Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mehdi_ouazaa
New Contributor II

Double NAT?

Hi all,

 

I have the following design in which users with mobile devices have to access the 192.168.11.173 server going through the 172.16.17.1 fgt interface. I used to use VIP for such kind of publishing behind one fortigate but in this situation with two fortigates, I am a little bit confused, do I have to do double nat? how?

 

Can any one help please?

 

3 REPLIES 3
ede_pfau
SuperUser
SuperUser

hi,

 

principally, you can use routing or NAT to let traffic in through a firewall.

The main advantage of NAT is that the destination address is concealed; your external user will never know it's real (private) address. Besides, you would not be able to access a private address from the internet.

So, for the gateway firewall, DNAT using a VIP is mandatory. For the second FGT you can use routing or NAT.

A second VIP is a bit more effort than setting up a static route, so I'd go with routing.

 

On FGT1 (WAN facing), create a VIP for the final private address of your server (192.168.x.y). Additionally, you have to create a static route on this FGT to point to FGT2 (internal), with gateway address being the WAN interface of FGT2. Otherwise, FGT1 wouldn't know where to send the traffic.

As now the incoming traffic on FGT2 has a source address from the WAN (it's unchanged by DNAT), FGT2's default route is used to route the reply traffic. This is most probably already in place.

On egress, FGT1 will additionally exchange the private source address of the server's reply to the public address stated in the VIP. This is done automatically in newer releases of FortiOS.

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
sw2090
SuperUser
SuperUser

Basically this is a routing question.

 

- Mobile device don't have an interface for 192.168.11.0/24 so will forward via default route which I suppose goes to router. 

- Router don't have an interface for 192.168.11.0/24 so will forward via defáult route unless it has a static route to 192.168.11.0/24

 

So you probably don't have to change anything on your router but the external Firewall should have a route to 192.168.11.0/24 pointing to your internal one. Internal Firewall would either have to do snat or have a route back to the external firewall. So packes can go back and forth.

 

Diag debug flow on FGT cli might show you where you packets go and if there is an answer.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
mehdi_ouazaa
New Contributor II

Thank you guys,

 

It is working well. Your advises helped a lot 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors