Forum Discussion
How to selectively SNAT on an egress vlan
I am running a pair of F5 LTM v10.2.1 and I cannot seem to find a way in which to perform a SNAT on a src network range going to a single specific destination vlan.
The setup I have is as follows:
src network - ""---->"" - interface 1.1
Dest vlan1 - ""---->"" - interface 1.4
Dest vlan2 - ""----->"" - interface 1.4
Dest vlan3 - ""----->"" - interface 1.4
Interface 1.4 is trunked down to a Cisco switch and the destination vlans all point back to each vlan's local gateway on the LTM.
The flow between src and destination uses a "forwarding VIP" since the LTM is simply routing between interfaces in this scenario.
What I am trying to achieve is to perform a source NAT when traffic is being sent from the "10.0.0.0/16"----->"10.104.32.0" vlan1 network. I do not want to SNAT if traffic is destined to the other two vlans.
I am happy to use the self IP of the egress vlan when performing the SNAT or a specific SNAT IP.
So in summary the flows would look like this:
Client (C) Server (S) LTM (LB)
1. SNAT required from src to vlan1
10.0.0.10 (c) -----> (s) (LB) ----> (s)
2. No SNAT required from src to vlan2
10.0.0.10 (c) -----> (s)

I appreciate that a FW is able to perform this task based on identifying the src and dst network, though I have looked at some iRules and I cannot seem to find a way in which to accomplish this.

I had hoped to see something like [IP::dst_address] available in iRules in which I could create a class to match the source network and to SNAT only on the [IP::dst_address] (vlan2), else forward everything else, though I cannot find anything in the reference guide.

Finally, when trying to do this via the LTM GUI, it only works if I perform the SNAT on the vlan in which the source traffic is arriving. This ends up source NATting all incoming to all dest vlans and not the specific one I require.
- nitass
Employee
Not sure if I understood correctly. Can you try this one?

    when CLIENT_ACCEPTED {
        # SNAT only when the client is in 10.0.0.0/16 and the destination is in 10.104.32.0/24
        if {[IP::addr [IP::remote_addr]/16 equals 10.0.0.0] and [IP::addr [IP::local_addr]/24 equals 10.104.32.0]} {
            snat automap
        }
    }
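
A variant of the reply's iRule, as an added example that is not part of the original thread: it matches through address data groups (the "class" approach the question mentions), uses a specific SNAT address instead of automap, and logs the original client so translated flows stay attributable. The data group names snat_src_nets and snat_dst_nets and the address 10.104.32.250 are assumptions made for illustration.

```tcl
# Added example, not from the thread.
# Assumed address-type data groups (hypothetical names):
#   snat_src_nets  contains 10.0.0.0/16
#   snat_dst_nets  contains 10.104.32.0/24
# Assumed SNAT address (constructed): 10.104.32.250
when CLIENT_ACCEPTED {
    # On a forwarding virtual server the local address is the
    # packet's real destination, not a virtual address.
    set src [IP::remote_addr]
    set dst [IP::local_addr]

    if { [class match $src equals snat_src_nets] and [class match $dst equals snat_dst_nets] } {
        # Translate only this source/destination pair.
        snat 10.104.32.250
        # Servers on vlan1 will only see the SNAT address, so record
        # the real client here for later correlation with their logs.
        log local0. "selective SNAT: $src -> $dst via 10.104.32.250"
    } else {
        # Traffic to the other destination vlans keeps the client address.
        snat none
    }
}
```

Adding a network to either data group changes which flows are translated without editing the iRule itself.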