Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

rababa74_74439's avatar
rababa74_74439
Icon for Nimbostratus rankNimbostratus
May 30, 2008

Applying Multiple SNATs on an Outbound Virtual Server

Hello.     This is my first time hearing and just starting my adventure with F5.     I have been trying to find an iRule solution to be applied on my outbound virtual server/netw...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 02, 2008
You can either use the SNAT configuration in the GUI or an iRule to assign a SNAT translation based on the source and/or destination IP address or network. You can create a SNAT which applies for all outgoing connections (across all VIPs or non-load balanced traffic) which is valid for multiple source hosts/networks. The bigip.conf entry would look like this: 

 
 snat test_snat { 
    translation 10.0.0.10 
    origin 192.168.1.0 mask 255.255.255.0 
    origin 192.168.2.0 mask 255.255.255.0 
    vlan internal enable 
 }

The origin networks are the networks which the SNAT would apply for. The translation address is what the outbound traffic would be translated to. The VLAN which the SNAT is enabled on is the inbound VLAN. So a client connecting through the BIG-IP from the internal VLAN using an IP address in the 192.168.1.0/24 network would be translated to 10.0.0.10 on the outbound connection.

If you wanted to apply the SNAT logic in an iRule you can use the CLIENT_ACCEPTED event and the snat command. It would be cleanest to define the two sets of source IP's/networks in two classes. Here is an example which references two classes, class_A_hosts and class_B_hosts: 

 
  CLIENT_ACCEPTED on a TCP VIP is triggered when a new TCP connection between the client and VIP is established 
 when CLIENT_ACCEPTED { 
    log local0. "source IP:port: [IP::client_addr]:[TCP::client_port] -> destination IP:port: [IP::local_addr]:[TCP::local_port]" 
  
     Check if client IP matches class A hosts 
    if {[matchclass [IP::client_addr] equals $::class_A_hosts]}{ 
        source host is part of class A so use SNAT address 1 
       log local0. "[IP::client_addr]:[TCP::client_port]: using SNAT address 1" 
       snat 1.1.1.1 
    } else if {[matchclass [IP::client_addr] equals $::class_B_hosts]}{ 
       log local0. "[IP::client_addr]:[TCP::client_port]: using SNAT address 2" 
       snat 1.1.1.2 
    } else { 
        Take some default action? 
       log local0. "[IP::client_addr]:[TCP::client_port]: didn't match a source class" 
    } 
 }

Aaron