Mon Apr 17, 2017 8:24 am
Well, I got it working — a simple error: the dst-nat rule was matching on the wrong destination port.
Here is the config, or rather the relevant sections. Anything shown as (section) in brackets has been redacted, for obvious reasons.
Remote site with dynamic IP.
# Remote site LAN: 192.168.6.0/24 lives on bridge-vlan60, with the router at .254
# handing out .100-.200 by DHCP. WAN is wlan1 and gets its address by DHCP-client.
/ip pool
add name=Cisco_Lab_DHCP_Pool ranges=192.168.6.100-192.168.6.200
/ip dhcp-server
add address-pool=Cisco_Lab_DHCP_Pool disabled=no interface=bridge-vlan60 name=Cisco_Lab_DHCP
/interface bridge port
# ether1 is the only port shown in the bridge; any other members are outside this excerpt.
add bridge=bridge-vlan60 interface=ether1
/ip address
add address=192.168.6.254/24 interface=bridge-vlan60 network=192.168.6.0
/ip dhcp-client
# default-route-distance=0 makes the wlan1 lease the preferred default route.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.6.0/24 gateway=192.168.6.254
/ip firewall filter
# Forward chain: explicitly accept traffic between the remote LAN and the home LAN
# in both directions (this is the traffic the IPsec policy below tunnels).
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.6.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.1.0/24
# Disabled: host-specific accept, presumably left over from troubleshooting - confirm before removing.
add action=accept chain=forward disabled=yes dst-address=192.168.6.254 src-address=192.168.6.1
# Disabled: a catch-all accept with no match criteria. No drop rule is shown in this
# excerpt; if the forward chain has no final drop elsewhere, RouterOS accepts unmatched
# traffic anyway, so these accept rules only matter once a drop is added after them.
add action=accept chain=forward disabled=yes
/ip firewall nat
# Exempt LAN-to-LAN traffic from NAT so it keeps its 192.168.6.x source and
# matches the IPsec policy; rule order matters - this must stay above the masquerade.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.6.0/24
# Everything else leaving via wlan1 is masqueraded behind the dynamic WAN address.
add action=masquerade chain=srcnat out-interface=wlan1
/ip ipsec peer
# Pre-shared-key peer towards the home router's static address, AES-256 / SHA-512.
# nat-traversal=no: this side is behind a DHCP-assigned wlan1 address; if there is
# ever a NAT device between the two routers, ESP will not pass without NAT-T - confirm
# the path is NAT-free. The secret is stored in plain text in the export.
add address=(static IP target at home)/32 enc-algorithm=aes-256 hash-algorithm=sha512 nat-traversal=no secret="(password)"
/ip ipsec policy
# Tunnel-mode policy for remote LAN -> home LAN. sa-src-address=0.0.0.0 presumably
# lets the router use whatever WAN address it currently holds - verify against the
# RouterOS version in use.
add dst-address=192.168.1.0/24 sa-dst-address=(static IP target at home) sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
/system identity
set name=Cisco_Lab
/system scheduler
# Runs the ping script every minute. The policy list (ftp, reboot, write, password,
# sniff, sensitive, romon, ...) is far broader than a script that only pings needs;
# trimming it to the minimum set the script actually requires limits what a
# compromised or mistakenly edited script can do.
add interval=1m name="1min Ping" on-event=(name) policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/31/2016 start-time=07:58:13
/system script
# Pings the home router from the LAN address so the traffic matches the IPsec policy -
# looks like a keepalive to keep the SA established; confirm that is the intent.
# Same over-broad policy list as the scheduler entry above.
# NOTE(review): the source= string appears unterminated in this paste - check the
# closing quote in the real export.
add name=(name) owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":put [ping 192.168.1.254 src-address=192.168.6.254 count=2]
Home address with static IP
# Home site LAN: 192.168.1.0/24 on bridge2, router at .254. WAN is ether1.
/ip address
add address=192.168.1.254/24 interface=bridge2 network=192.168.1.0
/ip dhcp-client
# WAN address comes from DHCP-client even though the post calls it static -
# presumably a fixed lease from the ISP; confirm.
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254 netmask=24
/ip firewall nat
# Exempt home LAN -> remote LANs from source NAT so the traffic matches the IPsec
# policy. These accept rules sit above the src-nat and masquerade rules on purpose.
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=192.168.1.0/24
# Port forward: TCP on the chosen external port arriving on ether1 is sent through the
# tunnel to the remote Cisco at 192.168.6.1:22. The rule has no src-address / address-list
# restriction, so the SSH service is reachable from any Internet source; limiting it to
# known source addresses (or adding a matching forward-chain filter) is the usual mitigation.
add action=dst-nat chain=dstnat comment="Port Translation for Work Cisco SSH" dst-port=(an external port) in-interface=ether1 protocol=tcp to-addresses=192.168.6.1 to-ports=22
# Rewrites the source of the forwarded SSH sessions to 192.168.1.254 so they fall inside
# the 192.168.1.0/24 -> 192.168.6.0/24 IPsec policy and the Cisco replies via the tunnel.
# Traffic from 192.168.1.0/24 never reaches this rule (accepted above), so only the
# dst-nat'd Internet sessions are affected. Side effect: the Cisco's SSH logs show
# 192.168.1.254 rather than the real client address - keep the originating IP in the
# router's own logs if it matters for incident review.
add action=src-nat chain=srcnat dst-address=192.168.6.1 dst-port=22 protocol=tcp to-addresses=192.168.1.254 to-ports=22
# Everything else leaving via ether1 is masqueraded.
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Responder peer for the remote site's dynamic address: address=0.0.0.0/0 means an IKE
# proposal from any source is accepted if it presents the shared secret, and
# generate-policy=port-strict builds the policy from what the initiator proposes. The
# PSK is therefore the only thing authenticating the remote router; keep it long and
# random, and watch the IPsec / firewall logs for IKE attempts from unexpected sources.
# nat-traversal=no matches the remote side's setting. The secret is plain text in the export.
add address=0.0.0.0/0 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 local-address=(my local WAN IP static) nat-traversal=no secret="(password)"