Services do not receive traffic on an interface with NAT enabled
When NAT is enabled, by default TNSR will drop traffic that doesn’t match an existing NAT session or static NAT rule. This includes traffic for services on TNSR such as IPsec and BGP. To allow this traffic, see NAT Forwarding.
NAT session limits / “Create NAT session failed” error
The default limit for NAT sessions per IP address in the dataplane is
If the number of sessions from a client IP address, including TNSR itself,
exceeds that value, then new connections will fail. This value can be changed by
the dataplane nat max-translations-per-user command as described in
Advanced Dataplane Configuration: NAT.
ACL rules do not match NAT traffic as expected
When NAT is active, ACL rules are always processed before NAT on interfaces where NAT is applied, in any direction. This behavior is different from some other products, such as pfSense. See ACL and NAT Interaction for details.