Last Modified: Sep 13, 2023
Known Affected Versions:
Opened: Apr 06, 2016 Severity: 3-Major
Firewall NAT translation failures are observed when the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the source translation object in that rule is configured as 'dynamic-pat' with mode = deterministic.
The translation failure described above occurs, resulting in connection failures.
The following conditions together are sufficient to trigger the issue: a) the FW NAT rule has a source translation object of type 'dynamic-pat' with mode = deterministic, AND b) the FW NAT rule matches on a source address list only (with no inline source addresses on the match side).
If a FW NAT rule has a source translation object of type dynamic-pat with deterministic mode, specify the source address(es) on the match side as inline address(es) instead of referencing a source address list that contains those addresses.
The fix uses the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform the translation.