gaia45
New Contributor II

Double NAT behind VPN client

Hi,

 

We have a FortiGate which acts as router/firewall to protect/split our different networks. It is also used as the Internet gateway.

Our VPN clients are connected through the Cisco AnyConnect platform, getting RFC1918 IPs. These IPs are NATed (other RFC1918) on output from the VPN platform for mandatory reasons. The NATed addresses are known to the FortiGate, and VPN clients can reach servers hosted by the FortiGate this way.

However, VPN clients have to go to the Internet too. So their NATed address is reNATed with a public address to go to the Internet.

VPN client (10.0.0.1) => NATed to 192.168.1.1 by VPN platform => FortiGate => NATed to public address by FortiGate

It works for almost all cases except for video/audio on particular video-conferencing services...

VPN clients must have a 10.0.0.X address and MUST be NATed to go to the FortiGate networks. What other solution could be used? Is this "double NAT" correct? Maybe there are some parameters to set to keep audio/video (UDP?) working?

 

Regards,

3 REPLIES
gaia45
New Contributor II

Trying to be more explicit:

Client connects to VPN, gets 10.0.0.1 = mandatory

Client is NATed on the VPN platform to 192.168.1.1 to reach the FortiGate networks = mandatory

Client should go to the Internet = must be reNATed with a public address on the FortiGate

Client is NATed "twice".

Works for almost everything, except the video-conferencing audio/video flow (UDP?)

What could be wrong? What can be done?

gaia45
New Contributor II

Does no one have the same problem?

Does anyone have to "double NAT" to go to the Internet?

Dhruvin_patel

Greetings!

 

There wouldn't be any problem with double NAT.

 

Verify on FortiGate that the NAT rules for VPN clients going to the internet are properly configured to translate their addresses to public IPs.

 

Review firewall rules on the FortiGate to confirm that they allow necessary UDP traffic for the audio/video services used by the VPN clients (NATed source IP).

 

Regards!

Dhruvin Patel
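
Added example, not part of the thread: one way to carry out the two checks suggested in the reply above from the FortiGate CLI, using the post-VPN NAT address 192.168.1.1 from the question. The lines starting with `#` are annotations rather than commands, and the packet and trace counts are arbitrary choices.

```text
# 1. Confirm the client's UDP media packets reach the FortiGate at all.
#    Verbosity 4 prints the interface name per packet; 10 = stop after 10 packets.
#    Only the pre-NAT side matches this filter, because the egress copy
#    already carries the public source address.
diagnose sniffer packet any 'host 192.168.1.1 and udp' 4 10

# 2. List the UDP sessions (protocol 17) created for that source.
#    Each entry shows the matching policy id and the source translation applied,
#    which confirms whether the second NAT is happening for the media flow.
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.1
diagnose sys session filter proto 17
diagnose sys session list

# 3. Trace the policy and NAT decision for new UDP packets from that source.
#    The output names the policy that allowed or denied each packet.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.1.1
diagnose debug flow filter proto 17
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# 4. Stop tracing and clear the debug state when finished.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

Run step 3 while a client reproduces the failing audio/video call, so the trace captures the UDP packets in question.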