https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162740#M52744 <P>Hello,</P><P>On my tunnels I have the following applications allowed so they are not blocked. I also whitelist the source/destination IP's for my site to site vpns for added protection:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 102px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9872i7C4307C419ACE8C1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 22 Jun 2017 14:14:30 GMT OtakarKlier 2017-06-22T14:14:30Z https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162696#M52730 <P>I have an issue where we have ike traffic comeing from the end point which is being allowed but the ipsec-esp is being caught by the deny all rule. The strange thing is that the the rule to allow ike and ipsec-esp is on the same rule.</P><P>&nbsp;</P><P>We do carry out NAT on the public IP for some ports , is this this the issues <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9870i254A21D2DF11F3E7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P><P>&nbsp;</P><P>Can any one please point me in the right direction</P><P>&nbsp;</P> Thu, 22 Jun 2017 12:41:19 GMT https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162696#M52730 RC-BHF 2017-06-22T12:41:19Z https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162704#M52731 <P>Please show us that rule. What about port/services - are You using defualt one?</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Slawek</P> Thu, 22 Jun 2017 13:18:37 GMT https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162704#M52731 _slv_ 2017-06-22T13:18:37Z https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162722#M52736 <P>Based on the external source IP (your remote office) temporary allow all traffic (any) and observe the behaviour. ESP has no port number so no it is not a NAT issue.&nbsp;</P> Thu, 22 Jun 2017 13:49:51 GMT https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162722#M52736 TranceforLife 2017-06-22T13:49:51Z https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162725#M52739 <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31654">@_slv_</a>&nbsp;already pointed out your rule is likely malformed so the traffic isn't getting caught. A picture of the rule would do wonders here over the logs.&nbsp;</P> Thu, 22 Jun 2017 13:55:38 GMT https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162725#M52739 BPry 2017-06-22T13:55:38Z https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162740#M52744 <P>Hello,</P><P>On my tunnels I have the following applications allowed so they are not blocked. I also whitelist the source/destination IP's for my site to site vpns for added protection:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 102px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9872i7C4307C419ACE8C1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 22 Jun 2017 14:14:30 GMT https://live.paloaltonetworks.com/t5/general-topics/site-2-site-vpn/m-p/162740#M52744 OtakarKlier 2017-06-22T14:14:30Z