
Forum Discussion

swo0sh_gt_13163
Jun 25, 2014

Can I SNAT UDP traffic using iRule? [for outbound traffic]

Hello Folks,


Can I SNAT UDP (precisely SNMP) using an iRule? If yes, could you please share an example of how?


Thank you, Darshan


9 Replies

  • Yes you can, but you shouldn't need an iRule. Assuming you have a UDP VIP assigned to forward this traffic, assign a SNAT pool there.


  • Hi Kevin,


    Thanks for the answer. However, the VS is a forwarding VS for all protocols. We need to SNAT traffic specifically for outbound ICMP and SNMP connections.


    Any help?


  • I would probably do something like this:

    when CLIENT_ACCEPTED {
        switch [IP::protocol] {
            "1" -
            "17" {
                snat automap
            }
        }
    }
    when CLIENT_DATA {
        switch [IP::protocol] {
            "1" -
            "17" {
                snat automap
            }
        }
    }
    
  • Thanks for this Kevin,


    Do I need both Client_Accepted and Client_Data to be mapped within the same iRule? I would need to add Client_IP_addr in Client_Accepted, right?


    Thank you, Darshan


  • I would need to add Client_IP_addr in Client_Accepted, right?


    Do you need to do this based on the client IP? I'm assuming not.


    The above is one iRule that should be applied to the forwarding VIP. You need both the CLIENT_ACCEPTED and CLIENT_DATA events because UDP's statelessness won't always trigger a CLIENT_ACCEPTED event.


  • Sorry, I think I didn't explain the exact requirement.

    I have 3 IP addresses which I want to SNAT, only for ICMP and SNMP, for outbound connections.

    I made a rule as follows, which doesn't seem effective; not sure why.

    when CLIENT_ACCEPTED {
        if { ([IP::addr [IP::client_addr] equals 10.254.47.12/32] or [IP::addr [IP::client_addr] equals 10.254.47.13/32]) and [TCP::local_port] == 161 } {
            snat 10.254.55.65
        } else {
            forward
        }
    }
    
  • Try this:

    when CLIENT_ACCEPTED {
        if { ( [IP::addr [IP::client_addr] equals 10.254.47.12/32] or [IP::addr [IP::client_addr] equals 10.254.47.13/32] ) } {
            switch [IP::protocol] {
                "1" -
                "17" {
                    snat automap
                }
            }
        }
    }
    when CLIENT_DATA {
        if { ( [IP::addr [IP::client_addr] equals 10.254.47.12/32] or [IP::addr [IP::client_addr] equals 10.254.47.13/32] ) } {
            switch [IP::protocol] {
                "1" -
                "17" {
                    snat automap
                }
            }
        }
    }
    
  • Perfect!


    Thanks a ton!! Btw, where can I get the list of protocol numbers listed in your iRule?
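An added iRule, not posted in the thread, that builds on the accepted answer in two ways: the eligible source hosts live in an address-type data group instead of being hard-coded in the `if`, and UDP is translated only when the destination port is SNMP's 161 (ICMP has no ports, so it is matched on protocol alone). The data group name `snat_icmp_snmp_clients` is assumed and would have to be created on the BIG-IP; the `UDP::local_port` check is also assumed to be available for UDP flows on a protocol-all forwarding VS.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# named snat_icmp_snmp_clients (hypothetical) holding the client hosts
# whose outbound ICMP and SNMP traffic should be source-translated.
# The IP protocol numbers are the IANA assignments: 1 = ICMP, 17 = UDP.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals snat_icmp_snmp_clients] } {
        switch [IP::protocol] {
            "1" {
                # ICMP carries no ports, so translate on protocol alone
                snat automap
            }
            "17" {
                # UDP: translate only SNMP (destination port 161);
                # any other UDP flow from these hosts is left untouched
                if { [UDP::local_port] == 161 } {
                    snat automap
                }
            }
        }
    }
}
# The same selection is repeated for CLIENT_DATA because, as the thread
# notes, a UDP flow does not always raise CLIENT_ACCEPTED.
when CLIENT_DATA {
    if { [class match [IP::client_addr] equals snat_icmp_snmp_clients] } {
        switch [IP::protocol] {
            "1" {
                snat automap
            }
            "17" {
                if { [UDP::local_port] == 161 } {
                    snat automap
                }
            }
        }
    }
}
```

Keeping the host list in a data group means adding the third address the asker mentioned is a data-group edit rather than an iRule change, and the port test narrows the translation to exactly the SNMP traffic the original question was about.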