Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Double NAT?

Hi all,


I have the following design in which users with mobile devices have to access the server going through the fgt interface. I used to use VIP for such kind of publishing behind one fortigate but in this situation with two fortigates, I am a little bit confused, do I have to do double nat? how?


Can any one help please?





principally, you can use routing or NAT to let traffic in through a firewall.

The main advantage of NAT is that the destination address is concealed; your external user will never know it's real (private) address. Besides, you would not be able to access a private address from the internet.

So, for the gateway firewall, DNAT using a VIP is mandatory. For the second FGT you can use routing or NAT.

A second VIP is a bit more effort than setting up a static route, so I'd go with routing.


On FGT1 (WAN facing), create a VIP for the final private address of your server (192.168.x.y). Additionally, you have to create a static route on this FGT to point to FGT2 (internal), with gateway address being the WAN interface of FGT2. Otherwise, FGT1 wouldn't know where to send the traffic.

As now the incoming traffic on FGT2 has a source address from the WAN (it's unchanged by DNAT), FGT2's default route is used to route the reply traffic. This is most probably already in place.

On egress, FGT1 will additionally exchange the private source address of the server's reply to the public address stated in the VIP. This is done automatically in newer releases of FortiOS.



"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"

Basically this is a routing question.


- Mobile device don't have an interface for so will forward via default route which I suppose goes to router. 

- Router don't have an interface for so will forward via defáult route unless it has a static route to


So you probably don't have to change anything on your router but the external Firewall should have a route to pointing to your internal one. Internal Firewall would either have to do snat or have a route back to the external firewall. So packes can go back and forth.


Diag debug flow on FGT cli might show you where you packets go and if there is an answer.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
New Contributor II

Thank you guys,


It is working well. Your advises helped a lot 

Top Kudoed Authors