Forum Discussion
irule to enable snat on Network Access SSL VPN
Hi all,
I need advice on how to proceed with SNAT configuration in my specific scenario.
I would really appreciate your help.
I've got an APM and SSL VPN configured on top of it.
I use split tunnelling to access private corporate networks.
There's no SNAT configured on the Networks Access List Settings tab, as we need to see the IP address of the connected client.
But there's a specific network where all hosts have a different default gateway configured, and my BIG-IP has a leg on this net.
So, I need to perform SNAT when a VPN client tries to communicate with hosts in this network.
I tried to use the following iRule:
    when CLIENT_ACCEPTED {
        # SNAT only when the local (destination) address is in 192.168.200.0/24
        if { [IP::addr [IP::local_addr] equals 192.168.200.0/255.255.255.0] } {
            snatpool /Common/dmz1-snatpool
        } else {
            return
        }
    }
But had no luck. As I found from tcpdump, there's a specific listener called _tmm_apm_fwd_vip that processes decapsulated packets from VPN clients.
Is there any way to solve this with iRules?
Maybe there's another event in the traffic flow I should use?

1 Reply
- Vsevolod_Petrov
Hi,
It turned out to be a very simple and obvious solution. I just have to create a more specific VS with my source and destination and enable SNAT on it. Awesome!
Thanks Ope from EMEA office for returning me back to reality!
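
A sketch of the more specific virtual server described in the reply, added here as an example and not taken from the original posts. The virtual server name, the VPN client lease-pool range, and the choice of a forwarding (IP) virtual server with fastL4 are assumptions; the destination network and SNAT pool are the ones from the question.

```tmsh
# Added example. Replace the placeholders before use.
#   vs_vpn_to_dmz1   - hypothetical virtual server name
#   10.10.10.0/24    - placeholder for the Network Access lease pool range
create ltm virtual vs_vpn_to_dmz1 {
    # Match only traffic destined for the network with the foreign default gateway
    destination 192.168.200.0:any
    mask 255.255.255.0
    # Match only VPN clients as the source
    source 10.10.10.0/24
    ip-protocol any
    # Forward packets instead of load balancing to a pool (assumption)
    ip-forward
    profiles add { fastL4 }
    # Translate the source so replies return to the BIG-IP, not the other gateway
    source-address-translation { type snat pool /Common/dmz1-snatpool }
}
```

Because this listener matches only the lease-pool source and the 192.168.200.0/24 destination, client addresses stay visible on every other split-tunnel network.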
