Forum Discussion
Thomas_Knutson_
Nimbostratus
NimbostratusiRule to autonat for specific client subnets
We have a need to have certain client requests use the autonat function, specifically for devices on our internal subnets that call our virtual servers. For example, we want to only use autonat for 10.10.10.0/24 subnet clients, and not use it for everything else. Is this possible with an iRule, or should I be looking down another path? I have been searching the forums, but have not had much luck yet and may be using incorrect search syntax. Would anyone be able to point me in the right direction, or give me an example of some syntax to use?
Tom
4 Replies
Thomas_Knutson_I did some more looking around, and think I may have been able to adapt an iRule to acomplish this. Will the iRule below work, or is there a better way for me to write it?when CLIENT_ACCEPTED {
if { [IP::addr [IP::remote_addr] equals xx.xx.xx.xx/24] } {
snat automap
} elseif { [IP::addr [IP::remote_addr] equals yy.yy.yy.yy/24] } {
snat automap
} elseif { [IP::addr [IP::remote_addr] equals zz.zz.zz.zz/24] } {
snat automap
} else {
return
}
}
hoolioCirrostratus
Hi Thomas,
I'd add the three networks to an address datagroup and then use the class match command to see if the client IP is in the datagroup ranges:when CLIENT_ACCEPTED { Check if the client IP is in the client_ip_class datagroup if {[class match [IP::client_addr] equals client_ip_class]}{ snat automap } }
Aaron- Thomas_Knutson_Aaron,
Great, I will give that a try instead of my original iRule. By using a datagroup, will that cause the iRule to perform better? I'm still getting the hang of these devices, and sometimes am unsure of weather to use a datagroup or not when building rules?
Thomas
- hoolioA class lookup against a datagroup should be more efficient in most cases. See Joe's article here for complete details:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086424/Comparing-iRule-Control-Statements.aspx
Aaron
