Forum Discussion

Billy_Tolcher_1
Oct 17, 2005

isnat configuration - version 4.5

please assist -

I have found a lot of information on isnat configurations with 9.0, but there isn't much mention of 4.5 rules anymore.

Architecture:

The BIG-IP is deployed in a multi-arm configuration with 3 arms: vlan 1 external, vlan 2 internal, and vlan 3 ancillary. Traffic originates on both vlan 1 and vlan 2, and server nodes are on vlan 2 and vlan 3.

In the instance where traffic originates on vlan 2 and the server nodes are on vlan 2, I need to have a SNAT configured to translate the address (standard single arm configuration).

Requirements -

Functional on version 4.5 10.
SNAT automap is disabled.
Only traffic passing through the specified virtual server uses the SNAT.

Solution (?) -

The rule that I currently use is below:

    if (http_uri contains "server=1") {
      use pool 1_pool
    }
    else if (http_uri contains "server=2") {
      use pool 2_pool
    }
    else if (http_uri contains "server=3") {
      use pool 3_pool
    }
    else {
      use pool hr_pool
    }

Will this work?

    if (http_uri contains "server=1") {
      snat 1.2.3.4
      use pool 1_pool
    }
    else if (http_uri contains "server=2") {
      use pool 2_pool
    }
    else if (http_uri contains "server=3") {
      use pool 3_pool
    }
    else {
      use pool hr_pool
    }

Any assistance is greatly appreciated.

BT
  • Martin_Machacek (Historic F5 Account)
    Billy,

    first let me better understand your requirements. They seem to be a little bit contradictory (at least to me :-)). In the beginning you describe a pretty standard VIP bounce-back configuration, but later (in your desired rule example) you show a selective SNAT based on the content of the HTTP URI. Do you really need the SNAT to be triggered based on the presence of "server=1" in the URI, or is it enough to trigger it based on VLAN and source address (which is enough for the bounce-back to work)?

    For the standard bounce you can use the following configuration:

    snat map {  to  vlans vlan1 vlan3 disable }
    snat  netmask 

    If you really need to tie the SNAT to the rule, you can use (as unRuleY called it) YASF (Yet Another Stealth Feature) called snatpool. Your configuration may look like this:

    
    snatpool snat_on_vlan2 {
      member 1.2.3.4
    }
    if (http_uri contains "server=1") {
      use pool 1_pool
      use snatpool snat_on_vlan2
    }
    else if (http_uri contains "server=2") {
      use pool 2_pool
    }
    else if (http_uri contains "server=3") {
      use pool 3_pool
    }
    else {
      use pool hr_pool
    }

    The configuration system will automagically add the following statement to your config:

    snat translation 1.2.3.4

    Please, keep in mind that snatpools are stealth, undocumented and hence also unsupported feature in v4.x.
  • Sorry for the confusion in my earlier post. I do want to tie the snat to the rule, and I do want to use it based on the source address!

    There is a default snat already configured on the big-ip to handle traffic going to the 3rd VLAN as the target nodes on that vlan have a default gateway other than the big-ip.

    I want to bypass that default snat with one that recognizes the source ip address range, and then maps the snatpool based on that result. However, the rule would still need to be able to parse the http uri for matches, and route the requests appropriately.

    Thanks for the help,

    BT
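A small Python model of the decision the two posts describe, added here as an example (it is not BIG-IP rule syntax and not code from the thread): pool selection follows the posted URI rule, traffic to the vlan 3 nodes keeps the default SNAT, and a rule-selected translation is applied only when the client's source address falls in the vlan 2 range and the chosen pool's nodes are on that same vlan, the bounce-back case where a node would otherwise reply to the client directly and the return path would skip the BIG-IP. The pool-to-VLAN mapping, the client range and the default SNAT name are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed assumptions (not from the thread): which VLAN each pool's nodes
# sit on, the address range that identifies clients arriving on vlan 2, and a
# placeholder name for the default SNAT already configured for vlan 3 targets.
POOL_VLAN = {"1_pool": "vlan2", "2_pool": "vlan3", "3_pool": "vlan3", "hr_pool": "vlan3"}
VLAN2_CLIENTS = ip_network("10.2.0.0/24")
SNATPOOL_VLAN2 = "1.2.3.4"          # translation address from the thread
DEFAULT_SNAT_VLAN3 = "default_snat"  # hypothetical name for the existing default SNAT


def select_pool(http_uri: str) -> str:
    """Mirror the URI-based pool selection from the posted rule."""
    if "server=1" in http_uri:
        return "1_pool"
    if "server=2" in http_uri:
        return "2_pool"
    if "server=3" in http_uri:
        return "3_pool"
    return "hr_pool"


def select_snat(client_ip: str, pool: str) -> Optional[str]:
    """Decide which translation, if any, the connection needs.

    Nodes on vlan 3 route replies via another gateway, so they keep the default
    SNAT. A vlan 2 client talking to a vlan 2 pool needs the rule's snatpool,
    otherwise the node answers the client directly and bypasses the BIG-IP.
    Any other combination (for example a vlan 1 client to a vlan 2 pool) needs none.
    """
    pool_vlan = POOL_VLAN[pool]
    if pool_vlan == "vlan3":
        return DEFAULT_SNAT_VLAN3
    if pool_vlan == "vlan2" and ip_address(client_ip) in VLAN2_CLIENTS:
        return SNATPOOL_VLAN2
    return None


def route(client_ip: str, http_uri: str) -> Tuple[str, Optional[str]]:
    """Return (pool, snat translation or None) for one request."""
    pool = select_pool(http_uri)
    return pool, select_snat(client_ip, pool)


if __name__ == "__main__":
    # Constructed sample requests: a vlan 2 client, then a vlan 1 client.
    for ip, uri in [("10.2.0.7", "/app?server=1"), ("10.2.0.7", "/app?server=2"), ("192.0.2.9", "/app?server=1")]:
        print(ip, uri, route(ip, uri))
```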