Forum Discussion
jdorrough_42655
Apr 25, 2012 (Nimbostratus)
Can I spoof a source address with an iRule?
Let's say I have 4 IP addresses
IP-A 192.168.1.1 Client ip address
IP-B 192.168.2.1 Virtual server address
IP-C 192.168.3.1 Pool member associated to Virtual address
IP-D 192.168.4.1 IP I'm wanting to spoof.
I want the connection to work as follows....
1) Client makes a connection to IP-B
2) Big-IP sends connection to Pool member IP-C. There is no NATing taking place so Pool member IP-C sees the source address IP-A.
3) IP-C responds to IP-A, the packet arrives back to the Big-IP.
4) I want the packet to leave Big-IP with a source address of IP-D Destination IP-A.
I know this may look like a weird request. It is an attempt to do some asymmetrical routing between two datacenters.
Thanks in advance for your assistance.
- Chris_Miller (Altostratus): Interesting scenario. Basically, we'd want to apply SNAT in a response event which doesn't seem to be supported. I'm going to try mocking this up using the "virtual" command and see what I can find out.
- Chris_Miller (Altostratus): What type of traffic is this by the way?
- jdorrough_42655 (Nimbostratus): Chris, thanks for the response. The traffic in question is tacacs. That's why I am needing the true source of the client.
- Chris_Miller (Altostratus): Your packet flow sounds like this: Router -> VIP (IP-D) -> Pool Member/VIP (IP-B) -> Pool Member (IP-C). If that's the case, why wouldn't the response be NATed properly? Traffic is still flowing through VIP (IP-D) so LTM should NAT the response to that address.
- The_Bhattman (Nimbostratus): A colleague of mine says he has done this via EtherIP.
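The packet flows discussed in this thread, as an added example that is not part of the original discussion and not F5 code: a toy model of a full-proxy load balancer's connection table, generic rather than an LTM implementation. It uses the placeholder addresses from the question, assumes TCP port 49 for the TACACS+ traffic mentioned, and shows three things: without SNAT the pool member sees the real client address (IP-A); a reply forged to leave with source IP-D while the client connected to IP-B does not match the client's own connection and is dropped; and the chained flow Chris_Miller describes (client -> VIP IP-D -> VIP IP-B -> IP-C) returns a reply sourced from IP-D by ordinary reverse translation, with no spoofing needed.

```python
"""Toy stateful-proxy model (constructed example, not F5 LTM code)."""
from dataclasses import dataclass

# Placeholder addresses from the thread
IP_A = "192.168.1.1"   # client
IP_B = "192.168.2.1"   # virtual server
IP_C = "192.168.3.1"   # pool member
IP_D = "192.168.4.1"   # address the poster wants replies sourced from
TACACS_PORT = 49       # assumed service port for the TACACS+ traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class ProxyLB:
    """One table entry per client connection, consulted in both directions."""

    def __init__(self, vip, pool_member, snat=None):
        self.vip = vip
        self.pool_member = pool_member
        self.snat = snat          # None: no NAT, pool member sees the client address
        self.table = {}           # (client_ip, client_port) -> server-side 4-tuple

    def client_to_server(self, pkt):
        """Forward a client packet to the pool member, recording the mapping."""
        if pkt.dst != self.vip:
            return None
        src = self.snat or pkt.src
        self.table[(pkt.src, pkt.sport)] = (src, pkt.sport, self.pool_member, pkt.dport)
        return Packet(src, self.pool_member, pkt.sport, pkt.dport)

    def server_to_client(self, pkt):
        """Reverse-translate a reply: it can only leave sourced from the VIP
        the client connected to, because that is what the table entry records."""
        for (cip, cport), (s, sp, d, dp) in self.table.items():
            if (pkt.src, pkt.dst, pkt.sport, pkt.dport) == (d, s, dp, sp):
                return Packet(self.vip, cip, pkt.sport, cport)
        return None   # no matching connection: a stateful proxy drops it


def client_accepts(sock, pkt):
    """A client TCP stack only matches segments against the 4-tuple it opened."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (
        sock["peer"], sock["peer_port"], sock["local"], sock["local_port"])


def scenario_snat_vs_no_snat():
    """Source address the pool member sees with SNAT vs without."""
    with_snat = ProxyLB(IP_B, IP_C, snat=IP_B)
    without_snat = ProxyLB(IP_B, IP_C)
    req = Packet(IP_A, IP_B, 40000, TACACS_PORT)
    return with_snat.client_to_server(req).src, without_snat.client_to_server(req).src


def scenario_forged_reply():
    """Client connected to IP-B; compare a legitimate reply with one forged from IP-D."""
    sock = {"local": IP_A, "local_port": 40000, "peer": IP_B, "peer_port": TACACS_PORT}
    legit = Packet(IP_B, IP_A, TACACS_PORT, 40000)
    forged = Packet(IP_D, IP_A, TACACS_PORT, 40000)
    return client_accepts(sock, legit), client_accepts(sock, forged)


def scenario_front_vip():
    """Chained flow: client -> VIP IP-D -> VIP IP-B -> pool member IP-C, no SNAT anywhere.
    Returns (source seen by IP-C, source of the reply at the client, client accepts?)."""
    front = ProxyLB(IP_D, IP_B)
    back = ProxyLB(IP_B, IP_C)
    p1 = front.client_to_server(Packet(IP_A, IP_D, 40000, TACACS_PORT))
    p2 = back.client_to_server(p1)
    r1 = back.server_to_client(Packet(IP_C, IP_A, TACACS_PORT, 40000))
    r2 = front.server_to_client(r1)
    sock = {"local": IP_A, "local_port": 40000, "peer": IP_D, "peer_port": TACACS_PORT}
    return p2.src, r2.src, client_accepts(sock, r2)


if __name__ == "__main__":
    print("SNAT vs no SNAT, as seen by pool member:", scenario_snat_vs_no_snat())
    print("legit reply accepted, forged reply accepted:", scenario_forged_reply())
    print("front VIP chain (seen by IP-C, reply src, accepted):", scenario_front_vip())
```

The forged-reply scenario is the reason a response-side "spoof" would not help even if an iRule could do it: the client's socket is bound to the peer it connected to, so a segment from any other address is simply discarded. The front-VIP scenario is the arrangement that does work, and is what the model calls ordinary reverse translation rather than spoofing.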