NAT over IPSEC VPN without an IP on the Tunnel interface


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

L0 Member

NAT over IPSEC VPN without an IP on the Tunnel interface

Does anyone know if it is possible to NAT over an IPSEC VPN without assigning an IP address on the tunnel interface itself?


I tried but it doesn't seem possible.







L2 Linker

What kind of NAT are you trying to do?

It is possible to do dynamic-ip-and-port source NAT for sure, I haven't triend other scenarios.

L7 Applicator

Hi Duane


you can try adding a loopback interface in the same zone as the vpn interface, then create a nat rule using dynamic ip+port and nat sourced from the loopback





depending on your remote peer you may need to account for this by using proxy-IDs



hope this helps

Tom Piens -
New to PAN-OS or getting ready to take the PCNSE? check out
L3 Networker

If you want to  configure a NAT rule you should be having an ip address on the interface either statically or assisgned via DHCP


Else that will  be a Not nat rule for the traffic


Are you trying to  use tunnel interface in NAT rule  ? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!