Trouble with multiple IPsec VPN Tunnel


L1 Bithead

Hi all,

I'm new to Palo Alto devices and I'm facing a problem.

Site A has a subnet and Site B has a subnet. Both sites use PA820.

Site A has a IPsec tunnel to Site B. This tunnel is running good.

Now we have a new Site C, using a non-Palo Alto firewall. I can set up a tunnel between B and C; C can access B now.

The topology looks like below.

Site A =========site B ========= site C


For some reasons, I cannot set up a tunnel between A and C. But our business requires C to access A.

My question is, is there any solution that can use the PA820 at site B to allow access from C to A?



Hey @mercurr ,

The proper way would be to make the change on all devices. The reason for that is simple: IPsec needs to know which networks are "allowed" to pass through the VPN tunnel. It doesn't have anything to do with Palo Alto; it's just how the protocol works. So there is no way to send traffic in the tunnel if it is not defined. In addition, how do you expect siteA to know where to route the traffic for siteC if you don't make any change there?


The only workaround for this would be to use NAT, but this will only work if you don't really use the full /24 network at siteB. If on siteB you are using a /24 (which is already in the remote proxy ID for siteA), but in reality you have some free IP addresses, you can NAT those 30 addresses to 30 addresses at siteC. Let's say:

- you have at siteB; the IP range is actually free (no hosts are using any of these IPs)

- you have at siteC

- on siteB you can configure NAT: when the source is the siteA network to the range, translate the destination IP to

- if you don't NAT the source IP, you still need to add the siteA network to the VPN tunnel between siteB and siteC.


The above example uses an IP range, but you can use single-IP NAT rules.


The main problem with this workaround is that it doesn't scale well if you need lots of hosts to communicate between sites A and C. It can easily become quite a mess, so I would strongly recommend reconsidering making changes on siteA. I guess you want to avoid contacting the team/person responsible for configuring this device, but I would prefer to have such a conversation and keep my environment nice and tidy.

As you don't want to make changes at Site A, you can use NAT to access Site A from C.

You need to create both source and destination NAT rules at Site B, translating IPs in Subnets A and C to Subnet B.



Site A -
Site B - 
Site C -

As the traffic is initiated from C:

Site C (before NAT)                 Site B (after NAT)
Source:      (Subnet C)             Source:      (Subnet B)
Destination: (Subnet B)             Destination: (Subnet A)


It does not need any changes in the tunnel configuration. If you don't have enough free IPs at site B, use Dynamic IP and Port translation. 
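The two replies above describe the same hub-NAT workaround: site B rewrites both addresses so that every packet still matches the proxy IDs of the tunnel it enters. The following is an added example, not code from the thread or from Palo Alto Networks, that models exactly that check. All addresses are assumptions (the thread leaves the real subnets blank): site A is 10.1.0.0/24, site B is 10.2.0.0/24, site C is 10.3.0.0/24, and 10.2.0.224/27 is the hypothetical unused block inside site B used as the translation pool. The names `HubNat`, `Flow`, `tunnel_accepts` and `path_works` are this example's own. It shows why destination NAT alone is not enough (the A-B tunnel never sees a matching selector) and why the 1:1 mapping runs out of pool addresses, which is the scaling problem the first reply warns about.

```python
# Added example modelling the "NAT at site B" workaround from this thread.
# Not code from the thread or from Palo Alto Networks. All addresses are
# assumptions chosen for illustration; the thread does not give the real ones.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed addressing (hypothetical).
SITE_A: IPv4Network = ip_network("10.1.0.0/24")
SITE_B: IPv4Network = ip_network("10.2.0.0/24")
SITE_C: IPv4Network = ip_network("10.3.0.0/24")
# Assumed unused block inside site B used as the translation pool: no real
# host may live here. A /27 gives 30 usable addresses, as in the first reply.
B_FREE_POOL: IPv4Network = ip_network("10.2.0.224/27")

# Proxy IDs (traffic selectors) as the thread describes them: each tunnel
# only knows the two directly connected sites, and nothing is changed here.
PROXY_IDS = {
    "A-B": (SITE_A, SITE_B),
    "B-C": (SITE_B, SITE_C),
}


def tunnel_accepts(tunnel: str, src: IPv4Address, dst: IPv4Address) -> bool:
    """True if (src, dst) matches the tunnel's proxy ID in either direction."""
    local, remote = PROXY_IDS[tunnel]
    return (src in local and dst in remote) or (src in remote and dst in local)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address


class HubNat:
    """Static 1:1 NAT on site B for C -> A traffic.

    A site-A host is exposed to site C as a pool address (destination NAT);
    a site-C client is shown to site A as another pool address (source NAT).
    Both tunnels therefore only ever carry addresses inside their proxy IDs.
    """

    def __init__(self) -> None:
        self.src_map: dict[IPv4Address, IPv4Address] = {}  # C host -> pool addr
        self.dst_map: dict[IPv4Address, IPv4Address] = {}  # pool addr -> A host
        self._pool = list(B_FREE_POOL.hosts())

    def _take(self) -> IPv4Address:
        if not self._pool:
            raise RuntimeError("free pool exhausted: one pool address per host")
        return self._pool.pop(0)

    def expose_a_host(self, a_host: str) -> IPv4Address:
        """Reserve the pool address site C will use to reach a_host."""
        a = ip_address(a_host)
        assert a in SITE_A, f"{a} is not in site A"
        pool_addr = self._take()
        self.dst_map[pool_addr] = a
        return pool_addr

    def add_c_host(self, c_host: str) -> IPv4Address:
        """Reserve the pool address site A will see as c_host."""
        c = ip_address(c_host)
        assert c in SITE_C, f"{c} is not in site C"
        pool_addr = self._take()
        self.src_map[c] = pool_addr
        return pool_addr

    def forward(self, f: Flow, nat_source: bool = True) -> Flow:
        """Translate a C -> A flow arriving from the B-C tunnel."""
        src = self.src_map[f.src] if nat_source else f.src
        return Flow(src, self.dst_map[f.dst])

    def reverse(self, f: Flow) -> Flow:
        """Untranslate the A -> C reply (exact inverse of forward)."""
        inv_src = {v: k for k, v in self.src_map.items()}
        inv_dst = {v: k for k, v in self.dst_map.items()}
        return Flow(inv_dst[f.src], inv_src[f.dst])


def path_works(nat: HubNat, c_host: str, exposed_a: IPv4Address,
               nat_source: bool = True) -> bool:
    """End-to-end check: request from C through both tunnels, reply back."""
    request = Flow(ip_address(c_host), exposed_a)
    if not tunnel_accepts("B-C", request.src, request.dst):
        return False  # site C would never send it into the C-B tunnel
    try:
        translated = nat.forward(request, nat_source=nat_source)
    except LookupError:
        return False  # no NAT mapping for this host
    if not tunnel_accepts("A-B", translated.src, translated.dst):
        return False  # no matching selector: site B cannot encrypt it for A
    reply = Flow(translated.dst, translated.src)
    back = nat.reverse(reply)
    return back == Flow(request.dst, request.src) and tunnel_accepts(
        "B-C", back.src, back.dst)
```

Two PAN-OS details worth checking when turning this into real rules on the site B PA-820: the NAT rule's destination zone is derived from a route lookup on the pre-NAT destination (the pool address, which lives on site B's LAN), while the security policy that permits the flow must name the post-NAT destination zone (site A's tunnel zone) together with the pre-NAT addresses. The dynamic-IP-and-port variant mentioned in the second reply collapses the source side of this model to one shared pool address with port multiplexing, which removes the pool pressure for C-initiated traffic but does not change the destination-side one-address-per-exposed-host requirement.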
