Trouble with NAT and VPN

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Trouble with NAT and VPN

L0 Member

Hi there,

i want to finish an easy setup which needs a simple DNAT and forwarding into a VPN tunnel on my PA5020.

I've created a working VPN tunnel which is the destination for my traffic. And this works fine if i'm using the tunnel ip to reach targets inside the vpn destination network ( To use this setup it is necessary to hide the destination network ( behind free public NAT ( adresses which we're using inside intranet. So i have a public space /24 to mask the private adresse space /24.

There are three zones configured: untrust ("internet" via ae2.400), VPN and trust ("intranet" via ae1.305). To prevent double use of private adresses i've created a second VR for the customer destination network and added the tunnel interface from zone VPN. And finally i have created a NAT policy which should map 1:1 the outgoing packets directioned to the public adresses ( and change the destination to the private network (, so these packets should routed inside vpn. But it's not.

I've tried a lot of different configurations with routing and NAT but finally i have no clue whats going wrong. The security policies don't block any traffic and the NAT policy counter counts my connection tries. Everything looks fine. But no way to get a working connection from intranet to the vpn.

How to set the routes properly to get my packets NATted and routed into the correct VR and finally inside the VPN?

Configuration ahead. I've changed the config a lot of times, so i'm sure everything looks now completely senseless 😉

Thanks in advance.



show routing route

VIRTUAL ROUTER: default (id 1)
destination nexthop metric flags age interface next-AS 10 A S ae2.400 10 A S ae1.305 10 A S ae1.305 10 A S ae1.305 0 A C ae1.305 0 A H 0 A C ae2.400 0 A H 10 A S ae1.305
total routes shown: 12


destination nexthop metric flags age interface next-AS 0 A H 10 A S tunnel.99


show running nat-policy
"NAT-S2S-CUSTOMER; index: 2" {
nat-type ipv4;
from trust;
source any;
to trust;
service 0:any/any/any;
translate-to "dst:";
terminal no;



Cyber Elite
Cyber Elite

set the subnet on the tunnel interface

add a route for the default VR to the customer VR for (next hop VR)

and add your internal subnets on the customer VR as a next hop to default VR

then set the NAT rule from trust to vpn with original  , and static destination NAT

and set the security rule from trust to vpn destination (security uses pre-nat IPs)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!