PA 200 Connected to 4G Router


L1 Bithead

Hi Folks,

We currently have a primary direct internet from the ISP to the Palo Alto PA-200 configured with LSVPN.

As we plan to have a secondary Internet, we want to connect the Palo Alto PA-200 with 4G Router using LSVPN as well. 

The problem is that the public IP address is assigned to the 4G router, and we'll connect it via LAN with the PA-200, as the diagram below illustrates.


How can I configure the PA-200 to implement the LSVPN as a client?




Cyber Elite


Does the 4G router have the ability to just pass all traffic without performing any other tasks or to be a transparent device so the PAN could have the public IP? Meaning the PA-200 should be able to make the request to the core of the LSVPN and make the connection. Is this not working as designed?


Please advise,

Hi @Adam42 

Why is it a problem if the public IP is on the 4G router? Btw, are you sure your 4G modem has a public IP? The way I have used these modems so far, they always got a private IP on the external interface, and on the provider side there is carrier-grade NAT for connections towards the internet.

Anyway, for GP LSVPN you don't need a public IP on your spoke firewall. Only the hub will need a public IP to receive the connections.

Hi  @OtakarKlier 

Which configuration should I do to make the router work transparently in order to carry the public IP address to the firewall? If I configure the DMZ IP on the router by assigning the IP address of the interface of the PA200 firewall, will that make it transparent?

Which configuration should I put on the firewall (spoke)?

Thank you 


Back in the day when I was doing this, there was a setting in the 4G router that allowed it to be transparent, and it would pass the public IP to the attached device/firewall. While I don't know what or if there is that in the device you are using, you might want to reach out to the vendor and check. However, like @vsys_remo pointed out, it might not be required.



Hi @OtakarKlier  

Thank you for your answer. Well, I'm using a Huawei AR160 series.


The hub administrators are requesting the public IP and its gateway, but the 4G provider has just offered one public IP /32 with NAT.


Thank you 

L0 Member

Hi there,


You just need to NAT inbound ports from the 4G router to the Palo IP. Or simpler, if you just set a DMZ host on the 4G router to send all traffic to the PA.

The ISP however will need to map a public address and inbound ports, as the carriers usually only allocate you a private address. I've just bought an international SIM card that does this. They basically assign me a static public address their end, and it NATs through their cell provider VPN to the private IP on my router. I need to arrange with them what ports they pass inbound (which is good as it filters out port scans etc. but bad as if I want to add a new service I have to ask them).

Ports for LSVPN are tcp/443 and udp/4501

That router then NATs all inbound to the IP on the Palo Alto. The Palo Alto is configured with a private address but it doesn't matter as long as your public IP is used for LSVPN inbound.


If this is a remote office then you don't need any of the inbound NATs set up as it's a one-way connection.
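The decision the replies above walk through, as an added example that is not part of the original thread: given the address on the 4G router's WAN interface and the address the internet sees, work out which inbound forwards (if any) the LSVPN role needs. The function names, the role labels and all addresses are constructed for illustration; the ports are the ones named in the thread.

```python
import ipaddress

# Address ranges that can never receive unsolicited inbound traffic from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 carrier-grade NAT space
LSVPN_PORTS = [("tcp", 443), ("udp", 4501)]     # as stated in the thread


def classify_wan(wan_ip, observed_ip):
    """Classify the 4G router's WAN address.

    wan_ip      -- address shown on the router's cellular interface
    observed_ip -- source address seen by an external host (assumed to be
                   obtained separately, e.g. from the hub's logs)
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "private-behind-carrier-nat"
    if wan != seen:
        return "public-but-translated"
    return "public"


def plan(role, wan_ip, observed_ip, firewall_ip):
    """Return the inbound NAT work needed for an LSVPN 'spoke' or 'hub'."""
    kind = classify_wan(wan_ip, observed_ip)
    if role == "spoke":
        # The spoke only dials out to the hub, so no inbound mapping is needed.
        return {"wan": kind, "router_forwards": [], "carrier_action": None}
    forwards = [f"{proto}/{port} -> {firewall_ip}" for proto, port in LSVPN_PORTS]
    carrier = None
    if kind != "public":
        carrier = "carrier must map a public address and pass the LSVPN ports inbound"
    return {"wan": kind, "router_forwards": forwards, "carrier_action": carrier}


if __name__ == "__main__":
    # Constructed sample: router WAN in CGNAT space, firewall on the router's LAN.
    print(plan("spoke", "100.72.10.5", "203.0.113.10", "192.168.8.2"))
    print(plan("hub", "100.72.10.5", "203.0.113.10", "192.168.8.2"))
```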
