For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

done_23947's avatar
done_23947
Icon for Nimbostratus rankNimbostratus
May 05, 2015

iRule help w/ no snat for public DMZ

I've been using a irule for several yrs and believe it works as intended. I don't change or snat public DMZ networks (neiu_dmz_subnets). I need to add another DMZ public network (ATT_DMZ) that I don't want to snat (keep the system's public IP address). First matchclass "neiu_dmz_subnets" our current public DMZ's working but second matchclass "ATT_DMZ" not working, changing IP address. Why? should I just add a "snat none"?

} elseif { [matchclass [IP::client_addr] equals neiu_dmz_subnets]} {

Data Grp 66.99.13.0/24 forward pool ISP_routers member 64.107.163.129 } elseif { [matchclass [IP::client_addr] equals ATT_DMZ]} { Data Grp 12.239.13.193-255 forward pool ISP_routers member 12.239.13.129 } else { snat automap return }

application delivery
devops
iRules

9 Replies

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    May 06, 2015

    can you post ATT_DMZ data group?

     tmsh list ltm data-group internal ATT_DMZ
    • done_23947's avatar
      done_23947
      Icon for Nimbostratus rankNimbostratus
      May 06, 2015
      I'll try 12.239.13.192/26 later today and let you know, thanks again.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 06, 2015

    can you post ATT_DMZ data group?

     tmsh list ltm data-group internal ATT_DMZ
    • done_23947's avatar
      done_23947
      Icon for Nimbostratus rankNimbostratus
      May 06, 2015
      I'll try 12.239.13.192/26 later today and let you know, thanks again.
  • done_23947's avatar
    done_23947
    Icon for Nimbostratus rankNimbostratus
    May 06, 2015
    Thanks for the help. ATT_DMZ data grp is 12.239.13.193/255.255.255.192.
  • done_23947's avatar
    done_23947
    Icon for Nimbostratus rankNimbostratus
    May 06, 2015
    [root@lc2:Active] config tmsh list ltm data-group internal ATT_DMZ 01020036:3: The requested class (internal) was not found. ltm data-group ATT_DMZ { records { 12.239.113.193/26 { } } type ip } [root@lc2:Active] config
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 06, 2015

    ATT_DMZ data grp is 12.239.13.193/255.255.255.192.

    i think it should be 12.239.13.192/255.255.255.192.

    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) create ltm data-group internal ATT_DMZATT_DMZ type ip records add { 12.239.13.193/255.255.255.192 }
01070655:3: Invalid address and mask 12.239.13.193 and 255.255.255.192. Address must equal address & mask.
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) create ltm data-group internal ATT_DMZATT_DMZ type ip records add { 12.239.13.192/255.255.255.192 }
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal ATT_DMZATT_DMZ
ltm data-group internal ATT_DMZATT_DMZ {
    records {
        12.239.13.192/26 { }
    }
    type ip
}
  • done_23947's avatar
    done_23947
    Icon for Nimbostratus rankNimbostratus
    May 06, 2015
    Sorry I was testing w/ a host address also and had a typo. [root@lc2:Active] config tmsh list ltm data-group internal ATT_DMZ 01020036:3: The requested class (internal) was not found. ltm data-group ATT_DMZ { records { 12.239.13.193/26 { } } type ip } [root@lc2:Active] config