Hi,
I noticed that port scans had been querying all the internal hosts with bidirectional NATs defined, which is obviously expected. But I also noticed that odd internal hosts that shouldn't be routable were also in scope on occasion. Further investigation shows that this is happening when the port scan targets our default internet breakout PAT address, which is obviously a dynamic unidirectional PAT. The packet I'm seeing is nothing out of the ordinary, just a SYN with a sequence number of 0.
If I use packet tracer to try to replicate the traffic, it correctly drops it as there isn't anything in the state table to match. Has anyone else seen this before? I certainly don't think it's expected behavior, but I can't seem to find any mention of a bug that would explain what I'm seeing.
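One way to confirm the behaviour from the firewall's own connection logs, rather than from a capture, is to look for inbound connections that were built through the breakout PAT address to an inside host that has no bidirectional NAT. The script below is an added example, not code from the original post; it assumes ASA-style "%ASA-6-302013: Built inbound TCP connection" syslog lines, an assumed PAT address of 203.0.113.1, an assumed set of hosts with bidirectional NATs, and the sample log lines embedded in it are constructed for illustration.

```python
import re

# Constructed sample ASA-style %ASA-6-302013 "Built ... connection" lines.
# Layout: for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:10.10.0.5/443 (203.0.113.5/443)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/40002 (198.51.100.7/40002) to inside:10.10.0.77/22 (203.0.113.1/22)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:10.10.0.42/51515 (203.0.113.1/51515)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.9/50000 (198.51.100.9/50000) to inside:10.10.0.5/80 (203.0.113.5/80)
"""

# Assumed values for this example: the dynamic unidirectional PAT address used for
# internet breakout, and the inside hosts that legitimately have bidirectional NATs.
PAT_ADDRESS = "203.0.113.1"
STATIC_NAT_HOSTS = {"10.10.0.5"}

LINE_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<real_dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<mapped_dst>[\d.]+)/(?P<mapped_port>\d+)\)"
)


def parse_connections(log_text):
    """Parse 'Built ... TCP connection' lines into dicts; ignore anything else."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def find_unexpected_inbound(log_text, pat_address, static_hosts):
    """Return inbound connections built via the PAT address to hosts without a bidirectional NAT.

    A dynamic PAT should only ever carry return traffic for an outbound session, so an
    *inbound* connection whose mapped destination is the PAT address, landing on a real
    inside host that has no static/bidirectional NAT, is exactly the case the post describes.
    """
    unexpected = []
    for rec in parse_connections(log_text):
        if rec["direction"] != "inbound":
            continue
        if rec["mapped_dst"] != pat_address:
            continue
        if rec["real_dst"] in static_hosts:
            continue
        unexpected.append(rec)
    return unexpected


if __name__ == "__main__":
    for rec in find_unexpected_inbound(SAMPLE_LOGS, PAT_ADDRESS, STATIC_NAT_HOSTS):
        print(
            f"conn {rec['conn_id']}: {rec['src']}/{rec['sport']} -> "
            f"{rec['mapped_dst']}/{rec['mapped_port']} reached inside host "
            f"{rec['real_dst']}/{rec['dport']} with no bidirectional NAT"
        )
```

Run against real 302013 output with the PAT address and static-NAT set filled in for the environment; any hit is a connection the firewall built inbound through the dynamic PAT, which is the evidence worth attaching to a TAC case alongside the capture.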