Forum Discussion
Mark_60861
Jul 22, 2011 Nimbostratus
Emulate v4.5 SNAT behavior with 10.x
I'm trying to emulate BIG-IP 4.5 SNAT behavior for a set of legacy hosts that are being migrated from a 4.5 BIG-IP box to a 10.x BIG-IP LTM.
With a 4.5 SNAT things work as follows:
All connections ...
Mark_60861
Jul 22, 2011 Nimbostratus
The one 'hack' of a solution I've come up with is to only SNAT if the client_port (server in this case) is in the ephemeral port range. Obviously this is highly OS dependent; however, this may work in my case as we're a Solaris, Linux, and Windows shop.
It's far and away less than ideal; it seems like there should be a better solution.
when CLIENT_ACCEPTED {
    if { ( [class match [IP::client_addr] equals "legacy_servers"] ) && ( [IP::protocol] == 6 || [IP::protocol] == 17 ) } {
        log local0. "=============================================================="
        log local0. "New connection from Legacy Server: [IP::client_addr]"
        log local0. "IP::client_addr: [IP::client_addr]"
        log local0. "IP::local_addr: [IP::local_addr]"
        log local0. "IP::remote_addr: [IP::remote_addr]"
        log local0. "IP::protocol: [IP::protocol]"
        log local0. "TCP::local_port: [TCP::local_port]"
        log local0. "UDP::local_port: [UDP::local_port]"
        log local0. "TCP::client_port: [TCP::client_port]"
        log local0. "UDP::client_port: [UDP::client_port]"
        # IANA Ephemeral port range: 49152-65535 (Windows uses this)
        # Linux Ephemeral port range: 32768-61000
        # Solaris Ephemeral port range: 32768-65535
        # If the client_port is above 32768 we will assume it's an ephemeral connection
        # from the legacy server and SNAT it.
        if { ([TCP::client_port] > 32768 || [UDP::client_port] > 32768) } {
            log local0. "!!! client_port seems to be Ephemeral"
            log local0. "!!! SNAT'ed Legacy Server: [IP::client_addr] to 10.10.210.50"
            use snatpool LEGACY-SERVER-SNAT
        }
    }
}
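Added example, not part of the original post: a Python model of the iRule's SNAT decision that checks the `> 32768` threshold against the three ephemeral ranges listed in the comments and shows which outbound flows the heuristic passes through without SNAT. The 192.0.2.0/28 network standing in for the `legacy_servers` data group and all sample flows are constructed.

```python
import ipaddress

# Ephemeral source-port ranges exactly as listed in the post (inclusive).
EPHEMERAL_RANGES = {
    "IANA/Windows": (49152, 65535),
    "Linux": (32768, 61000),
    "Solaris": (32768, 65535),
}
THRESHOLD = 32768          # the iRule tests client_port > 32768
SNAT_PROTOCOLS = {6, 17}   # TCP and UDP, as in the iRule

# Constructed stand-in for the "legacy_servers" data group.
LEGACY_SERVERS = [ipaddress.ip_network("192.0.2.0/28")]


def should_snat(src_ip, protocol, src_port, threshold=THRESHOLD):
    """Mirror the iRule: legacy source, TCP/UDP, source port above threshold."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in LEGACY_SERVERS):
        return False
    if protocol not in SNAT_PROTOCOLS:
        return False
    return src_port > threshold


def missed_ephemeral_ports(threshold=THRESHOLD):
    """Per OS, ephemeral ports the strict '>' comparison would not SNAT."""
    return {
        name: [p for p in range(lo, hi + 1) if not p > threshold]
        for name, (lo, hi) in EPHEMERAL_RANGES.items()
    }


if __name__ == "__main__":
    # Constructed flows: (description, source IP, IP protocol, source port)
    flows = [
        ("outbound TCP, Linux ephemeral port", "192.0.2.5", 6, 45000),
        ("outbound TCP, first Linux/Solaris ephemeral port", "192.0.2.5", 6, 32768),
        ("outbound UDP, IANA-range port", "192.0.2.6", 17, 50000),
        ("outbound TCP bound to a low source port", "192.0.2.5", 6, 1023),
        ("ICMP from legacy server", "192.0.2.5", 1, 0),
        ("non-legacy host", "198.51.100.9", 6, 50000),
    ]
    for desc, ip, proto, port in flows:
        print(f"{'SNAT' if should_snat(ip, proto, port) else 'pass':4}  {desc}")
    print(missed_ephemeral_ports())
```

Port 32768 is the first port of the Linux and Solaris ranges in the comments, so the strict comparison leaves that one port un-SNATed; any outbound connection bound to a source port at or below the threshold is likewise passed through with its original address.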