Forum Discussion
Kevin_Nail
Nimbostratus
Jun 10, 2008
disable SNAT on a forwarding virtual server
Hi,
My setup is a little bit strange. Our developers have placed some servers behind the LTM (their default routes point to the internal floating IP) but they are not being load-balanced, nor are they a part of a pool. We recently created a forwarding virtual server to allow them to ping another server outside of the LTM (external vlan). The problem now is that the same server which they are pinging is attempting to initiate communications back to them and they are SNAT'd. How can I disable the SNAT address for only those particular servers and only when they are contacted by the one server on the external side? What would the iRule look like and where should it be attached? I thought about using the server_connected command but didn't know where to put it. Any help is greatly appreciated.
- The_Bhattman
Nimbostratus
How are you SNATing? Are you using the SNAT Pool Automap on the Virtual Forwarding server?
- hoolio
Cirrostratus
You can disable SNAT for specific source addresses and/or specific destination addresses, using 'snat none' in an iRule. For individual addresses or networks, you can use the IP::addr command to perform the evaluation. If there are multiple hosts/networks you want to not SNAT for, you can add them to a datagroup of type 'address' and then use the matchclass command.

when CLIENT_ACCEPTED {
   # Check if the source IP address is part of the 10.0.0.0/255.0.0.0 network
   if {[IP::addr [IP::client_addr]/8 equals 10.0.0.0]}{
      # Disable SNAT for this connection
      snat none
   }
}

when CLIENT_ACCEPTED {
   # Check if the source IP address is part of the 10.1.0.0/255.255.0.0 network
   # and the destination address is part of the 10.2.0.0/255.255.0.0 network
   if {[IP::addr [IP::client_addr]/16 equals 10.1.0.0] && [IP::addr [IP::local_addr]/16 equals 10.2.0.0]}{
      # Disable SNAT for this connection
      snat none
   }
}

class no_snat_source_networks {
   network 10.1.0.0 mask 255.255.0.0
   network 192.168.0.0 mask 255.255.0.0
   host 10.2.1.1
}

when CLIENT_ACCEPTED {
   # Check if the source IP address is part of the no_snat_source_networks datagroup
   if {[matchclass [IP::client_addr] equals $::no_snat_source_networks]}{
      # Disable SNAT for this connection
      snat none
   }
}
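Applied to the case in the original question (one external server initiating connections to a handful of internal servers), the source check and the datagroup check can be combined so that every other flow keeps its SNAT. This is an added example, not code posted by anyone in the thread; the datagroup name no_snat_dest_servers, its members and the address 192.0.2.50 are constructed placeholders, and it assumes the iRule is attached to the forwarding virtual server that receives the traffic arriving from the external VLAN.

```tcl
# Datagroup of type 'address' listing the internal servers that must see the
# real source address. Hypothetical name, constructed members, same class
# syntax as the datagroup shown above:
#
#   class no_snat_dest_servers {
#      host 10.1.1.10
#      host 10.1.1.11
#   }

when CLIENT_ACCEPTED {
   # 192.0.2.50 is a constructed placeholder for the one external server.
   # On a forwarding virtual server, IP::local_addr is the destination
   # address the client is connecting to.
   if { [IP::addr [IP::client_addr] equals 192.0.2.50] &&
        [matchclass [IP::local_addr] equals $::no_snat_dest_servers] } {
      # Leave the source address untranslated for this connection only
      snat none
      # Record the exemption so it can be confirmed in /var/log/ltm
      log local0. "SNAT disabled: [IP::client_addr] -> [IP::local_addr]"
   }
}
```

Because the internal servers already use the LTM floating IP as their default route, replies to the untranslated source return through the LTM. The log line can be removed once the behaviour is confirmed.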