
Migrating NAT from mikrotik

am1r007
Level 1

Hi,

I want to migrate my MikroTik to an ISR4321, and I am stuck on this MikroTik NAT command:
/ip firewall address-list
add address=172.15.21.0/24 list=src-255.254
add address=10.0.255.0/24 list=src-255.254
add address=192.168.155.0/24 list=src-255.254
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=src-255.254 to-addresses=192.168.255.254

The goal is that traffic to address-list==src-255.254 is considered to come from 192.168.255.254.

What is the ISR4321 command for that MikroTik command?
Thanks

3 Replies

Seb Rupik
VIP Alumni

Hi there,

I've taken a guess at your ISR interface configs, but if I understand the MikroTik syntax correctly, the IOS commands would be:

!
int gi0/0
  ip address 192.168.255.254 255.255.255.248
  ip nat outside
!
int gi0/1
  ip nat inside
!
access-list 100 permit ip 10.0.255.0 0.0.0.255 any
access-list 100 permit ip 172.15.21.0 0.0.0.255 any
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
!
ip nat inside source list 100 interface gi0/0 overload
!

cheers,

Seb.

Thanks for your reply,
Our topology is like the picture. In our existing configuration with MikroTik, all LAN servers (192.168.255.0/24) can connect to all client servers with the above NAT rule, originating from IP 192.168.255.254, which is the gateway for 192.168.255.0/24. So all client servers only whitelist one IP, 192.168.255.254.

Thanks

Hello,

Based on your topology picture, I would configure the below. The static routes might be needed or not, since I don't know what kind of routing you already have in place:

ISR4321 (My router)

interface GigabitEthernet0/0
description To Client Servers
ip address 10.2.255.1 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/1
description To LAN Servers
ip address 192.168.255.254 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 192.168.255.0 0.0.0.255 10.0.255.0 0.0.0.255
access-list 101 permit ip 192.168.255.0 0.0.0.255 172.15.21.0 0.0.0.255
access-list 101 permit ip 192.168.255.0 0.0.0.255 192.168.155.0 0.0.0.255
!
ip route 10.0.255.0 255.255.255.0 10.0.255.2
ip route 172.15.21.0 255.255.255.0 10.0.255.2
ip route 192.168.155.0 255.255.255.0 10.0.255.2
