Migrating NAT from mikrotik

am1r007
Level 1

Hi,

I want to migrate from my MikroTik to an ISR4321, and I am stuck on this MikroTik NAT command:
/ip firewall address-list
add address=172.15.21.0/24 list=src-255.254
add address=10.0.255.0/24 list=src-255.254
add address=192.168.155.0/24 list=src-255.254
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=src-255.254 to-addresses=192.168.255.254

The goal is that traffic to address-list src-255.254 is considered to come from 192.168.255.254.

What is the ISR4321 command for that MikroTik command?
Thanks

3 Replies

Seb Rupik
VIP Alumni

Hi there,

I've taken a guess at your ISR interface configs, but if I understand the MikroTik syntax correctly, the IOS commands would be:

!
int gi0/0
  ip address 192.168.255.254 255.255.255.248
  ip nat outside
!
int gi0/1
  ip nat inside
!
access-list 100 permit ip 10.0.255.0 0.0.0.255 any
access-list 100 permit ip 172.15.21.0 0.0.0.255 any
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
!
ip nat inside source list 100 interface gi0/0 overload
!

cheers,

Seb.

Thanks for your reply.
Our topology is like the picture. In our existing configuration with MikroTik, all LAN servers (192.168.255.0/24) can connect to all client servers with the above NAT rule, originating from IP 192.168.255.254, which is the gateway for 192.168.255.0/24. So all client servers only whitelist one IP, 192.168.255.254.

Thanks

Hello,

Based on your topology picture, I would configure the below. The static routes might be needed or not, since I don't know what kind of routing you already have in place:

ISR4321 (My router)

interface GigabitEthernet0/0
description To Client Servers
ip address 10.2.255.1 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/1
description To LAN Servers
ip address 192.168.255.254 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.255.0 0.0.0.255 10.0.255.0 0.0.0.255
access-list 101 permit ip 192.168.255.0 0.0.0.255 172.15.21.0 0.0.0.255
access-list 101 permit ip 192.168.255.0 0.0.0.255 192.168.155.0 0.0.0.255
!
ip route 10.0.255.0 255.255.255.0 10.0.255.2
ip route 172.15.21.0 255.255.255.0 10.0.255.2
ip route 192.168.155.0 255.255.255.0 10.0.255.2
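
Added example, not part of any reply in this thread: a Python sketch that parses the MikroTik export from the original question and emits the matching IOS extended-ACL lines, with the destination taken from `dst-address-list` and the wildcard masks computed from the prefixes. The ACL number 101 and the 192.168.255.0/24 inside network are taken from the thread; the function names are assumptions made for this example.

```python
import ipaddress
import re

# MikroTik export copied from the original question in this thread.
MIKROTIK_EXPORT = """\
/ip firewall address-list
add address=172.15.21.0/24 list=src-255.254
add address=10.0.255.0/24 list=src-255.254
add address=192.168.155.0/24 list=src-255.254
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=src-255.254 to-addresses=192.168.255.254
"""

def parse_export(text):
    """Return (address_lists, nat_rules) parsed from the export text."""
    lists, rules, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            props = dict(re.findall(r"([\w-]+)=(\S+)", line))
            if section == "/ip firewall address-list":
                # Raises ValueError on ranges, names or prefixes with host bits set.
                net = ipaddress.ip_network(props["address"], strict=True)
                lists.setdefault(props["list"], []).append(net)
            elif section == "/ip firewall nat":
                rules.append(props)
    return lists, rules

def acl_term(net):
    """Render a network as IOS 'address wildcard' (inverse mask) form."""
    return f"{net.network_address} {net.hostmask}"

def to_ios_acl(text, inside_net, acl_number):
    """One 'permit ip <inside> <dst>' line per address-list entry used by src-nat."""
    lists, rules = parse_export(text)
    src = ipaddress.ip_network(inside_net)
    out = []
    for rule in rules:
        if rule.get("action") != "src-nat" or "dst-address-list" not in rule:
            continue
        # KeyError here means the rule names a list the export never defines.
        for dst in lists[rule["dst-address-list"]]:
            out.append(f"access-list {acl_number} permit ip {acl_term(src)} {acl_term(dst)}")
    return out

if __name__ == "__main__":
    print("\n".join(to_ios_acl(MIKROTIK_EXPORT, "192.168.255.0/24", 101)))
```

The script only builds the ACL that selects which flows are translated; the address they are translated to is set by the `ip nat inside source list ...` statement that references the ACL.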
