Forum Discussion

J_Peterman_4266
Jul 18, 2012

Having trouble with destination based SNAT iRule

We are looking to implement destination based SNAT via iRule where all traffic destined to RFC 1918 space does not get SNAT outbound and retains its private addressing; all other traffic destined to public addressing gets SNAT outbound for internet-specific connectivity. The problem is that the iRule that I have created and applied to a basic IP forwarding Virtual Server is not matching and performing "snat none" (or simply "forward"), and instead all traffic outbound is getting SNAT. Can anyone point out what might be going on?

[IP addressing has been changed to protect the innocent]

Here is my iRule:

    when CLIENT_ACCEPTED {
        # Check if the remote address is part of the private_nosnat data group
        if { [class match [IP::remote_addr] equals private_nosnat] } {
            # don't do anything
            log local0. "MATCH NO SNAT CLASS"
            snat none
        } else {
            # snat behind this address
            snat 1.1.1.1
        }
    }

The datagroup private_nosnat includes three networks defined:

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

Again, this is applied to a virtual server that just matches all destinations and forwards on. The problem is that the first if statement isn't working and all traffic is getting SNAT on the final else statement.

Any insight is greatly appreciated.
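One detail worth checking against the stated goal: in CLIENT_ACCEPTED, [IP::remote_addr] is the address of the client that opened the connection, while [IP::local_addr] is the address the client connected to, which on a wildcard forwarding virtual server is the original destination. A rule that keys the SNAT decision on the destination therefore has to test [IP::local_addr]. The following is an added example written for this thread, not code from the original post; it reuses the data group name private_nosnat and the SNAT address 1.1.1.1 from the post and assumes the data group is created with type "address" (shown as a constructed tmsh fragment in the comments).

```tcl
# Destination-based SNAT decision for an IP forwarding virtual server.
#
# Assumed data group (type address is required so that "class match ... equals"
# performs subnet containment rather than a string compare):
#
#   tmsh create ltm data-group internal private_nosnat type ip \
#       records add { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
#
when CLIENT_ACCEPTED {
    # Capture both ends once so the log lines and the match use the same values.
    set src [IP::remote_addr]
    set dst [IP::local_addr]

    # Destination inside RFC 1918 space: forward unchanged, keep the private
    # source address. "snat none" also overrides any SNAT pool or automap that
    # may be configured on the virtual server for this connection.
    if { [class match $dst equals private_nosnat] } {
        log local0. "NO SNAT: $src -> $dst (destination is RFC 1918)"
        snat none
    } else {
        # Destination is public: translate the source to the outbound address.
        log local0. "SNAT: $src -> $dst translated behind 1.1.1.1"
        snat 1.1.1.1
    }
}
```

To confirm which branch a given flow takes, watch /var/log/ltm while generating one connection to a private destination and one to a public destination; the two log lines show the source and destination the rule actually evaluated. If the private destination still logs the SNAT branch, check that the data group type is "address" rather than "string", since a string data group will never match a host address against a CIDR entry.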