iRule for Snat pool association
Hi Community, I want to write an iRule that matches the client IP address (on CLIENT_ACCEPTED) against a list of subnets. If it matches, then associate the IP address with a SNAT address (forced); if the IP address doesn't belong to the subnets, then no SNAT is applied. Sorry for my English.
The subnets that the SNAT will be applied to are: 192.168.0.0/24, 192.168.1.0/24, 192.168.13.0/24, 192.168.40.0/24 and many more, all in the 192.168.x.x class.
Is it possible?
Thanks in Advance
Regards MDP. :)
- Henrik_Gyllkran
Nimbostratus
Yes, this is most certainly possible. I'm awfully partial to using Data Groups myself, so if you create a Data Group containing the subnets you need to SNAT, let's call it snatted_subnets, then you could use the following iRule:

```tcl
when CLIENT_ACCEPTED {
    # Match the client source address against the "snatted_subnets" address data group
    if { [class match [IP::client_addr] equals snatted_subnets] } {
        # Client is in one of the listed subnets: translate its source via the snatpool
        snatpool your_snatpool_name
    }
    # No else branch: clients outside the listed subnets are not SNATed
}
```

- MDPF5_152674
Altostratus
OK, thanks for the answer. Now I have another question. If I want to parse the IP address and pass it to a SNAT address like this:
192.168.0.0 --> 10.168.x.x
How can I implement it?
The address data group:

```
ltm data-group internal SnatAddress {
    records {
        192.168.0.0/24 { }
        192.168.1.0/24 { }
        192.168.3.0/24 { }
        192.168.6.0/24 { }
        192.168.11.0/24 { }
        192.168.12.0/24 { }
        192.168.13.0/24 { }
        192.168.30.0/24 { }
        192.168.40.0/24 { }
        192.168.200.0/24 { }
        192.168.254.0/24 { }
    }
    type ip
}
```

And the iRule:

```tcl
when CLIENT_ACCEPTED {
    # Check if the client IP address is a member of the address data group named SnatAddress
    if { [class match [IP::client_addr] equals SnatAddress] } {
        # Keep everything after the first octet, e.g. 192.168.0.32 -> 168.0.32
        set xyz [findstr [IP::client_addr] "." 1]
        # Replace the first octet with 10, e.g. 192.168.0.32 -> 10.168.0.32
        snat 10.$xyz
    } else {
        # Default action is to not SNAT
        snat none
    }
}
```
Is it possible?
- Henrik_Gyllkran
Nimbostratus
I'm not sure I understand you correctly: do you want to keep the last three octets of the IP address and use them as the SNAT address, so that if the source address is 192.168.0.32 the SNAT address would be 10.168.0.32? Is that what you want to do?
If so, yes, it can be done, but it's not a very realistic approach. The first part is simple: calculating an address to be used as a SNAT address is very easy. The tricky part, however, is that it's not enough to just use "snat 10.$xyz", because the BIG-IP needs to own that address; otherwise it will not respond to ARP requests for that address, which means the return traffic will never be sent to the BIG-IP. Typically that is solved by adding the possible SNAT addresses to a snatpool, but if you want individual SNAT addresses for all source addresses the snatpool will be HUGE!
If, on the other hand, you want 192.168.0.0/24 to be translated to one SNAT address, 192.168.1.0/24 to be translated to another address and so on, that is quite feasible because we don't need thousands of addresses in the snatpool. So can you clarify your scenario?
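A worked version of the per-subnet approach described in the reply above (one SNAT address per source /24, looked up from a data group, with those same addresses placed in a snatpool so the BIG-IP owns them and answers ARP), added here as an example; it is not code from either poster. It also covers the first reply's pattern of matching the client address against a data group. The object names snat_by_subnet and snat_by_subnet_pool, the 10.168.x.1 translation addresses and the tmsh fragments shown as comments are assumptions for illustration.

```tcl
# Assumed tmsh objects (constructed for this example, not from the thread).
# The data group maps each source /24 to the SNAT address to use for it;
# the snatpool lists the same addresses so the BIG-IP owns them, which is
# what makes "snat <address>" usable at all (see the reply above).
#
# ltm data-group internal snat_by_subnet {
#     type ip
#     records {
#         192.168.0.0/24  { data 10.168.0.1 }
#         192.168.1.0/24  { data 10.168.1.1 }
#         192.168.13.0/24 { data 10.168.13.1 }
#         192.168.40.0/24 { data 10.168.40.1 }
#     }
# }
# ltm snatpool snat_by_subnet_pool {
#     members { 10.168.0.1 10.168.1.1 10.168.13.1 10.168.40.1 }
# }

when CLIENT_ACCEPTED {
    # Look up the SNAT address recorded for the client's subnet. With -value,
    # class match returns the record's data on a hit and an empty string when
    # no record matches, so one lookup gives both the membership test and the
    # translation address (no switch statement needed).
    set snat_addr [class match -value [IP::client_addr] equals snat_by_subnet]

    if { $snat_addr ne "" } {
        # Client is in one of the listed /24s: force the per-subnet address.
        # This only works because the address is also a member of
        # snat_by_subnet_pool, i.e. the BIG-IP owns it.
        snat $snat_addr
        log local0.debug "SNAT [IP::client_addr] -> $snat_addr"
    } else {
        # Not in the list: leave the source address untouched, which is the
        # default the original question asked for.
        snat none
    }
}
```

Adding a new /24 then means adding one record to the data group and its address to the snatpool; the iRule itself does not change. The debug log line is there to confirm the mapping during testing and can be dropped once it is verified.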