How to configure Port forwarding to another firewall behind CGNAT

Forum|Forum|11 months ago
June 16, 2025
2 replies
515 views

I have 2 firewall connecting using site to site dialup vpn because site 2 is behind cgnat.

Now i wanted to configure a port forward to a internal devices behind site 2.

I have configured the VIP and policy at site 1 but its not working, is any step i miss out or any other ways to do it ?

VIP

edit "Test3"
set uuid b7def848-4834-51f0-5298-bafc01a19730
set extip public IP
set mappedip "192.168.2.20"
set extintf "any"
set portforward enable
set extport 34263
set mappedport 3389
next

Firewall policy

edit 17
set name "Test3"
set uuid c8b54f82-4834-51f0-0ccf-a0367faa8ea9
set srcintf "mgmt1"
set dstintf "TO_P"
set action accept
set srcaddr "all"
set dstaddr "Test3"
set schedule "always"
set service "ALL"
set logtraffic all
next

FortiGate

Toshi_Esumi

SuperUser

VPN works because site2 "dials up" to site1. The other way doesn't work because the IP address: 10.64.0.0/10 range IP is not publicly routable. Therefore, VIPs wouldn't work at site2.

Toshi

Ivan-PoonAuthor

New Member

Understand, client had updated the latest setup environment. Suspecting the switch connecting to firewall probably blocking the traffic. Will update once retry again

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded