Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2
Fixed In:
13.0.0, 12.1.2
Opened: Apr 06, 2016 Severity: 3-Major
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic.
Translation fails as described, resulting in connection failures.
The following conditions are sufficient to trigger the issue: a) the FW NAT rule has a source translation object of type 'dynamic-pat' with mode = deterministic, AND b) the FW NAT rule matches on a source address-list only (with no inline source addresses on the match side).
If a FW NAT rule has a source translation object with dynamic-pat and deterministic mode, specify the source address(es) on the match side as inline address(es) instead of referencing a source address-list that contains those addresses.
The fix uses the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.