I want to create two VIPS on our F5 and setup two inbound AutoMaps on each VIP. The automaps would both translate the same specific inbound address to the floating IP associated with the appropriate external interface. Each VIP has member servers sitting on separate subnets. And the servers aren't using the floating IP as the route back to this source so I want to NAT it as it comes in. I had tried to do this before but it appeared to translate all traffic coming into the server instead of only translating the specific traffic listed in the SNAT list. I wanted to make sure this was possible before I attempted this again as per everything I have seen on most sites seem to indicate it is possible. Any feedback or better suggestion would be appreciated.

Sorry, it's not quite clear, do you want to SNAT all traffic passing through the VIPs or only specific client addresses passing through the VIPs?

i understand you have snat list with specific source address, haven't you? have you tried to set snat none under virtual server configuration? when traffic hits the virtual server, since the virtual server's snat is set to none, snat list would apply to the traffic.

I want to SNAT only specific traffic passing through the VIP. I was thinking I needed to set up a SNAT list with the translation set to Automap and apply that to each VIP. However, per what your saying I think I am making this to difficult and if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?

Automap SNAT with Multiple VIPs

11 Replies

What_Lies_Bene1
Cirrostratus
Sep 03, 2013
Sorry, it's not quite clear, do you want to SNAT all traffic passing through the VIPs or only specific client addresses passing through the VIPs?
nitass_89166
Noctilucent
Sep 03, 2013
i understand you have snat list with specific source address, haven't you?

have you tried to set snat none under virtual server configuration? when traffic hits the virtual server, since the virtual server's snat is set to none, snat list would apply to the traffic.
- kldev_132889
  Nimbostratus
  Sep 04, 2013
  I want to SNAT only specific traffic passing through the VIP. I was thinking I needed to set up a SNAT list with the translation set to Automap and apply that to each VIP. However, per what your saying I think I am making this to difficult and if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?
nitass
Employee
Sep 03, 2013
i understand you have snat list with specific source address, haven't you?

have you tried to set snat none under virtual server configuration? when traffic hits the virtual server, since the virtual server's snat is set to none, snat list would apply to the traffic.
- kldev_132889
  Nimbostratus
  Sep 04, 2013
  I want to SNAT only specific traffic passing through the VIP. I was thinking I needed to set up a SNAT list with the translation set to Automap and apply that to each VIP. However, per what your saying I think I am making this to difficult and if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?
nitass_89166
Noctilucent
Sep 04, 2013
if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?

you mean snat list with specific origin address and translation automap and snat none under virtual server configuration, don't you? yes, i think so.
- kldev_132889
  Nimbostratus
  Sep 05, 2013
  Yes that is exactly what I meant. Thanks for the help.
nitass
Employee
Sep 04, 2013
if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?

you mean snat list with specific origin address and translation automap and snat none under virtual server configuration, don't you? yes, i think so.
- kldev_132889
  Nimbostratus
  Sep 05, 2013
  Yes that is exactly what I meant. Thanks for the help.
marco_octavian_
Nimbostratus
Sep 04, 2013
Another option if you want to use a specific snat for specific ip addresses and then do NOT use snat for any other traffic then perhaps the following irule and link can get you there as well. https://devcentral.f5.com/questions/snat-based-on-incoming-ip

You can remove the logging section once you have confirmed it is working for.

when CLIENT_ACCEPTED { switch [IP::client_addr] { "172.16.21.201" { snat 172.16.31.201 } "10.10.10.11" { snat 192.168.42.11 } "10.10.10.12" { snat 192.168.42.12 } "10.10.10.13" { snat 192.168.42.13 } default { snat none } } } when SERVER_CONNECTED { log local0. "client [IP::client_addr]:[TCP::client_port] snat [IP::local_addr]:[TCP::local_port] server [IP::server_addr]:[TCP::server_port]" }
- kldev_132889
  Nimbostratus
  Sep 05, 2013
  Thanks for the script. I may try that as well.