For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MDPF5_152674's avatar
MDPF5_152674
Icon for Altostratus rankAltostratus
May 12, 2014

iRule for Snat pool association

Hi Community, i want to realize an iRule that matches the Client ip address(when Client Accepted) with a list of subnets . If it matches, then associate the ip address to a Snat address(forced), if...
application delivery
deployment
devops
iRules
LTM
performance
Henrik_Gyllkran's avatar
Henrik_Gyllkran
Icon for Nimbostratus rankNimbostratus
May 12, 2014

I'm not sure I understand you correctly, do you want to keep the three last octects in the IP address and use as a SNAT address - so if the source address is 192.168.0.32 you want the SNAT address to be 10.168.0.32. Is that what you want to do?

 

If so, yes it can be done but it's not a very realistic approach. The first part is simple, calculating an address to be used as a SNAT address is very simple. The tricky part however is that it's not enough to just use "snat 10.$xyz" because the BIG-IP needs to have an ownership of that address, otherwise it will not respond to ARP requests for that address which means that the response traffic will never be sent to the BIG-IP. Typically that is solved by adding the possible SNAT addresses to a snatpool but if you want individual SNAT addresses for all source addresses the snatpool will be HUGE!

 

If on the other hand you want 192.168.0.0/24 to be translated to one SNAT address, 192.168.1.0/24 to translated to another address and so on, that is quite feasible because we don't need thousands of addresses in the snatpool. So can you clarify your scenario?