IPSec Tunnel: Same NAT IP address use across multiple tunnels
Created On 12/18/23 03:02 AM - Last Modified 10/28/25 21:42 PM
Symptom
If the same IP address (new or existing) is used as a NAT address across multiple IPSec tunnels that terminate in different security zones, only one tunnel will pass traffic using that IP address; the remaining tunnels fail to connect to it.
Environment
All PAN-OS
Cause
The firewall drops the traffic during policy lookup. The route for the NAT IP address points to one tunnel interface, so the route lookup resolves to that tunnel's zone, but the traffic is arriving on a different tunnel that sits in a different zone. Because the zone returned by the route lookup does not match the zone the NAT policy was written for, the NAT rule does not match and the traffic is dropped.
Resolution
There are multiple ways to fix the issue.
Solution 1:
Use a different NAT IP address for each tunnel.
Solution 2:
Place all IPSec tunnel interfaces on the firewall in the same zone, so the ingress zone of every tunnel matches the zone the route lookup returns.
Solution 3:
Create the NAT policy based on the route configuration, that is, with the zones that the route lookup for the NAT IP address actually produces. This is the least preferred method because of the added complexity.
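The following PAN-OS CLI session is an added illustration of Solution 2 and of how to verify it; it is not part of the original article. The zone names (VPN, VPN-B), the tunnel interface numbers, the virtual router name (default) and the RFC 5737 documentation addresses are assumptions and should be replaced with your own values.

```text
# Added example, not from the original article. Zone names, interface
# numbers, the virtual router name and all IP addresses are assumptions.

# Solution 2: move every tunnel interface into one zone. An interface can
# belong to only one zone, so remove tunnel.2 from its old zone (assumed
# here to be VPN-B) before adding it to the shared zone.
configure
delete zone VPN-B network layer3 tunnel.2
set zone VPN network layer3 [ tunnel.1 tunnel.2 ]
commit
exit

# Check 1: which interface, and therefore which zone, does the route lookup
# for the shared NAT IP (assumed 203.0.113.10) resolve to?
test routing fib-lookup virtual-router default ip 203.0.113.10

# Check 2: does the NAT rule now match for a flow entering from the second
# tunnel? With both tunnels in zone VPN, the "from" and "to" zones agree
# with what the route lookup returns. Before the change, the same test with
# "from VPN-B" would report no matching NAT rule.
test nat-policy-match from VPN to VPN source 192.0.2.25 destination 203.0.113.10 protocol 6 destination-port 443
```

Run the two test commands for each tunnel's source zone after the commit; if the FIB lookup still resolves to a different zone than the NAT rule's "to" zone, the route for the NAT IP address has not been accounted for and you are back in the situation described under Cause.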