Forum Discussion

markj_58101's avatar
markj_58101
Icon for Nimbostratus rankNimbostratus
Jun 01, 2009
Solved

Irule SNAT based on destination IP address.

Hi there, I am looking to create an Irule SNAT for outbound requests to a specific IP address. So when source = X and destination = Y then use the SNAT. I have seen various other similar methods on he...
application delivery
dev
devops
iRules
  • DJ_23086's avatar
    DJ_23086
    Jun 08, 2009
    I believe you would need IP::local_addr in this instance for the destination, and I think you have the irule in the right place.

    I'm running some similar SNAT's at the moment, but I had some odd issues.

    Here's the same thing (there may be more efficient ways of doing this...), but using datagroups and an snat pool instead of a single snat. I had some issues using a single snat in my config, but it worked fine using an snatpool consisting of a single snat IP.

    This will match any source IP in datagroup webserver_datagroup, where the destination is in external_servers, and snat it to the address(es) in snat_pool_1 

     
 when CLIENT_ACCEPTED { 
 set failed 0 
 if {[matchclass [IP::client_addr] equals $::webserver_datagroup] \ 
              and [matchclass [IP::local_addr] equals $::external_servers]}{ 
 use snatpool snat_pool_1 
 } 
 }
markj_58101's avatar
markj_58101
Icon for Nimbostratus rankNimbostratus
Jun 02, 2009
Thanks for the response.

 

I am trying to do the Irule SNAT based on the destination IP address so I changed your example in the Wiki from this:

 

when CLIENT_ACCEPTED {

 

if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] }{

 

snat 10.136.77.62

 

}

 

}

 

To this:

 

when CLIENT_ACCEPTED {

 

if { [IP::addr [IP::remote_addr] equals 212.212.50.50/32] }{

 

snat 10.136.77.62

 

}

 

}

 

Adding in the remote_addr section.

 

I did a tcpdump on the outside interface of the F5 and it's not translating. To give some backgroud on this, I also have an IP forwareder setup to allow the web servers behind the LTM to make outbound connections so normally they come from their real address. So what I am trying to achieve is to have any of normal web servers to use the IP forwader to make outbound connections and not get SNAT'd but when a specific web servers makes outbound connections to a specific public IP address then it must get SNAT'd. The reason I have the IP forwader in place is because there is also a Site to Site VPN on the Firewalls in front of the LTM's so they need to come from their real address when going across the VPN.

 

I am applying the Irule to the IP Forwader, is that the correct place to be applying it?