Site to Site VPN cannot use any private network range



L1 Bithead

I have to set up a Site-to-Site VPN so our users can access some resources on a client's network. As we have a lab firewall here, another Palo Alto, I set up a test between our production and lab. This worked and I was able to connect. For the actual connection to the client, their side is a Cisco ASA. I provided our Peer IP (Public IP) and the internal subnet on my end from which to expect the tunnel traffic. They informed me that this range is already in use for another client. From there I researched what could be done to make this work. I came across this link, and that all made sense. I went back to the client to inform them of the new subnet, and they again said it's in use. I asked if any 172.16. networks could be used and they said no, and that I should use a public IP for PAT instead of an alternative private range. My question is, can I re-use the Public IP address that is being used in the existing NAT/PAT rule for internet access to PAT the connections through the client tunnel? Will this affect the non-tunnel traffic? I am trying to simulate this in the lab set-up but wanted to see if anyone has configured a Site-to-Site VPN in this manner.

Thanks in advance for any advice.


Cyber Elite


You can't re-use a public IP address in the firewall's routing table.

Thanks for your reply.

I should have known that.

We have another IP from the block we bought that is not in use.

If I use that, will the regular web traffic be affected? The tunnel is in its own zone.


I'm slightly confused by your question. If the IP you utilize is not in use elsewhere, it won't affect traffic to a different IP that is serving your web traffic. You'll just need to verify that you actually have your route table set up correctly.


Hey @BPry,

Apologies, but I am confused by your reply for the routing table...


@cheez, if I understand your question correctly you want to:

- create site-to-site IPsec tunnel

- inside this tunnel, hide NAT your private source behind a public IP (which is also used for the IKE peer)

- use the public (peer) IP as the local encryption domain (proxy-ID)


I haven't personally done it, but I have seen it multiple times on other tunnels. And there shouldn't be any problem achieving this:

a) on the Palo, the decision whether traffic should be encrypted with a given tunnel is based on routing (aka route-based VPN), so it doesn't matter what source you are using (as long as you have a rule, of course)

b) when you are creating your hide NAT rule you need to specify the source zone (your LAN) and the destination zone (your VPN zone, where the tunnel interface is), and also match based on the original destination - this will ensure that only traffic to the VPN is NAT-ed
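For readers following the two points above, here is the corresponding PAN-OS CLI configuration as an added example (not from the original thread or from any poster). Interface, zone and rule names (tunnel.1, zones trust/untrust/vpn, rule names) and all addresses are assumptions: 203.0.113.10 stands in for the public IP already used by the internet PAT and IKE peer, 203.0.113.11 for the second, unused public IP from the same block, 192.168.1.0/24 for the local LAN and 10.200.0.0/24 for the client's subnet behind the ASA.

```text
# --- Tunnel interface in its own zone (assumed names: tunnel.1, zone "vpn") ---
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1

# --- Route-based VPN: the route, not the NAT rule, decides what enters the tunnel ---
# (client subnet 10.200.0.0/24 is a constructed example value)
set network virtual-router default routing-table ip static-route to-client destination 10.200.0.0/24 interface tunnel.1

# --- Existing internet PAT stays untouched; it only matches traffic to the untrust zone ---
set rulebase nat rules internet-pat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port translated-address 203.0.113.10

# --- Hide NAT for tunnel traffic only: LAN zone -> VPN zone, matched on the ORIGINAL destination ---
# Matching on destination 10.200.0.0/24 (not "any") is the safety net that keeps
# this rule from ever translating non-tunnel traffic, even if zones are later changed.
set rulebase nat rules vpn-hide-nat from trust to vpn source 192.168.1.0/24 destination 10.200.0.0/24 service any source-translation dynamic-ip-and-port translated-address 203.0.113.11

# --- Proxy-ID so the ASA side sees only the public /32 as our encryption domain ---
# (IPsec tunnel name "client-vpn" is assumed)
set network tunnel ipsec client-vpn auto-key proxy-id client-net local 203.0.113.11/32 remote 10.200.0.0/24 protocol any

# --- Security policy allowing the LAN into the tunnel zone ---
set rulebase security rules allow-to-client from trust to vpn source 192.168.1.0/24 destination 10.200.0.0/24 application any service application-default action allow
```

Two checks worth doing after commit: `show routing route` should list 10.200.0.0/24 via tunnel.1, and `test nat-policy-match from trust to vpn source 192.168.1.10 destination 10.200.0.5 protocol 6 destination-port 443` should return vpn-hide-nat while the same test with a destination on the internet and `to untrust` returns internet-pat. Because the two NAT rules differ in destination zone and original destination, ordinary web traffic behind 203.0.113.10 is never affected by the tunnel rule.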





