Forum Discussion
freman_200486
Nimbostratus
NimbostratusiRule matching destination address using VPN
Hello,
I have a F5 running LTP/APM and I'm using the EDGE-client for SSL-VPN. As it is now I'm using a full tunnel since I have both outside and inside of the F5 connected to a firewall.
Right now i SNAT and everything works fine but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks. (all private networks)
I have found examples where I sort traffic based on the source (client) but I want to check if the resource the vpn-connection is trying to reach is a private address and if so use NO SNAT and if the resource is a public address then use SNAT.
In my example I have IP::client_addr which returns the address my client is coming from. But I want to see the address I'm going to, through the vpn-tunnel.
I get address 192.168.100.200 on my tunnel-interface on my client. When I try to reach for example www.sunet.se (192.36.171.231) I want to get that IP and match it against the private networks and if it's a match - no nat and otherwise nat.
Am I being confusing? 🙂
Iv'e been broswing around the iRule reference but can't find anything that suite my needs. I can get my public IP outside the tunnel, i can get the ip of the VS im connected to, I can get the IP my tunnel-interface has but I can't get the destination Ip. Is it possible?
Best regards,
// Fredrik
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or
[IP::addr [IP::client_addr] equals 192.168.0.0/16] or
[IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
snat none
}
else {
snat automap}
}
- Kai_Wilke
MVP
Hi Fremann,
you have to change [IP::client_addr] (src_addr) to [IP::local_addr] (dst_addr).
Note: To see the available IP addreses, you could implement some debug code to write every [IP::x_addr] command into your logfiles.
when CLIENT_ACCEPTED { if { [catch { log -noname local0.debug "Client_Addr: [IP::client_addr]" }]} then { log -noname local0.debug "Client_Addr: Not available" } if { [catch { log -noname local0.debug "Server_Addr: [IP::server_addr]" }]} then { log -noname local0.debug "Server_Addr: Not available" } if { [catch { log -noname local0.debug "Local_Addr: [IP::local_addr] " }]} then { log -noname local0.debug "Local_Addr: Not available" } if { [catch { log -noname local0.debug "Remote_Addr: [IP::remote_addr]" }]} then { log -noname local0.debug "Remote_Addr: Not available" } }Cheers, Kai
freman_200486Hello Kai,
I have used log local0. to see what the following are returning: [IP::remote_addr], [IP::client_addr], [IP::local_addr]
In my case I get the following:
[IP::remote_addr] = 193.108.5.* (public address of the client having the edge-client installed) [IP::client_addr] = 193.108.5.* (same address as above) [IP::local_addr] = 192.165.58.* (address of the VS the edge-client is connecting to)What I can't see is the IP of the site I'm browsing to through the tunnel. If I open a browser and go to www.sunet.se I still get the same IP's returned from [IP::remote_addr], [IP::client_addr], [IP::local_addr].
I'd like to see the address of the site I'm connecting to 192.36.171.231 so I can use that as a matching condition in my iRule.
Any other tips on how to get this information in an iRule?
Regards
// Fredrik
- Kai_Wilke
Hi Freman,
it seems that the iRule is not triggered for the traffic passing through the tunnel.
I've asked Google and got the response back, that you have to assign the iRule as a "related-rule" to enable it for the Network Access tunnel-listener...
tmsh modify ltm virtual YOUR_VS_NAME related-rules { YOUR_RULE_NAME }
Cheers, Kai
- freman_200486
Hello again,
I tried your suggestion above but I get no hits on the iRule when I look at my logging.
Might try to do a partition and a route-domain and connect that to my firewall. Then the F5 can still be the termination point for my vpn and I do NO NAT and then let the firewall do the natting externally instead.
It would be nice though to be able to sove this in the F5 anyway. :)
Thank you for your help so far :)
Regards
// Fredrikk
- Kai_WilkeHi Freman, The available information on the rather new "related-rules" command and the valid usecases are almost non-existent. So you may ask the F5 support for further assitence and keep us then updated... :-) Cheers, Kai
- freman_200486
I will pass the question on and as soon as I know more I will post i here :)
Cheers, Fredrik
- Kai_WilkeGreat! Good luck! ;-)
Piotr_Bratkows3Hello,
Any findings in that matter? I've tried to setup this in my lab, but it's not working at all:/
Regards, Piotr
danielpenna_196This is exactly what we are needing at the moment. Did you get this resolved freman ?
- Kai_Wilke
Hi Daniel,
I guess the problem of this topic is related to an already fixed APM issue, which had cause APM to ignore the "related-rules" settings of the connected virtual server.
So you may try the [catch] [log] iRule below and then bind this iRule using the command below...
tmsh modify ltm virtual YOUR_VS_NAME related-rules { YOUR_RULE_NAME }
Cheers, Kai
