Assuming this diagram matches what you are trying to do, you'll want to apply a source NAT policy for the tunnel traffic on the remote firewall, so that their traffic appears to come from a network other than 192.168.1.0/24.

If the servers on the local network don't need to know the individual client IP of the source traffic, a single address can be used for a many-to-1 source NAT policy. Otherwise, if the ability to discern individual source IPs is needed, several 1-to-1 source NATs will be needed (Palo Alto can do this as a pool). In this example I've used 192.168.2.1 (many-to-1) and 182.168.2.0/24 (1-to-1) for the Remote Site source NAT addressing.

On the Local Firewall, you'll want to use a 1-to-1 destination NAT policy where the pool of 192.168.5.0/24 addresses translate to 192.168.1.0/24.

You can find the details on how to configure these policies here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat.html
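The address translations described in the post above, traced for one connection and its reply, as an added example that is not part of the original post and is not PAN-OS configuration. The networks and the many-to-1 address come from the post; the host addresses, ports, starting NAT port and all function and class names are assumptions made for illustration.

```python
import ipaddress

# Networks and the many-to-1 address are from the post.
OVERLAP_NET = ipaddress.ip_network("192.168.1.0/24")  # in use at both sites
ALIAS_NET = ipaddress.ip_network("192.168.5.0/24")    # how remote clients address local servers
SNAT_ADDR = ipaddress.ip_address("192.168.2.1")       # many-to-1 source NAT address


def map_static(addr, from_net, to_net):
    """1-to-1 NAT: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1-to-1 NAT needs equal-size networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


class RemoteFirewall:
    """Hypothetical model of the many-to-1 source NAT with a session table."""

    def __init__(self, first_port=1024):  # starting port is an assumption
        self.sessions = {}
        self.next_port = first_port

    def outbound(self, src, sport):
        nat_port = self.next_port
        self.next_port += 1
        self.sessions[nat_port] = (ipaddress.ip_address(src), sport)
        return SNAT_ADDR, nat_port

    def inbound(self, nat_port):
        return self.sessions[nat_port]  # restore the real client and port


def round_trip(client, sport, alias_dst):
    """Return (what the server sees, what the client receives back)."""
    fw = RemoteFirewall()
    src, nat_port = fw.outbound(client, sport)             # remote FW: source NAT
    dst = map_static(alias_dst, ALIAS_NET, OVERLAP_NET)    # local FW: destination NAT
    server_view = (str(src), nat_port, str(dst))
    reply_src = map_static(dst, OVERLAP_NET, ALIAS_NET)    # local FW undoes the DNAT
    reply_dst, reply_port = fw.inbound(nat_port)           # remote FW undoes the SNAT
    return server_view, (str(reply_src), str(reply_dst), reply_port)


if __name__ == "__main__":
    # Constructed sample: remote client .10 reaches local server .20 via its alias.
    print(round_trip("192.168.1.10", 50000, "192.168.5.20"))
```

Neither endpoint ever sees a 192.168.1.0/24 address that belongs to the other site, which is what removes the overlap. For the 1-to-1 source variant, `map_static` replaces the session table on the remote firewall, using the pool given in the post.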