iRule matching destination address using VPN

Question

Hello,
I have a F5 running LTP/APM and I'm using the EDGE-client for SSL-VPN. As it is now I'm using a full tunnel since I have both outside and inside of the F5 connected to a firewall.
Right now i SNAT and everything works fine but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks. (all private networks)
I have found examples where I sort traffic based on the source (client) but I want to check if the resource the vpn-connection is trying to reach is a private address and if so use NO SNAT and if the resource is a public address then use SNAT.
In my example I have IP::client_addr which returns the address my client is coming from. But I want to see the address I'm going to, through the vpn-tunnel.
I get address 192.168.100.200 on my tunnel-interface on my client. When I try to reach for example www.sunet.se (192.36.171.231) I want to get that IP and match it against the private networks and if it's a match - no nat and otherwise nat.
Am I being confusing? 🙂
Iv'e been broswing around the iRule reference but can't find anything that suite my needs. I can get my public IP outside the tunnel, i can get the ip of the VS im connected to, I can get the IP my tunnel-interface has but I can't get the destination Ip. Is it possible?
Best regards,
// Fredrik
&nbsp;
when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or
  [IP::addr [IP::client_addr] equals 192.168.0.0/16] or
   [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
   snat none 
  }
   else {
  snat automap}
}

&nbsp;

kai_wilke · Answer

Hi Fremann,
you have to change [IP::client_addr] (src_addr) to [IP::local_addr] (dst_addr).
Note: To see the available IP addreses, you could implement some debug code to write every [IP::x_addr] command into your logfiles.
&nbsp;
when CLIENT_ACCEPTED {
    if { [catch {
        log -noname local0.debug "Client_Addr: [IP::client_addr]"
    }]} then {
        log -noname local0.debug "Client_Addr: Not available"
    }
    if { [catch {
        log -noname local0.debug "Server_Addr: [IP::server_addr]"
    }]} then {
        log -noname local0.debug "Server_Addr: Not available"
    }
    if { [catch {
        log -noname local0.debug "Local_Addr: [IP::local_addr] "
    }]} then {
        log -noname local0.debug "Local_Addr: Not available"
    }
    if { [catch {
        log -noname local0.debug "Remote_Addr: [IP::remote_addr]"
    }]} then {
        log -noname local0.debug "Remote_Addr: Not available"
    }
}

&nbsp;
Cheers, Kai

freman_200486 · Answer

Hello Kai,
I have used log local0. to see what the following are returning: [IP::remote_addr], [IP::client_addr], [IP::local_addr]
In my case I get the following:
&nbsp;
[IP::remote_addr] = 193.108.5.* (public address of the client having the edge-client installed)
[IP::client_addr] = 193.108.5.* (same address as above)
[IP::local_addr] = 192.165.58.* (address of the VS the edge-client is connecting to)

&nbsp;
What I can't see is the IP of the site I'm browsing to through the tunnel. If I open a browser and go to www.sunet.se I still get the same IP's returned from [IP::remote_addr], [IP::client_addr], [IP::local_addr].
I'd like to see the address of the site I'm connecting to 192.36.171.231 so I can use that as a matching condition in my iRule.
Any other tips on how to get this information in an iRule?
Regards
// Fredrik

kai_wilke · Answer

Hi Freman,
it seems that the iRule is not triggered for the traffic passing through the tunnel.
I've asked Google and got the response back, that you have to assign the iRule as a "related-rule" to enable it for the Network Access tunnel-listener...
tmsh modify ltm virtual YOUR_VS_NAME related-rules { YOUR_RULE_NAME }
Cheers, Kai

freman_200486 · Answer

Hello again,&nbsp;
I tried your suggestion above but I get no hits on the iRule when I look at my logging. &nbsp;
Might try to do a partition and a route-domain and connect that to my firewall. Then the F5 can still be the termination point for my vpn and I do NO NAT and then let the firewall do the natting externally instead.&nbsp;
It would be nice though to be able to sove this in the F5 anyway. :) &nbsp;
Thank you for your help so far :)&nbsp;
Regards&nbsp;
// Fredrikk&nbsp;

kai_wilke · Answer

Hi Freman,

The available information on the rather new "related-rules" command and the valid usecases are almost non-existent. So you may ask the F5 support for further assitence and keep us then updated... :-)

Cheers, Kai

Forum Discussion

iRule matching destination address using VPN

10 Replies

Recent Discussions

Issue on license renewal

Viprion files on blades.

redirect not working

active/active Support Declarative Onboarding

Reliable resources for identifying IP addresses

Related Content

CSV to Address External Datagroup File

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

Block destination IP by source IP

Increasing accuracy using Bad Actor and Attacked Destination detection

DESTINATION HOST UNREACHABLE