
Forum Discussion

Mohanad
Jul 30, 2019
Solved

iRule for Conditional SNAT

I need to configure an iRule for conditional SNAT: when 10.10.10.1 and 10.10.10.2 connect to the VS, the SNAT will be 10.214.214.148, and for the rest of the clients the SNAT will be 10.214.214.147.

current setup:

SNAT pool "DPG-147" = 10.214.214.147, and I have another SNAT pool "DPG-148" = 10.214.214.148

ltm virtual DPG-Staging-5006
  description Cube
  destination 192.168.30.147:pxc-spvr
  ip-protocol tcp
  mask 255.255.255.255
  source 0.0.0.0/0
  source-address-translation
    pool DPG-147
    type snat

Thanks

Mohanad

  • Hi,

    Do you really need the SNAT pool, or do you just need to define an IP address to SNAT to in the iRule?

    e.g.

    # Classic syntax
    when CLIENT_ACCEPTED {
        if { [IP::client_addr] eq "10.10.10.1" || [IP::client_addr] eq "10.10.10.2" } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }

    # Short way: exact match against a Tcl list (a substring "contains" test
    # on a string of addresses would also accept an address such as 0.10.10.1)
    when CLIENT_ACCEPTED {
        if { [lsearch -exact {10.10.10.1 10.10.10.2} [IP::client_addr]] >= 0 } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }

    # Expandable way: extend the list of patterns when needed
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            10.10.10.1 -
            10.10.10.2 {
                snat 10.214.214.148
            }
            default {
                snat 10.214.214.147
            }
        }
    }

    You must change the line from "snat <IP ADDR>" to "snatpool <POOLNAME>" if you need to use a SNAT pool.

    I hope it helps.
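As an added example (not code from this thread or from F5), here is the same decision keyed on an address-type data group rather than an address list hard-coded in the iRule, using the asker's existing SNAT pools DPG-147 and DPG-148. The data group name snat_148_clients and the snat_choice variable are assumptions for this example; adding a client later is then a data-group change, not an iRule edit.

```tcl
# Added example: conditional SNAT keyed on an ip-type data group.
# The data group is assumed to exist; it can be created in tmsh with
#   create ltm data-group internal snat_148_clients type ip records add { 10.10.10.1/32 { } 10.10.10.2/32 { } }
# Entries are prefixes, so a /32 matches one host and a /24 a whole subnet.

when CLIENT_ACCEPTED {
    # "class match" performs address/prefix matching against an ip data group
    # and returns 1 on a hit, 0 otherwise (no substring comparison involved).
    if { [class match [IP::client_addr] equals snat_148_clients] } {
        snatpool DPG-148
        set snat_choice "DPG-148"
    } else {
        snatpool DPG-147
        set snat_choice "DPG-147"
    }
    # Audit trail in /var/log/ltm so the chosen source address can be
    # reconciled with firewall or server logs; remove on high-volume VIPs.
    log local0. "client [IP::client_addr] -> snatpool $snat_choice on [virtual name]"
}
```

The snatpool command is used instead of snat <IP ADDR> because the asker already has both pools defined; with a single-address pool the two forms behave the same.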

4 Replies

  • Hello.

I would also use one of the cjunior iRules, but take into account that it is possible to configure this directly without an iRule, using 2 virtuals with different source IPs. For example:

    ltm virtual DPG-Staging-5006
        description Cube
        destination 192.168.30.147:pxc-spvr
        ip-protocol tcp
        mask 255.255.255.255
        source 0.0.0.0/0
        source-address-translation
            pool DPG-147
            type snat

    ltm virtual DPG-Staging-5006_2
        description Cube
        destination 192.168.30.147:pxc-spvr
        ip-protocol tcp
        mask 255.255.255.255
        source 10.10.10.0/30
        source-address-translation
            pool DPG-148
            type snat

    REF - https://support.f5.com/csp/article/K14800

This is also possible using policies.

    REF - https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html

    KR,

    Dario.