Hi @LCMember20111 , The answer really depends on your setup. You need to understand why NONAT was required for Cisco ASA to understand why it may not be required for PAN FW.

As you may know ASA was implementing the "policy based" VPN. This means that traffic for the tunnel is still routed to your outside/untrusted zone, but before leaving, ASA is checking "the policy" (the crypto map) to see if this traffic needs to be encrypted with IPsec or not. But you still have your hide NAT that will translate any source leaving through the outside/untrusted zone/interface. I hope you see the problem - VPN and Internet traffic are associated with the same interface, so you need to have the no-NAT exception to tell the firewall that this traffic doesn't need hide NAT.

Palo Alto FWs on the other hand apply "route based" VPN, so you need to create a logical interface associated with that IPsec tunnel. You can abstract from the IPsec for a moment and treat this interface as any other physical interface. You associate this tunnel interface with a zone and you can have static routes and rules to and from that zone. If you put the tunnel interface in a zone separate from the outside/untrusted, you will not need a NO-NAT rule - why? Because the default hide NAT rule will not match this traffic. PAN FW security and NAT rules match on source and destination zone (based on route lookup). So when you try to go to the internet, the destination zone will match your default route and will match your default hide NAT. But if you try to reach something over the IPsec, your destination zone will be different, because the static route is pointing to the tunnel and that tunnel is in a different zone. You don't have to explicitly tell the firewall that these are different - they already are, because they are related to different zones. If you put the VPN tunnel interface in the same zone as your untrusted/outside (which you may see recommended in some very old PAN documents), then you may need the no-NAT.

But it still really depends: if you configure your default hide NAT with destination zone and destination interface, your VPN traffic will still not match the hide NAT, because the FW will see that the destination interface is the logical tunnel and not your public interface. Because NAT policies become much easier to manage, and because of the "Zero-Trust approach", you may consider creating a separate zone for each IPsec tunnel, physical or sub-interface. Some time ago I tended to put all IPsec tunnels into a single "IPsec-VPN" zone, which could be fine if you have tons of IPsec tunnels on a small box (limited number of zones), but not that often anymore (it is hard to come up with zone names though).
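To make the zone-based matching described in this reply concrete, here is a small constructed Python model (added example, not PAN-OS code and not the poster's configuration) of the two lookups involved: the route lookup picks the egress interface, the egress interface's zone becomes the destination zone, and NAT rules match on zone pair plus optional to-interface and destination prefix. Interface, zone, rule names and addresses are all assumed sample values.

```python
import ipaddress

# Constructed, simplified model of the lookups described above; not PAN-OS code.
# Destination zone = zone of the egress interface chosen by the route lookup;
# a NAT rule matches on (from zone, to zone) plus optional to-interface and
# destination prefix. Rules are ordered, first match wins.
class Firewall:
    def __init__(self, iface_zone, routes, nat_rules):
        self.iface_zone = iface_zone                     # interface -> zone
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.nat_rules = nat_rules

    def egress_interface(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(n, i) for n, i in self.routes if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1]   # longest prefix wins

    def match_nat(self, src_zone, dst):
        egress = self.egress_interface(dst)
        dst_zone = self.iface_zone[egress]
        for rule in self.nat_rules:
            if (rule["from"], rule["to"]) != (src_zone, dst_zone):
                continue
            if rule.get("to_interface", egress) != egress:     # destination interface pin
                continue
            if "destination" in rule and \
               ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["destination"]):
                continue
            return rule["name"]
        return "no NAT rule matched"

# Sample routing: default route out the public interface, VPN remote net via tunnel.1
ROUTES = [("0.0.0.0/0", "ethernet1/1"), ("10.20.0.0/16", "tunnel.1")]
HIDE_NAT = {"name": "Internet-Hide-NAT", "from": "trust", "to": "untrust"}

def tunnel_in_own_zone():                    # tunnel.1 in its own zone: no NO-NAT needed
    fw = Firewall({"ethernet1/1": "untrust", "tunnel.1": "IPsec-VPN"}, ROUTES, [HIDE_NAT])
    return fw.match_nat("trust", "10.20.5.7"), fw.match_nat("trust", "198.51.100.10")

def tunnel_in_untrust_no_nonat():            # tunnel.1 in untrust: VPN traffic gets hidden
    fw = Firewall({"ethernet1/1": "untrust", "tunnel.1": "untrust"}, ROUTES, [HIDE_NAT])
    return fw.match_nat("trust", "10.20.5.7")

def tunnel_in_untrust_with_nonat():          # ASA-style exception placed above hide NAT
    nonat = {"name": "VPN-NO-NAT", "from": "trust", "to": "untrust", "destination": "10.20.0.0/16"}
    fw = Firewall({"ethernet1/1": "untrust", "tunnel.1": "untrust"}, ROUTES, [nonat, HIDE_NAT])
    return fw.match_nat("trust", "10.20.5.7")

def tunnel_in_untrust_with_to_interface():   # hide NAT pinned to the public interface
    pinned = dict(HIDE_NAT, to_interface="ethernet1/1")
    fw = Firewall({"ethernet1/1": "untrust", "tunnel.1": "untrust"}, ROUTES, [pinned])
    return fw.match_nat("trust", "10.20.5.7")
```

Running the four scenarios shows that only the "same zone, plain hide NAT" case translates the VPN traffic; a separate zone, an explicit NO-NAT rule, or a to-interface pin on the hide NAT each keep it untranslated.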