For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

thananchai_pany's avatar
thananchai_pany
Icon for Nimbostratus rankNimbostratus
Mar 07, 2012

How to use iRule to create SNAT based on destination ip address

I'm use BIG-IP F5 Version: 11.1.0 (Build 1943.0)

 

 

 

I'm trying to configure outbound SNAT based on destination address.

 

 

 

I have three vlan on my f5.

 

For example, my vlan is public, front-end and back-end vlan.

 

 

 

I want to initiate outbound communication from front-end vlan to internet on public vlan.

 

I found I can use SNAT for it. And it work very well.

 

 

 

So if I initiate communication from front-end to back-end vlan. It use SNAT too.

 

But I don't want to use SNAT when communication from front-end to back-end vlan.

 

 

 

I'm want to use this iRule for solve this problem. But i don't know if this is the correct way to do it.

 

 

 

 

when CLIENT_ACCEPTED {

 

if { [class match [IP::server_addr] equals private_net]} {

 

forward

 

} else {

 

snat 40.x.x.40

 

}

 

}

 

}

 

 

 

 

Anyone could suggest some example iRules?

 

application delivery
dev
devops
iRules

2 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Mar 08, 2012
    Hi Thananchai,

     

    You will need to use [IP::local_addr] instead of [IP::server_addr]. This is because [IP::server_addr] is used when the server side connection is already established. This is not established on the CLIENT_ACCEPTED event.

     

     

     

    I hope this helps,

     

    Bhattman