diff --git a/.changelog/10302.txt b/.changelog/10302.txt
deleted file mode 100644
index e87d16898..000000000
--- a/.changelog/10302.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-```release-note:improvement
-connect: Avoid adding original_dst listener filter when it won't be used.
-```
-
diff --git a/.changelog/10365.txt b/.changelog/10365.txt
new file mode 100644
index 000000000..665d5401e
--- /dev/null
+++ b/.changelog/10365.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix bug that prevented transparent proxies from working when mesh config restricted routing to catalog destinations.
+```
\ No newline at end of file
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index c31f0fd6c..cc08ed0d5 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -78,6 +78,17 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
 outboundListener = makePortListener(OutboundListenerName, "127.0.0.1", port, envoy_core_v3.TrafficDirection_OUTBOUND)
 outboundListener.FilterChains = make([]*envoy_listener_v3.FilterChain, 0)
+ outboundListener.ListenerFilters = []*envoy_listener_v3.ListenerFilter{
+ {
+ // The original_dst filter is a listener filter that recovers the original destination
+ // address before the iptables redirection. This filter is needed for transparent
+ // proxies because they route to upstreams using filter chains that match on the
+ // destination IP address. If the filter is not present, no chain will match.
+ //
+ // TODO(tproxy): Hard-coded until we upgrade the go-control-plane library
+ Name: "envoy.filters.listener.original_dst",
+ },
+ }
 }
 var hasFilterChains bool
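Review bot: The comment added above `Name: "envoy.filters.listener.original_dst"` explains why the filter is needed but not what keeps `CatalogDestinationsOnly` restrictive now that the filter is always attached. With the original destination recovered on every transparent-proxy outbound listener, that restriction appears to rest entirely on the passthrough chain staying behind the `CatalogDestinationsOnly` check in the second hunk (`@@ -201,13 +212,6 @@`). I would add a line such as `// With CatalogDestinationsOnly the passthrough chain is still omitted, so destinations outside the catalog should match no filter chain.` and have the catalog-destinations-only test assert that no chain targets `OriginalDestinationClusterName`. The golden hunks shown here only add `listenerFilters`, so this page cannot confirm whether that is already covered. The `if` block that creates `outboundListener` starts outside the hunk.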
@@ -201,13 +212,6 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
 if cfgSnap.ConnectProxy.MeshConfig == nil || !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly {
- outboundListener.ListenerFilters = []*envoy_listener_v3.ListenerFilter{
- {
- // TODO (freddy): Hard-coded until we upgrade the go-control-plane library
- Name: "envoy.filters.listener.original_dst",
- },
- }
-
 filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain(
 "passthrough",
 OriginalDestinationClusterName,
diff --git a/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden b/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden
index 4c444e044..a3c52dc4f 100644
--- a/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden
+++ b/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden
@@ -57,6 +57,11 @@
 ]
 }
 ],
+ "listenerFilters": [
+ {
+ "name": "envoy.filters.listener.original_dst"
+ }
+ ],
 "trafficDirection": "OUTBOUND"
 },
 {
diff --git a/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden
index 1d3f29225..db881a384 100644
--- a/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/listeners/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden
@@ -57,6 +57,11 @@
 ]
 }
 ],
+ "listenerFilters": [
+ {
+ "name": "envoy.filters.listener.original_dst"
+ }
+ ],
 "trafficDirection": "OUTBOUND"
 },
 {