Last Modified: Nov 07, 2022
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2
Opened: Apr 06, 2016
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses source address list to match the incoming source address and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic
Translation failure occurs as described resulting in the connection failures.
Following conditions suffice for the issue: a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic AND b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.