Policy Based Routing rules matching NATed source address do not work

Symptoms
  • Policy Based Routing rules matching a NATed source address do not work when the routing decision is based on the regular routing table.
  • Rulebase has a PBR rule matching on a translated source address:

    set pbr rule priority X match from TRANSLATED_IP/MASK

Cause
  1. Source translation always takes place on the server side and cannot be moved to the client side (unlike destination translation).
  2. The OS routing decision takes place before the outbound chain, so the PBR rules are matched against the original source address.
  3. After the routing decision has been made, the packet enters the outbound chain, where the source address is translated.

Solution
This is expected behavior.
The solution is to use a rule that matches the original source address:

CLISH> set pbr rule priority X match from ORIGINAL_IP/MASK
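The ordering described under Cause, and why the rule in Solution works, as an added Python model that is not Check Point code: PBR lookup runs first and sees the original source, source NAT runs afterwards in the outbound chain. The addresses, rule priorities and table names are constructed for the example.

```python
# Added illustration (not Check Point code); all addresses and priorities are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    trace: list = field(default_factory=list)  # pipeline events, for inspection

@dataclass(order=True)
class PbrRule:
    priority: int        # lower value is evaluated first
    match_from: str      # "set pbr rule priority X match from A.B.C.D/M"
    table: str = "pbr"   # routing table selected when the rule matches

def pbr_lookup(pkt, rules):
    """Routing decision. PBR rules see the source address as it is at this
    stage: still the original, because source NAT has not run yet."""
    for rule in sorted(rules):
        if ip_address(pkt.src) in ip_network(rule.match_from):
            pkt.trace.append(f"pbr priority {rule.priority} -> {rule.table}")
            return rule.table
    pkt.trace.append("no pbr match -> main")
    return "main"

def outbound_chain(pkt, snat):
    """Outbound chain. Source translation happens here, after routing,
    so the translated address is never what the PBR rule was matched against."""
    if pkt.src in snat:
        pkt.trace.append(f"snat {pkt.src} -> {snat[pkt.src]}")
        pkt.src = snat[pkt.src]
    return pkt

def forward(pkt, rules, snat):
    """Run both stages in order; return (table chosen, source address on the wire)."""
    table = pbr_lookup(pkt, rules)
    outbound_chain(pkt, snat)
    return table, pkt.src

# Constructed scenario: 10.1.1.10 is hidden behind 192.0.2.10 on the way out.
SNAT = {"10.1.1.10": "192.0.2.10"}
RULE_ON_TRANSLATED = [PbrRule(10, "192.0.2.10/32")]  # the rule from Symptoms: never matches
RULE_ON_ORIGINAL = [PbrRule(10, "10.1.1.10/32")]     # the rule from Solution: matches

if __name__ == "__main__":
    for rules in (RULE_ON_TRANSLATED, RULE_ON_ORIGINAL):
        pkt = Packet("10.1.1.10")
        print(forward(pkt, rules, SNAT), pkt.trace)
```

Both runs leave 192.0.2.10 on the wire, but only the rule on the original address selects the PBR table; the trace shows the NAT event after the routing event in each case.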
