Fortinet Forum
baqir303
New Contributor

Fortigate behind the NAT and IPsec Remote Access VPN

Hi friends,

I have a scenario where one FortiGate firewall is behind NAT, meaning its WAN interface has a private IP which is then NATed by some higher-level network device to one public IP. From the internet, using the public IP, I can access the firewall web interface, but when I configure an IPsec remote access VPN and try to connect with FortiClient VPN using the firewall's public IP, FortiClient is not able to connect to the firewall. I have tried from Windows and Android but have the same problem. If someone has any idea for solving this issue then kindly guide me.

Thanks

2 Solutions
enya90
New Contributor

greetings

Did you check UDP port 4500?

 


sw2090
Honored Contributor

You have to forward 500/UDP (IPsec) and 4500/UDP (NAT-Traversal) from top down.

That means the router with the public IP has to forward that to the private IP of your FGT (or the next hop between the FGT and itself), so a connection to 500/UDP or 4500/UDP on the public IP can reach your FGT.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

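What sw2090's "forward from top down" looks like in practice, as an added example that is not part of this thread: if the upstream NAT device were itself a FortiGate, two port-forwarding VIPs plus a firewall policy would pass UDP 500 (IKE) and UDP 4500 (NAT-T, which also carries the ESP payload once NAT is detected) to the inner unit. The public IP 203.0.113.10, the inner FortiGate's WAN address 192.168.1.2 and the interface names wan1/internal are assumed placeholders; on a non-Fortinet NAT device the equivalent is any DNAT rule for those two UDP ports.

```fortios
# Added example, not from this thread. Assumes the upstream NAT device is
# itself a FortiGate with WAN interface "wan1" and public IP 203.0.113.10,
# and that the inner FortiGate's WAN address is 192.168.1.2 (placeholders).
config firewall vip
    edit "vip-ike-500"
        set extip 203.0.113.10
        set mappedip "192.168.1.2"
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedport 500
    next
    edit "vip-natt-4500"
        set extip 203.0.113.10
        set mappedip "192.168.1.2"
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedport 4500
    next
end
config firewall policy
    edit 0
        set name "allow-ike-to-inner-fgt"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-ike-500" "vip-natt-4500"
        set action accept
        set schedule "always"
        set service "IKE"
    next
end
# On the inner FortiGate, confirm the forwarded IKE traffic actually arrives
# while a FortiClient connection attempt is running:
# diagnose sniffer packet any 'udp port 500 or udp port 4500' 4
```

If the sniffer on the inner FortiGate shows nothing on either port during a connection attempt, the forward on the NAT device is the thing to fix, not the VPN configuration.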

3 REPLIES

baqir303

Thanks for your response. Kindly explain about the UDP 4500 port: where should it be allowed in my scenario? When I connect my laptop to the external switch and try to connect with the private IP, it connects successfully, but when I try to connect with the public IP through the internet it fails. So should I check this port on the device which is performing NATing?