Forum Discussion

Nimbostratus

Jun 01, 2009

Irule SNAT based on destination IP address.

Hi there, I am looking to create an Irule SNAT for outbound requests to a specific IP address. So when source = X and destination = Y then use the SNAT. I have seen various other similar methods on he...

DJ_23086
Jun 08, 2009
I believe you would need IP::local_addr in this instance for the destination, and I think you have the irule in the right place.

I'm running some similar SNAT's at the moment, but I had some odd issues.

Here's the same thing (there may be more efficient ways of doing this...), but using datagroups and an snat pool instead of a single snat. I had some issues using a single snat in my config, but it worked fine using an snatpool consisting of a single snat IP.

This will match any source IP in datagroup webserver_datagroup, where the destination is in external_servers, and snat it to the address(es) in snat_pool_1

when CLIENT_ACCEPTED { set failed 0 if {[matchclass [IP::client_addr] equals $::webserver_datagroup] \ and [matchclass [IP::local_addr] equals $::external_servers]}{ use snatpool snat_pool_1 } }

markj_58101

Nimbostratus

Jun 02, 2009

Thanks for the response.

I am trying to do the Irule SNAT based on the destination IP address so I changed your example in the Wiki from this:

when CLIENT_ACCEPTED {

if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] }{

snat 10.136.77.62

}

To this:

when CLIENT_ACCEPTED {

if { [IP::addr [IP::remote_addr] equals 212.212.50.50/32] }{

snat 10.136.77.62

}

Adding in the remote_addr section.

I did a tcpdump on the outside interface of the F5 and it's not translating. To give some backgroud on this, I also have an IP forwareder setup to allow the web servers behind the LTM to make outbound connections so normally they come from their real address. So what I am trying to achieve is to have any of normal web servers to use the IP forwader to make outbound connections and not get SNAT'd but when a specific web servers makes outbound connections to a specific public IP address then it must get SNAT'd. The reason I have the IP forwader in place is because there is also a Site to Site VPN on the Firewalls in front of the LTM's so they need to come from their real address when going across the VPN.

I am applying the Irule to the IP Forwader, is that the correct place to be applying it?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Irule SNAT based on destination IP address.

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Virtual Server to maintain the same destination port to the backend

Can two virtual servers share the same destination IP/destination Port and Service if the source subnet is different?

Custom error page iRule with IP address filtering

iRule - Restricting IP addresses for a portion of URI

Virtual Server Destination address

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS