Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

VPN/NAT Scenario Question

I'm working with a remote client - they are replacing a Cisco ASA managed by their ISP with a new Fortigate200E cluster.

The current ASA is on an internet circuit that will also be retired.  We have no access to the Cisco ASA outside of making requests to the third part.


The Fortigate cluster is connected to a new circuit and I have full access to it.


The client has 3 different VPN tunnels to a 3rd party that serve different purposes.  They are direct public-to-public VPNs and no private networks specified.  The 3rd party uses 3 different NATs on the Cisco to access an AS/400 server.  These NATs are accessed through the VPN tunnels and are the same Public IP to same private, with 3 different ports being accessed.


I met with the 3rd party and they can only cutover one of the NATs to the new Fortigate cluster at a time.


The Cisco/ASA is their current default gateway at  They also have a DMZ interface to a 192.168.* network and their internet connection.


What is the best way we can have this coexist for the week that they need to coexist (the change windows for the 3 VPNs are on different days/times over the next week)?


Our current thought is, the fact they are NATs, is actually an advantage -> they all NAT to the same internal IP of, just different TCP ports.  This means they should be able to coexist.  Move each VPN one by one to the Fortinet and each NAT one by one.   Our only concern is the default gateway.


Current plan is to have the third party change the interface IP on the Cisco to .1, and have the Fortigate become the .44 IP/Default Gateway.  This way - all current servers, etc, should still maintain their access and the NATs on the Cisco will continue to work till they are fully cutover to the Fortigate.


Does this make sense?  Is there something I've overlooked?



Esteemed Contributor III

Sounds good from what you stated, just that the client routing has to know the  VPN dst.addr is  to be reached by the FGT cluster




PCNSE NSE StrongSwan
Top Kudoed Authors