Forum Discussion

Type11_8030
May 16, 2011

Different SNAP IP based on destination

So I have been banging my head on this for a bit, so any help would be great.

- I have a Virtual Server defined that mainly handles incoming traffic

- However, from time to time the servers themselves initiate the connection (part of the standard we are using)

- Also, as part of the standard (security wise), the only allowed IPs are the VIP of the virtual server

This worked fine when there was one SNAT IP we needed it to look like, but now there is some internal testing and we need it to look like a different outgoing IP when servers initiate connections.

So what I need is an iRule that basically says the source IP (SNAT) of server-initiated traffic is xxx.xxx.xxx.xxx if the outgoing IP it is connecting to is in the subnet 10.79.10.0/24, and if it is not in that subnet and the server is connecting to any other IP, I want the source IP to appear as yyy.yyy.yyy.yyy.

Thanks so much for any help or pointers to see me on my way. I would post what I tried but think it would just embarrass myself.

 

  • Hi Brendon,

    There are many ways to do this. However, one comes to mind:

    when CLIENT_ACCEPTED {
       # On the outbound virtual server the internal server is the client of
       # this flow, so IP::local_addr is the destination it is connecting to
       # (IP::remote_addr would be the server's own source address).
       if { [IP::addr [IP::local_addr] equals 10.79.10.0/24] } {
          snat xxx.xxx.xxx.xxx
       } else {
          snat yyy.yyy.yyy.yyy
       }
    }

    I hope this helps

    Bhattman
  • First off thanks!

    Second, I guess I was confusing myself, so even if the server initiates the connection I want to use CLIENT_ACCEPTED? I think that was a big part of my confusion. Thanks.
  • Posted By Brendon Allen on 05/16/2011 11:06 AM

    First off thanks!

    Second, I guess I was confusing myself, so even if the server initiates the connection I want to use CLIENT_ACCEPTED? I think that was a big part of my confusion. Thanks.

    All about the direction. An external user might initiate a connection to an inbound VIP, but a server might initiate a connection to an outbound destination address.
  • Colin_Walker_12
    Historic F5 Account
    It can get a little confusing, Brendon, if you're thinking "this is the client, that is the server...". The reality is, as Chris pointed out, the "server" is really the "client" if you're applying the iRule on an internal VIP. It all depends on flow context.

    Colin
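The flow-context point above, worked through as an added iRule example (not code from the thread or from F5): on the outbound virtual server the internal server is the client side of the flow, so the destination it is connecting to is IP::local_addr. The example generalizes the single-subnet check to an address-type data group, assumed here to be named snat_by_dest, whose records map destination subnets to SNAT addresses; 192.0.2.20 is an assumed default SNAT address from the documentation range.

```tcl
# Added example, not the thread's own iRule. Assumes an address-type data group
# "snat_by_dest" with records such as   10.79.10.0/24 := 192.0.2.10
# (both the group name and the addresses are assumptions for illustration).
when CLIENT_ACCEPTED {
    # Server-initiated flow on an outbound VIP: the internal server is the
    # client here, so IP::remote_addr is its own address and IP::local_addr
    # is the destination it is trying to reach.
    set src  [IP::remote_addr]
    set dest [IP::local_addr]

    # For address data groups, "equals" performs a subnet match; -value
    # returns the SNAT address stored with the matching record, or "".
    set snat_ip [class match -value $dest equals snat_by_dest]

    if { $snat_ip eq "" } {
        # Destination not in any listed subnet: fall back to the default
        # outbound address (assumed value) instead of leaking the real source.
        set snat_ip 192.0.2.20
    }

    snat $snat_ip

    # Audit line in /var/log/ltm so the chosen source address per destination
    # can be verified against the firewall allow-list during testing.
    log local0. "outbound flow $src -> $dest using SNAT $snat_ip"
}
```

Adding a new destination subnet then only requires a data-group record, not an iRule change.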