Palo Alto Networks Knowledgebase: How to Configure a Tunnel Where Encapsulated Traffic is Sent to Peer's External IP Address

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM


This document briefly describes how to build a tunnel in the following network scenario:

PA-LAN  <=> PAN-FW <=>  Internet   <=> <VPN-Peer>

[L3-trust zone]        [L3-untrust zone]

The tunnel encrypts the traffic between PA-LAN and the VPN-Peer's public IP address; in other words, the protected destination is the same address that terminates the tunnel. This creates a conflict, because VPN on the Palo Alto Networks firewall is route based and two things must happen at the same time for the same VPN-Peer IP address:

  1. The firewall's own IKE (UDP/500, and UDP/4500 when NAT traversal is in use) and ESP packets must be forwarded out the untrust interface to the Internet gateway
  2. The clients' traffic (the protected traffic) must be routed into the tunnel interface

A static route for the peer's address cannot do both: if it points at the tunnel interface, the IKE and ESP packets themselves are sent into the tunnel and the tunnel never comes up.


For this example, the PA-LAN is and the public IP address for the VPN-Peer is PA-LAN will access the service on

To resolve the issue, follow the steps below:

  1. Create a tunnel interface
  2. Create a normal IKE gateway, as for a site-to-site VPN
  3. Create a normal IPsec tunnel, as for a traditional site-to-site VPN
  4. At this step a static route would normally be configured to send the traffic for the peer's protected network to the tunnel interface. Here that is not possible, because the protected address is the peer's public IP and a route for it would also carry the IKE and ESP packets into the tunnel. Instead, configure a PBF (Policy Based Forwarding) rule that matches only the clients' traffic:
    • Source Zone: l3-trust
    • Source Address: PA-LAN (for example,
    • Destination Address: Peer's public IP (for example:
    • Action: forward
    • Egress I/F: tunnel interface (for example tunnel.5)
  5. Set an IP address on the tunnel interface. This address is not used for the traffic itself; it only has to exist so that the PBF rule can reference the interface, and any unused IP address in the company will do (for example If it is not set, the following error appears during commit:
    Error: pbf rule 'a1': No ip/ipv6 address defined on pbf interface tunnel.5. Error: Failed to parse pbf policy
  6. Commit the changes

After the commit completes, test connectivity from one of the hosts in PA-LAN to the peer's public IP address. The first packet that the PBF rule sends into tunnel.5 will bring the tunnel up if it is not already established; confirm this on the CLI with show vpn ike-sa and show vpn ipsec-sa. Keep the PBF rule scoped to PA-LAN as source and the peer's address as destination so that no other traffic is diverted into the tunnel.
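The procedure above expressed as PAN-OS CLI set commands, added here as a worked example. These are not commands from the original article, and every name and address in them (ethernet1/1, l3-untrust, 198.51.100.1, 10.1.0.0/24, 203.0.113.10, 10.255.255.1/32, peer-gw, peer-vpn, to-peer, the crypto profiles named default) is an assumption chosen for illustration. The exact set-command syntax, in particular the IKE protocol lines, was written from memory and should be checked against the PAN-OS version in use; a reliable way to obtain the exact form is to build the objects in the web UI once and export them with "set cli config-output-format set" followed by "show" in configure mode.

```text
# Added example, not from the original KB article. All names and addresses are assumptions:
#   ethernet1/1      untrust interface (zone l3-untrust), default route to 198.51.100.1
#   10.1.0.0/24      PA-LAN, behind the firewall in zone l3-trust
#   203.0.113.10     VPN-Peer's public IP: both the tunnel endpoint AND the protected destination
#   10.255.255.1/32  otherwise unused address, present only so that the PBF rule commits
configure

# The default route is what carries the firewall's own IKE/ESP packets to the Internet gateway.
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.1

# Step 1: tunnel interface (step 5 of the article: it needs an address), placed in a zone and in the virtual router.
set network interface tunnel units tunnel.5 ip 10.255.255.1/32
set zone l3-trust network layer3 tunnel.5
set network virtual-router default interface tunnel.5

# Step 2: IKE gateway, exactly as for any site-to-site VPN (pre-shared key shown; prefer certificates where possible).
set network ike gateway peer-gw local-address interface ethernet1/1
set network ike gateway peer-gw peer-address ip 203.0.113.10
set network ike gateway peer-gw authentication pre-shared-key key REPLACE-WITH-A-LONG-RANDOM-SECRET
set network ike gateway peer-gw protocol version ikev2
set network ike gateway peer-gw protocol ikev2 ike-crypto-profile default

# Step 3: IPsec tunnel bound to the tunnel interface.
set network tunnel ipsec peer-vpn auto-key ike-gateway peer-gw
set network tunnel ipsec peer-vpn auto-key ipsec-crypto-profile default
set network tunnel ipsec peer-vpn tunnel-interface tunnel.5

# Step 4, what NOT to do: a static route for the peer's public IP via tunnel.5 would also pull the
# firewall's own IKE/ESP packets for 203.0.113.10 into the tunnel, and the tunnel would never establish.
#   set network virtual-router default routing-table ip static-route to-peer destination 203.0.113.10/32 interface tunnel.5
#
# Step 4, instead: a PBF rule. PBF is applied to transit traffic arriving on an ingress zone, not to
# packets the firewall originates itself, so IKE/ESP still follow the default route while PA-LAN's
# traffic for the same address is forced into tunnel.5.
set rulebase pbf rules to-peer from zone l3-trust
set rulebase pbf rules to-peer source 10.1.0.0/24
set rulebase pbf rules to-peer source-user any
set rulebase pbf rules to-peer destination 203.0.113.10
set rulebase pbf rules to-peer application any
set rulebase pbf rules to-peer service any
set rulebase pbf rules to-peer action forward egress-interface tunnel.5

# Step 6: commit, then verify from operational mode after a host in PA-LAN has sent traffic to 203.0.113.10.
commit
exit
show vpn ike-sa gateway peer-gw
show vpn ipsec-sa tunnel peer-vpn
```

Two design points worth noting. The zone of tunnel.5 decides which security policy applies to the diverted traffic: with tunnel.5 in l3-trust the flow is intrazone, whereas a dedicated VPN zone (the more common choice) additionally requires a security rule from l3-trust to that zone. And the PBF match is deliberately narrow (one source network, one host destination); widening it to "any" destination would send unrelated traffic into the tunnel and, if the peer's address were ever matched by a broader source, could again capture the firewall's own traffic on setups where the untrust interface shares a zone with the rule's source.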

owner: rweglarz
