Forum Discussion
markj_58101
Nimbostratus
Jun 01, 2009
iRule SNAT based on destination IP address.
Hi there, I am looking to create an iRule SNAT for outbound requests to a specific IP address. So when source = X and destination = Y then use the SNAT. I have seen various other similar methods on here using DNS etc. but wanted to find out if anybody had done this before. How would you define the destination address in the iRule?
Many thanks
Mark
4 Replies
- The_Bhattman
Nimbostratus
Hi Mark,
Here is an example in the wiki section of this site
http://devcentral.f5.com/wiki/default.aspx/iRules/snat.html
Hope this helps,
Chetan
- markj_58101
Nimbostratus
Thanks for the response.
I am trying to do the iRule SNAT based on the destination IP address so I changed your example in the Wiki from this:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] }{
        snat 10.136.77.62
    }
}
To this:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 212.212.50.50/32] }{
        snat 10.136.77.62
    }
}
Adding in the remote_addr section.
I did a tcpdump on the outside interface of the F5 and it's not translating. To give some background on this, I also have an IP forwarder set up to allow the web servers behind the LTM to make outbound connections, so normally they come from their real address. So what I am trying to achieve is to have any of the normal web servers use the IP forwarder to make outbound connections and not get SNAT'd, but when a specific web server makes outbound connections to a specific public IP address it must get SNAT'd. The reason I have the IP forwarder in place is because there is also a Site to Site VPN on the Firewalls in front of the LTM's, so they need to come from their real address when going across the VPN.
I am applying the iRule to the IP Forwarder; is that the correct place to be applying it?
- DJ_23086
Altocumulus
I believe you would need IP::local_addr in this instance for the destination, and I think you have the irule in the right place.
I'm running some similar SNAT's at the moment, but I had some odd issues.
Here's the same thing (there may be more efficient ways of doing this...), but using datagroups and an snat pool instead of a single snat. I had some issues using a single snat in my config, but it worked fine using an snatpool consisting of a single snat IP.
This will match any source IP in datagroup webserver_datagroup, where the destination is in external_servers, and snat it to the address(es) in snat_pool_1:
when CLIENT_ACCEPTED {
    set failed 0
    if {[matchclass [IP::client_addr] equals $::webserver_datagroup] \
        and [matchclass [IP::local_addr] equals $::external_servers]}{
        use snatpool snat_pool_1
    }
}
- markj_58101
Nimbostratus
Thanks, I will give it a try.
Mark
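Putting the two replies together, the following is a complete iRule for the IP-forwarding virtual server described in the thread. It is an added example, not code posted by any participant. The destination 212.212.50.50 and the SNAT address 10.136.77.62 are taken from Mark's post; the web server address 10.10.10.50 is an assumption, and the single-address form (no data groups) is used so the rule runs without any other configuration. The point it illustrates is why the second version of Mark's rule never translated anything: in CLIENT_ACCEPTED, IP::remote_addr is the connecting client (the same value as IP::client_addr), so comparing it with the public destination can never match. On a wildcard forwarding virtual server the address the server connected to is IP::local_addr.

```tcl
# Added example, not from the thread. Attach to the IP-forwarding virtual
# server. Only the one source/destination pair is SNATed; every other
# outbound connection keeps its real source address so it can cross the
# site-to-site VPN unchanged.
#
# Assumed values: 10.10.10.50 is the web server that must be SNATed (made
# up for this example), 212.212.50.50 is the public destination and
# 10.136.77.62 the SNAT address (both from the thread).

when CLIENT_ACCEPTED {
    # Client side of the connection:
    #   IP::client_addr = the internal server that opened the connection
    #   IP::local_addr  = the address it connected to, i.e. the real
    #                     destination on a wildcard forwarding VS
    # IP::remote_addr here is the client, not the destination, so a test
    # against 212.212.50.50 on it never fires.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    if { [IP::addr $src equals 10.10.10.50] and \
         [IP::addr $dst equals 212.212.50.50] } {
        # Translate only this flow. To cover a whole range use the CIDR
        # form, e.g. [IP::addr $dst equals 212.212.50.0/24].
        snat 10.136.77.62
        log local0. "SNAT applied: $src -> $dst via 10.136.77.62"
    } else {
        # Explicitly disable SNAT so the real source address is preserved,
        # which is what the VPN on the upstream firewalls expects.
        snat none
    }
}
```

To verify, run tcpdump on the external VLAN while the server at 10.10.10.50 connects to 212.212.50.50 (the source should now be 10.136.77.62) and while any other server connects anywhere (the source should be unchanged); the log line in /var/log/ltm shows which branch fired. When the list of sources or destinations grows, replace the two IP::addr tests with matchclass lookups against data groups as in DJ_23086's reply, and use a snatpool instead of a single snat address if several translation addresses are needed.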