Forum Discussion

rababa74_74439
May 31, 2008

Applying Multiple SNATs on an Outbound Virtual Server

Hello.

This is my first time hearing about F5, and I am just starting my adventure with it.


I have been trying to find an iRule solution to be applied on my outbound virtual server/network 0.0.0.0 port 25 where if the request comes from "class A hosts", SNAT A will apply, while if it is coming from "class B hosts", SNAT B applies and so on. Note that class hosts are on the same VLAN behind my F5.

So, say a request destined for yahoo.com:25 is coming from 10.10.10.1:25 (mailout): I want to SNAT that source to 100.100.100.1:25, while a request from 10.10.10.2:25 should be SNATed to 100.100.100.2:25.

I will appreciate your help.


Thanks.

4 Replies

  • hoolio
    You can either use the SNAT configuration in the GUI or an iRule to assign a SNAT translation based on the source and/or destination IP address or network. You can create a SNAT which applies for all outgoing connections (across all VIPs or non-load balanced traffic) which is valid for multiple source hosts/networks. The bigip.conf entry would look like this:

     snat test_snat { 
        translation 10.0.0.10 
        origin 192.168.1.0 mask 255.255.255.0 
        origin 192.168.2.0 mask 255.255.255.0 
        vlan internal enable 
     } 

    The origin networks are the networks which the SNAT would apply for. The translation address is what the outbound traffic would be translated to. The VLAN which the SNAT is enabled on is the inbound VLAN. So a client connecting through the BIG-IP from the internal VLAN using an IP address in the 192.168.1.0/24 network would be translated to 10.0.0.10 on the outbound connection.

    If you wanted to apply the SNAT logic in an iRule, you can use the CLIENT_ACCEPTED event and the snat command. It would be cleanest to define the two sets of source IPs/networks in two classes. Here is an example which references two classes, class_A_hosts and class_B_hosts:

      # CLIENT_ACCEPTED on a TCP VIP is triggered when a new TCP connection between the client and VIP is established 
     when CLIENT_ACCEPTED { 
        log local0. "source IP:port: [IP::client_addr]:[TCP::client_port] -> destination IP:port: [IP::local_addr]:[TCP::local_port]" 
      
        # Check if client IP matches class A hosts 
        if {[matchclass [IP::client_addr] equals $::class_A_hosts]}{ 
           # source host is part of class A so use SNAT address 1 
           log local0. "[IP::client_addr]:[TCP::client_port]: using SNAT address 1" 
           snat 1.1.1.1 
        } elseif {[matchclass [IP::client_addr] equals $::class_B_hosts]}{ 
           # source host is part of class B so use SNAT address 2 
           log local0. "[IP::client_addr]:[TCP::client_port]: using SNAT address 2" 
           snat 1.1.1.2 
        } else { 
           # Take some default action? 
           log local0. "[IP::client_addr]:[TCP::client_port]: didn't match a source class" 
        } 
     } 

    Aaron
  • Try this

      
      when CLIENT_ACCEPTED {  
          switch [IP::client_addr] {  
            10.10.10.1 { snat 100.100.100.1 }  
            10.10.10.2 { snat 100.100.100.2 }  
            default { forward }  
          }  
      }  
      

    I haven't tested this, but I think this is a good start from an iRule perspective.

    You can also take a look at the "Configuration_Guide_for_BIG-IP_Local_Traffic_Management_9.3.0.pdf". Chapter 13 provides a way to create a pool of SNAT addresses and perform one-to-one mappings. Then you need to apply it to the VIP, thereby avoiding the use of an iRule.
  • Deb_Allen_18
    For hoolio's iRule solution, you'll need to create the 2 classes (data group lists) as type "Address" to perform the address comparisons you're after. The classes may contain individual addresses and/or full subnets.
    /deb
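An added example, not from any of the replies above: a stand-alone Python model of the class-based SNAT selection in hoolio's iRule, with the Address data groups Deb describes (individual hosts and/or subnets), so a class-to-SNAT mapping can be checked offline before it is put on the BIG-IP. The data group contents and translation addresses are constructed for illustration, and the overlap check flags sources that sit in more than one class, which the if/elseif chain would silently assign to the first class's SNAT.

```python
# Added example (not from the thread): models the iRule's SNAT selection so the
# class/SNAT mapping can be validated offline. Address data groups are modelled
# as lists of host addresses and CIDR subnets; all values below are constructed.
import ipaddress

# Constructed data groups and SNAT translations mirroring the thread's example.
SNAT_CLASSES = {
    "class_A_hosts": (["10.10.10.1", "192.168.1.0/24"], "100.100.100.1"),
    "class_B_hosts": (["10.10.10.2", "192.168.2.0/24"], "100.100.100.2"),
}


def _members(entries):
    """Parse host and subnet strings into ip_network objects (a host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def select_snat(client_addr, classes=SNAT_CLASSES):
    """Return (class_name, translation) for the first class containing client_addr,
    or (None, None) when nothing matches (the iRule's default branch)."""
    addr = ipaddress.ip_address(client_addr)
    for name, (entries, translation) in classes.items():
        if any(addr in net for net in _members(entries)):
            return name, translation
    return None, None


def overlapping_classes(classes=SNAT_CLASSES):
    """List address ranges that appear in more than one class. Such sources get the
    first class's SNAT in the if/elseif chain, so overlaps are a config error to
    catch before deployment. Returns (class_a, range_a, class_b, range_b) tuples."""
    names = list(classes)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in _members(classes[a][0]):
                for nb in _members(classes[b][0]):
                    if na.overlaps(nb):
                        overlaps.append((a, str(na), b, str(nb)))
    return overlaps


if __name__ == "__main__":
    for src in ("10.10.10.1", "192.168.2.77", "172.16.0.9"):
        print(src, "->", select_snat(src))
    print("overlaps:", overlapping_classes())
```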