F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Jason_Roppolo_3's avatar
Jason_Roppolo_3
Historic F5 Account
May 14, 2006

iRules and SNAT

All,     I was wondering if I could get some assistance with an issue:     I have a rather large customer that is trying to replace several Alteon Switches, but we are having one issue. T...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
May 15, 2006
Local address is a given based on the virtual to which the rule is applied.

This syntax should work:

when CLIENT_ACCEPTED {
  if {[IP::addr [IP::remote_addr] equals x.x.x.x/24] ) {
    snat y.y.y.y
  }
}
This version allows a comparison to a subnet for flexibility. (The appropriate syntax corrections have also been made on the "snat" & "snatpool" wiki pages.)

But actually, you shouldn't really need a rule-- you can enable a selective SNATpool on the forwarding virtual to SNAT only the backend server address range:

Create a SNATpool:

"Translation": SNAT pool

"Origin": Address list. Add host or network address list that covers all the backend hosts that may make requests that need SNATing.

"VLAN Traffic": Enable only on the VLAN(s) hosting the origin addresses. (optional -- gives better control of SNAT)

Apply the SNAT pool created above to your wildcard VS, and it will only SNAT the listed origin addresses, letting all other traffic pass through unSNAT'd.

HTH

/deb