                                                              or
Subnet presented to other side                  Subnet presented to other side

Depending on the tunnel and the purpose you may have to source NAT both sides from one LAN to the other (i.e. IPsec). The tunnel IPs probably do not figure into the NAT equation; they would be used for routing. It sounds like you are trying to bridge the tunnel in, though. The NAT will take place from LAN1 to LAN2. I would recommend not NATing the whole range, but instead NATing a single IP to a single IP. This will ensure that it's the same IP each time and will also help tremendously in troubleshooting. One last thought: depending on which type of tunnel you are using, the IP addresses may need to reside on the router and not on the host. Since the config is just one side of the middle, I'm not really sure if that applies to you or not. Hope that helps.
Launch your company forward with professional training!
http://rickfreyconsulting.com/product-c ... raining-2/
 
jml
newbie
Topic Author
Posts: 39
Joined: Wed May 15, 2013 3:22 am

Re: Help with NATed VPN Config

Fri Jan 24, 2014 7:48 pm

I'm sorry I wasn't that clear.
I do not control the far side of the VPN connection. It is fixed at 192.168.5.96/27 as the network that is presented.
They require that IPs on my side are 172.16.169.0/24 for communicating across the VPN.
The actual client's LAN is 192.168.1.0/24 and it cannot be re-IPed at this time.
So, to communicate across the VPN I need to NAT the 192.168.1.x to 172.16.169.x first and then send it across the VPN to 192.168.5.96/27 hosts.

I hope this makes it a bit more clear...
 
jml
newbie
Topic Author
Posts: 39
Joined: Wed May 15, 2013 3:22 am

Re: Help with NATed VPN Config

Fri Jan 24, 2014 8:43 pm

Here are the relevant parts of the Cisco config I need to translate to Mikrotik:

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxx address yyy.yyy.yyy.yyy
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto map PSM2 20 ipsec-isakmp
 set peer yyy.yyy.yyy.yyy
 set transform-set ESP-AES-128-SHA
 set pfs group2
 match address 101
!
interface Loopback1
 ip address 172.16.169.1 255.255.255.0
 ip nat outside
!
interface Ethernet0
 ip address zzz.zzz.zzz.zzz 255.255.255.252
 ip nat outside
 crypto map PSM2
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
!
ip nat pool PSMVPN 172.16.169.1 172.16.169.127 netmask 255.255.255.0
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source route-map vpnnat pool PSMVPN overload
!
access-list 1 deny any
access-list 101 permit ip 172.16.169.0 0.0.0.255 192.168.5.96 0.0.0.31
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.5.96 0.0.0.31
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.5.96 0.0.0.31
!
route-map vpnnat permit 10
 match ip address 111
!
route-map nonat permit 10
 match ip address 110
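
Editor's added example (not from James or Rick, and not MikroTik's own documentation): a RouterOS translation of the IOS fragment above, written in the current /ip ipsec profile + peer + identity syntax (RouterOS 6.43 and later, and v7; the 2014-era 6.x builds put these settings on /ip ipsec peer alone). It keeps the post's placeholders xxxxxxx, yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz and the interface names ether1-gateway and loopbridge from James's first post; the rule names, comments, the chosen pool range and the input-chain filter rules are this example's assumptions. Two points on the IOS side: "ip nat inside source list 1" references an ACL that denies everything, so it does nothing and has no counterpart below, and IOS applies its default 3600 second IPsec SA lifetime because none is configured. The part that matters is NAT ordering: in RouterOS the srcnat chain runs before the IPsec policy lookup and the first matching rule ends processing, so the rule translating 192.168.1.0/24 to 172.16.169.x for the remote /27 must sit above the masquerade rule, and the policy then matches the translated source just as ACL 101 does.

```routeros
# Added example: RouterOS equivalent of the posted IOS config (6.43+/v7 syntax).
# Placeholders carried over from the post: xxxxxxx (PSK), yyy.yyy.yyy.yyy (remote
# peer), zzz.zzz.zzz.zzz (local WAN address). ether1-gateway and loopbridge come
# from James's first post; names, comments and pool range are assumptions.

# --- Phase 1 (crypto isakmp policy 5): AES-128, SHA-1, DH group 2, 8 h, PSK ---
/ip ipsec profile
add name=PSM2 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 lifetime=8h
/ip ipsec peer
add name=PSM2 address=yyy.yyy.yyy.yyy/32 local-address=zzz.zzz.zzz.zzz \
    profile=PSM2 exchange-mode=main
/ip ipsec identity
add peer=PSM2 auth-method=pre-shared-key secret=xxxxxxx

# --- Phase 2 (transform-set ESP-AES-128-SHA, set pfs group2) ---
# IOS uses a 3600 s IPsec SA lifetime when none is set; RouterOS defaults to 30m.
/ip ipsec proposal
add name=ESP-AES-128-SHA auth-algorithms=sha1 enc-algorithms=aes-128-cbc \
    pfs-group=modp1024 lifetime=1h

# --- crypto map PSM2 / match address 101 ---
# The policy matches the post-NAT source: RouterOS runs srcnat before the
# IPsec policy lookup, which is exactly what this design relies on.
/ip ipsec policy
add peer=PSM2 tunnel=yes src-address=172.16.169.0/24 dst-address=192.168.5.96/27 \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    proposal=ESP-AES-128-SHA

# --- NAT: rules are evaluated top-down, first match ends processing,
#     so the VPN rule must be above the masquerade rule. ---
/ip firewall nat
# route-map vpnnat / pool PSMVPN overload: many-to-few PAT into the pool.
# .1 is excluded because it is the router's own loopbridge address.
add chain=srcnat action=src-nat src-address=192.168.1.0/24 \
    dst-address=192.168.5.96/27 to-addresses=172.16.169.2-172.16.169.127 \
    comment="vpnnat: LAN -> 172.16.169.x for the tunnel"
# One-to-one alternative suggested in this thread: netmap keeps the host part,
# so 192.168.1.50 always leaves as 172.16.169.50. Use ONE of the two rules.
# add chain=srcnat action=netmap src-address=192.168.1.0/24 \
#     dst-address=192.168.5.96/27 to-addresses=172.16.169.0/24 \
#     comment="vpnnat (1:1)"
# route-map nonat / ACL 110: anything not bound for the remote /27 is PAT'd
# to the WAN address.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    out-interface=ether1-gateway comment="nonat: default internet access"

# --- Loopback1 equivalent, as in the original post: a bridge with no ports ---
/interface bridge
add name=loopbridge
/ip address
add address=172.16.169.1/24 interface=loopbridge

# --- Let the peer reach IKE and ESP. Place these above any drop rule that
#     the input chain applies to traffic arriving on ether1-gateway. ---
/ip firewall filter
add chain=input action=accept protocol=ipsec-esp src-address=yyy.yyy.yyy.yyy \
    in-interface=ether1-gateway comment="ESP from PSM2 peer"
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=yyy.yyy.yyy.yyy in-interface=ether1-gateway \
    comment="IKE / NAT-T from PSM2 peer"
```

Return traffic from 192.168.5.96/27 arrives decrypted with a 172.16.169.x destination and is mapped back to the 192.168.1.x host by connection tracking, so no dstnat rule is needed for connections the LAN initiates. Rick's one-to-one suggestion is the commented netmap rule: because it preserves the host part, each LAN host always appears as the same 172.16.169.x on the far side, which the pool rule (like IOS "pool ... overload") does not guarantee. Connections the far side initiates towards 172.16.169.x are a separate matter: conntrack only reverses translations it created, so those would need a mirror netmap rule in the dstnat chain, and are simply not possible with the pool rule alone.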
