Thanks @aleksandar.astardzhiev, I had already asked the company at the other end to do the source NAT but they are saying they don't want to do it. The more I look at it, the more I agree with you that it should be a very simple NAT policy for them to source NAT as the packet egresses on the tunnel interface. I am surprised that the Palo looks to its standard routing after NAT for this, as it does mean it can't work without the route at my end, but I guess source NAT on arrival of a packet is unusual as it is usually done on egress. It would have worked if PAN-OS used the session table to route, or if they routed first then NATted, but I guess they have their reasons. Thanks for your help.