https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/615182#M4905 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/832439149">@shaq4242</a> ,</P> <P>&nbsp;</P> <P>That is correct.&nbsp; You could even skip the source subnets if you want.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 26 Oct 2024 14:43:54 GMT TomYoung 2024-10-26T14:43:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/615119#M4904 <P>Hi All,</P><P>&nbsp;</P><P>I need to create a S2S Tunnel to a customer. We need to reach 1 Server on their side (e.g. 192.168.100.1). The connection is needed from multiple Hosts from 2 different Subents on our Side (10.0.112.0/21 and 172.18.2.0/24). The customer does not want to allow both subnets instead they want to allow only 1 IP.</P><P>Now my question is: Is it possible to create a NAT Rule to do source NAT (Source Zone LAN, Source Adresses 10.0.150.0/24 and 172.18.2.0/24 --&gt; Destination Zone VPN, Destination Address 192.168.100.1 --&gt; Source Translation Dynamic IP and Port with IP e.g. 172.16.1.1. With that setup the customer only needs to allow the IP 172.16.1.1 inside the tunnel.</P><P>In my understanding this should work since it's the same sceanario as when multiple Hosts are going to the Internet with the same public IP, corect?</P><P>Thank you all!</P> Sat, 26 Oct 2024 11:24:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/615119#M4904 shaq4242 2024-10-26T11:24:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/615182#M4905 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/832439149">@shaq4242</a> ,</P> <P>&nbsp;</P> <P>That is correct.&nbsp; You could even skip the source subnets if you want.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 26 Oct 2024 14:43:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/615182#M4905 TomYoung 2024-10-26T14:43:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/1249013#M6736 <P>Did this setup worked?</P> Thu, 26 Feb 2026 01:41:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/1249013#M6736 Glenyvie 2026-02-26T01:41:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/1249321#M6747 <P>Yes — you absolutely can SNAT multiple internal subnets to a single IP inside the tunnel so the customer only allows one source IP.</P><P>It works exactly like Internet PAT logic, but inside the IPsec tunnel.</P><P>Additionally, you may create two separate NAT rules and perform static one-to-one NAT instead of dynamic IP and port if preferred.</P><P>Notes:</P><P>• The translated IP address must be included in the Phase 2 proxy IDs (local encryption domain).<BR />• The peer must allow and route the translated IP inside the tunnel.<BR />• The translated IP does not need to be an interface IP, but using a loopback or dedicated NAT IP range is considered best practice for design clarity</P> Tue, 03 Mar 2026 09:19:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-regarding-source-nat-in-s2s-vpn/m-p/1249321#M6747 abayoumi21 2026-03-03T09:19:43Z