As described, we have some VPN tunnels which allow any traffic (Proxy IDs 0.0.0.0/0). With this, we have a GRE-like encrypted tunnel. With VPN, there is always a lot of NAT configuration which could be wrong. Since the administrators on most of our remote sites aren't big companies, they usually don't have big knowledge of special NAT configurations. So they are sometimes wrong, and on a Zyxel (or similar) firewall it is not easy to debug. Sometimes they even struggle with the routing part.

An easy way to find configuration issues on the remote firewall (if you don't have access to it) is looking at the traffic which is coming from this VPN:

Routing issues -> no traffic at all
NAT issues -> traffic with wrong source/destination IP

If you can do a filter on outgoing interfaces, it's also an easy way to check if my NAT is correct.

As described, I am looking for traffic which is not as expected, so I am not able to filter it based on IP information. And for a setup like "each VPN has its own zone" (so I can filter based on zone), the Palo Alto doesn't support as many zones as we have tunnels.
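The per-tunnel check the post describes (no traffic seen means a routing problem on the remote side, traffic with a source outside the expected remote subnet means a NAT problem), as an added Python example that is not part of the original post. The tunnel interface names, subnets and flow records are constructed assumptions, not real PAN-OS log output.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: which remote subnet should appear behind each tunnel
# interface. In a real deployment this comes from your site documentation.
EXPECTED_REMOTE = {
    "tunnel.11": [ip_network("10.11.0.0/16")],
    "tunnel.12": [ip_network("10.12.0.0/16")],
    "tunnel.13": [ip_network("10.13.0.0/16")],
}

# Constructed assumption: the hub's own networks that remote sites may reach.
LOCAL_NETS = [ip_network("10.1.0.0/16")]

# Constructed sample flows as (ingress interface, source IP, destination IP).
SAMPLE_FLOWS = [
    ("tunnel.11", "10.11.5.20", "10.1.0.10"),
    ("tunnel.11", "10.11.5.21", "10.1.0.10"),
    ("tunnel.12", "192.168.1.50", "10.1.0.10"),  # untranslated LAN address: NAT missed
    ("tunnel.12", "10.12.3.4", "10.1.0.10"),
    # tunnel.13 sends nothing at all: remote routing most likely wrong
]


def classify_tunnels(expected, local_nets, flows):
    """Return {tunnel: (verdict, offending_ips)} where verdict is one of
    'ok', 'routing?' (no traffic observed) or 'nat?' (unexpected addresses)."""
    seen = {name: [] for name in expected}
    for iface, src, dst in flows:
        if iface in seen:  # ignore traffic from interfaces we are not checking
            seen[iface].append((ip_address(src), ip_address(dst)))

    verdicts = {}
    for name, remote_nets in expected.items():
        if not seen[name]:
            verdicts[name] = ("routing?", [])
            continue
        bad = []
        for src, dst in seen[name]:
            # Source must be inside the remote site's subnet, destination inside ours.
            if not any(src in n for n in remote_nets) or not any(dst in n for n in local_nets):
                bad.append(str(src))
        verdicts[name] = ("nat?", bad) if bad else ("ok", [])
    return verdicts


if __name__ == "__main__":
    for tunnel, (verdict, ips) in classify_tunnels(EXPECTED_REMOTE, LOCAL_NETS, SAMPLE_FLOWS).items():
        print(f"{tunnel}: {verdict} {ips}")
```

The same function can be fed flows parsed from the firewall's traffic log or a packet capture on the tunnel interfaces, which avoids needing one zone per tunnel.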