Skip to main content
gaia45
gaia45
Explorer
January 28, 2025
Question

Double NAT behind VPN client

  • January 28, 2025
  • 3 replies
  • 1214 views

Hi,

 

We have a Fortigate which act as router/firewall to protect/split our different networks. It is also used as the Internet Gateway.

Our VPN clients are connected through Cisco AnyConnect Platform, getting RFC1918 IP. These IP are NATed (other RFC1918) in output from VPN plateform for mandatory reasons. NATed address are known from Fortigate and VPN client can reach servers hosted by Fortigate by this way.

 

However, VPN clients have to go to Internet too. So their NATed address is reNATed with a public address to go on Internet.

 

VPN client (10.0.0.1) => NATed on 192.168.1.1 by VPN plateform => Fortigate => NAted on public address by Fortigate

 

 

It works for almost cases except for video/audio on particular visio services...

 

VPN client must have a 10.0.0.X address and MUST be NATed to go to Fortigate Networks. What other solution could be used ? Is this "double NAT" correct ? Maybe some parameters to set for keep audio/video (UDP ?) working ?

 

Regards,

3 replies

gaia45
gaia45Author
Explorer
January 28, 2025

Trying to be more explicit :

 

Client connect to VPN, get 10.0.0.1 = mandatory

Client is NATed on VPN plateform with 192.168.1.1 to reach Fortigate Networks = mandatory

Client should go to Internet = must be reNATed with public address on Fortigate

 

Client is NATed "twice".

 

Works for almost all, except visio audio/video flow (udp ?)

 

What could be wrong ? What can be done ?

gaia45
gaia45Author
Explorer
February 2, 2025

No one has the same problem ?

Does anyone have to "double nat" to go on Internet ?

Dhruvin_patel
Staff
Dhruvin_patel
Staff
February 2, 2025

Greetings!

 

There wouldn't be any problem with double NAT.

 

Verify on FortiGate that the NAT rules for VPN clients going to the internet are properly configured to translate their addresses to public IPs.

 

Review firewall rules on the FortiGate to confirm that they allow necessary UDP traffic for the audio/video services used by the VPN clients(NATed source IP).

 

Regards!

Terms & ConditionsAccessibility statement