Hello,

This is not a terribly difficult task if you are familiar with how NATing generally works on the PAN firewall. There is one main thing that you will need to make sure of though - that the tunnel interface you specified for the tunnel is in a separate zone from the traffic that will be going across the tunnel. As long as you have this done, you will build the NAT rule like this:

Source Zone: <your source traffic zone(s)>
Destination Zone: <your VPN tunnel interface zone>
Source Address: any (or restricted to a specific IP if you like)
Source Translation: You have a couple of options here depending on exactly what traffic you are sending across.

1. If it's coming from multiple hosts, specify Dynamic IP and Port and then Translated Address. In the area where you specify an address, either select/create an address object for the address that you are NATing to, or you can just type an address in the field as well.
2. If it's coming from a single host, you can do the first option, or you can specify it as Static IP and then in the Translated Address area, specify/create an address object for the address that you are NATing to or, again, you can just type an address into the field.

This is all you should have to do. The rule will look very much like your source NAT policy that translates your user traffic out to the internet, except your destination zone will be the zone that your tunnel interface is in and you will not be specifying "Interface Address" as the Source Translated Address.

One thing to keep in mind: if your VPN tunnel is currently in the same zone as your trusted network, when you apply a different zone to it, you will need to make sure to add the appropriate firewall rules so that traffic can flow correctly.

Mike