Skip to main content
wrlangston
wrlangston
New Member
October 3, 2025
Solved

How do I avoid double NAT in this situation?

  • October 3, 2025
  • 1 reply
  • 763 views

I have an upcoming job where I’ll be installing and configuring a FortiGate to serve as the edge router at a facility currently running an all-Cisco internal network (from a previous contractor). The long-term plan is to replace all Cisco devices with Fortinet gear, but to avoid downtime, the Cisco network will continue operating through the FortiGate for now.
Currently, a Meraki MX400 is acting as the edge router. Since we’re unsure of its configuration and I haven’t worked with one before, we don’t want to remove it yet. Instead, the MX400 will connect to the FortiGate, which will then connect to the ISP. We’ll begin building the new network off the FortiGate while keeping the existing Cisco network running through the MX400.
The MX400 already performs NAT, so I want to avoid double NAT on the FortiGate. Would the correct approach be to create a firewall policy on the FortiGate for the interface handling Cisco traffic and simply disable NAT? 

Best answer by funkylicious

hi,

in the situation you are describing with the FortiGate between the ISP and Meraki, you have 2 options in my opinion:

- the FGT takes the ISP IP / GW on the WAN side which connects to the Meraki ( totally transparent on the Meraki side ) , which would require your ISP to provide and configure another public subnet on it, connect the ISP router and configure on FGT and you dont enable NAT for the traffic between these interfaces; 

- you insert the FGT between the devices and create virtual wire pairs of the interfaces that connects to Meraki and ISP 

1 reply

funkylicious
SuperUser
funkyliciousAnswer
SuperUser
October 3, 2025

hi,

in the situation you are describing with the FortiGate between the ISP and Meraki, you have 2 options in my opinion:

- the FGT takes the ISP IP / GW on the WAN side which connects to the Meraki ( totally transparent on the Meraki side ) , which would require your ISP to provide and configure another public subnet on it, connect the ISP router and configure on FGT and you dont enable NAT for the traffic between these interfaces; 

- you insert the FGT between the devices and create virtual wire pairs of the interfaces that connects to Meraki and ISP 

"jack of all trades, master of none"
wrlangston
wrlangstonAuthor
New Member
October 3, 2025

Can you elaborate the virtual wire pair option a little more? I considered that as an option but I'm just not super familiar with how it works.

 

Thanks

funkylicious
SuperUser
funkylicious
SuperUser
October 3, 2025

you can read more about it here, https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/166804/virtual-wire-pair 

"jack of all trades, master of none"
Terms & ConditionsAccessibility statement