Forum Discussion
Jason_Roppolo_3
May 14, 2006
Historic F5 Account
iRules and SNAT
All,
I was wondering if I could get some assistance with an issue:
I have a rather large customer that is trying to replace several Alteon Switches, but we are having one issue. T...
Deb_Allen_18
May 15, 2006
Historic F5 Account
Interesting twist -- I've never had to SNAT on specific destination IPs through a forwarding virtual server (no defined local address, and the destination addresses are not local objects either.)
To match only specific source IPs, you can create the SNATpool with the same origin filter as above.
To limit the SNAT to only specific destination IPs, I'm thinking the rule would be something like:
when CLIENT_ACCEPTED {
    log local0. "Local address is [IP::local_addr]"
    if { [IP::addr [IP::local_addr] equals x.x.x.0/24] } {
        snatpool mySNATpool
    }
}
(I'm not 100% certain which IP command would pick up the destination address passing through a forwarding virtual. I'm guessing that it must be "local_addr", but I don't have a way to test a forwarding virtual, so I added a log line to help figure that out.)
You can use a class of type network to list the destination addresses which are SNAT candidates:
class BounceBackSNAT {
"x.x.x.a"
"z.z.x.0 netmask 255.255.255.0"
}
when CLIENT_ACCEPTED {
    # matchclass checks the address against every entry in the class
    if { [matchclass [IP::local_addr] equals $::BounceBackSNAT] } {
        snatpool mySNATpool
    }
}
Does that sound more like what you were going for?
/deb