markj_58101
Jun 01, 2009
Solved

Irule SNAT based on destination IP address.

Hi there, I am looking to create an Irule SNAT for outbound requests to a specific IP address. So when source = X and destination = Y then use the SNAT. I have seen various other similar methods on here using DNS etc. but wanted to find out if anybody had done this before. How would you define the destination address in the Irule?

Many thanks

Mark

4 Replies

  • Hi Mark,

    Here is an example in the wiki section of this site

    http://devcentral.f5.com/wiki/default.aspx/iRules/snat.html

    Hope this helps,

    Chetan

  • Thanks for the response.

    I am trying to do the Irule SNAT based on the destination IP address so I changed your example in the Wiki from this:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] } {
            snat 10.136.77.62
        }
    }

    To this:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 212.212.50.50/32] } {
            snat 10.136.77.62
        }
    }

    Adding in the remote_addr section.

    I did a tcpdump on the outside interface of the F5 and it's not translating. To give some background on this, I also have an IP forwarder set up to allow the web servers behind the LTM to make outbound connections so normally they come from their real address. So what I am trying to achieve is to have any of the normal web servers use the IP forwarder to make outbound connections and not get SNAT'd, but when a specific web server makes outbound connections to a specific public IP address then it must get SNAT'd. The reason I have the IP forwarder in place is because there is also a Site to Site VPN on the Firewalls in front of the LTMs so they need to come from their real address when going across the VPN.

    I am applying the Irule to the IP Forwarder, is that the correct place to be applying it?
  • I believe you would need IP::local_addr in this instance for the destination, and I think you have the irule in the right place.

    I'm running some similar SNATs at the moment, but I had some odd issues.

    Here's the same thing (there may be more efficient ways of doing this...), but using datagroups and an snat pool instead of a single snat. I had some issues using a single snat in my config, but it worked fine using an snatpool consisting of a single snat IP.

    This will match any source IP in datagroup webserver_datagroup, where the destination is in external_servers, and snat it to the address(es) in snat_pool_1

    when CLIENT_ACCEPTED {
        set failed 0
        # Source (the web server) must be in webserver_datagroup and the
        # destination (IP::local_addr) must be in external_servers
        if { [matchclass [IP::client_addr] equals $::webserver_datagroup] \
             and [matchclass [IP::local_addr] equals $::external_servers] } {
            use snatpool snat_pool_1
        }
    }
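
The single-address case from the original question (source = X and destination = Y), as an added example that is not part of any post in the thread. In CLIENT_ACCEPTED on the forwarding virtual server, IP::remote_addr is the web server itself, which is why a test against it never matches the public destination. The web server address 10.10.10.25 and the debug variable are assumptions; the destination and SNAT address are the ones quoted in the thread.

```tcl
when CLIENT_ACCEPTED {
    # Assumed for illustration: 10.10.10.25 is a hypothetical web server.
    # 212.212.50.50 and 10.136.77.62 are the addresses quoted in the thread.
    set debug 1

    # CLIENT_ACCEPTED runs in the clientside context of the forwarding
    # virtual server, where the "client" is the web server going outbound:
    #   IP::client_addr  source of the connection (the web server)
    #   IP::local_addr   address the web server connected to (the destination)
    #   IP::remote_addr  far end of this side of the connection, which is
    #                    the web server again, not the public destination
    if { $debug } {
        log local0. "src=[IP::client_addr] dst=[IP::local_addr] remote=[IP::remote_addr]"
    }

    if { [IP::addr [IP::client_addr] equals 10.10.10.25] &&
         [IP::addr [IP::local_addr] equals 212.212.50.50] } {
        # Only this source/destination pair is translated.
        snat 10.136.77.62
        if { $debug } {
            log local0. "SNAT 10.136.77.62 applied: [IP::client_addr] -> [IP::local_addr]"
        }
    } else {
        # Everything else keeps its real source address, which the
        # site-to-site VPN traffic described in the thread relies on.
        snat none
    }
}
```

The log lines go to /var/log/ltm and can be compared with a tcpdump on the outside interface; set debug to 0 once the match is confirmed, since the first log statement fires for every forwarded connection.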