emammadov
just joined
Topic Author

One to One NAT

Mon Apr 25, 2022 12:36 pm

Hello,

We have this scenario: we want to establish an IPsec connection, but our internal subnet is also the same on the opposite site (e.g. 192.168.0.0/24). Unfortunately we can't change our subnet.
I have seen in other routers that you create a virtual subnet, and the incoming traffic is forwarded to the internal subnet. Is it possible in MikroTik? (e.g. 192.168.11.0/24 --> 192.168.0.0/24).
And also the opposite site of the IPsec tunnel should see the traffic coming from 192.168.11.0/24 instead of 192.168.0.0/24.
 
Sob
Forum Guru

Re: One to One NAT

Mon Apr 25, 2022 5:55 pm

If you control both ends, you can say that the virtual network for your side is 192.168.11.0/24 and for the remote side it is 192.168.12.0/24, then on your router do this:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.12.0/24 action=netmap to-addresses=192.168.11.0/24
add chain=dstnat src-address=192.168.12.0/24 dst-address=192.168.11.0/24 action=netmap to-addresses=192.168.0.0/24
And the opposite (swap 11 and 12) on the remote one. In case you can't do anything with the remote side, it's probably still possible, but slightly more difficult.
 
emammadov
just joined
Topic Author

Re: One to One NAT

Mon Apr 25, 2022 6:27 pm

Thank you for your reply. The remote doesn't want to create a Virtual Network. Is it okay to do it only on our side?

add chain=srcnat src-address=192.168.0.0/24 dst-address=10.200.120.0/24 action=netmap to-addresses=192.168.11.0/24

The map is as following:

Our Company
Local Network: 192.168.0.0/24

Remote Company
Local Network: 10.200.120.0/24
DMZ Network: 192.168.0.0/24

The IPsec VPN should be established between the Local Networks. Since the Remote company also has the same subnet in their router, they asked us to use a Virtual Network for the VPN.
 
Sob
Forum Guru

Re: One to One NAT

Mon Apr 25, 2022 7:17 pm

If you don't need to communicate with the remote 192.168.0.0/24, then it's easy, you can forget that it's there. Just replace 192.168.12.0/24 in my example with 10.200.120.0/24 (you need both rules) and create a policy for 192.168.11.0/24 <-> 10.200.120.0/24.
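The following is an added worked example, not code from the thread or from MikroTik: a small Python model of what the two netmap rules in Sob's answers do to a packet, using the addresses from this thread (our real LAN 192.168.0.0/24, the virtual subnet 192.168.11.0/24 the remote side sees, and the remote LAN 10.200.120.0/24). It assumes the usual RouterOS packet flow (dstnat in prerouting, srcnat in postrouting, and the IPsec policy lookup done on the already source-translated packet), models netmap as "swap the network bits, keep the host bits", and shows why the single srcnat rule from the question is not enough on its own: a new connection arriving from the remote side for a 192.168.11.x address only reaches the real host because the dstnat rule maps it back.

```python
import ipaddress

# Constructed addresses taken from the thread: our real LAN, the virtual
# subnet the remote side sees, and the remote company's LAN.
OUR_LAN = ipaddress.ip_network("192.168.0.0/24")
OUR_VIRTUAL = ipaddress.ip_network("192.168.11.0/24")
REMOTE_LAN = ipaddress.ip_network("10.200.120.0/24")


def netmap(addr, from_net, to_net):
    """Model of action=netmap: rewrite the network bits, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equally sized ranges")
    if addr not in from_net:
        raise ValueError(f"{addr} is outside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


# The two rules from the final configuration, one per chain. "src"/"dst" are
# the match conditions; "field" is the address the rule rewrites.
RULES = [
    {"chain": "srcnat", "src": OUR_LAN, "dst": REMOTE_LAN,
     "field": "src", "from": OUR_LAN, "to": OUR_VIRTUAL},
    {"chain": "dstnat", "src": REMOTE_LAN, "dst": OUR_VIRTUAL,
     "field": "dst", "from": OUR_VIRTUAL, "to": OUR_LAN},
]


def apply_chain(chain, src, dst, rules=RULES):
    """Run a packet through one NAT chain; the first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if src in rule["src"] and dst in rule["dst"]:
            if rule["field"] == "src":
                src = netmap(src, rule["from"], rule["to"])
            else:
                dst = netmap(dst, rule["from"], rule["to"])
            break
    return str(src), str(dst)


def ipsec_policy_matches(src, dst):
    """Policy selector 192.168.11.0/24 <-> 10.200.120.0/24, evaluated after srcnat."""
    return (ipaddress.ip_address(src) in OUR_VIRTUAL
            and ipaddress.ip_address(dst) in REMOTE_LAN)


def outbound(src, dst, rules=RULES):
    """Our host -> remote host. RouterOS order: dstnat (prerouting), then
    srcnat (postrouting), then the IPsec policy lookup on the translated packet."""
    src, dst = apply_chain("dstnat", src, dst, rules)
    src, dst = apply_chain("srcnat", src, dst, rules)
    return src, dst, ipsec_policy_matches(src, dst)


def inbound_new(src, dst, rules=RULES):
    """A new connection from the remote side to one of our virtual addresses:
    after decryption, only the dstnat rule turns it into the real host address."""
    return apply_chain("dstnat", src, dst, rules)


if __name__ == "__main__":
    print(outbound("192.168.0.37", "10.200.120.5"))
    print(inbound_new("10.200.120.5", "192.168.11.37"))
    # With only the srcnat rule from the question, the remote-initiated
    # packet keeps its 192.168.11.37 destination, which no local host owns.
    print(inbound_new("10.200.120.5", "192.168.11.37", rules=RULES[:1]))
```

The model also shows that traffic to anything other than 10.200.120.0/24 is left untouched and does not match the policy, which is the point of matching on dst-address in the srcnat rule rather than rewriting every packet leaving the LAN.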
