Forum Discussion
Looking for an iRule that will take the same IP from SNAT Pool as that of the source IP.
Hi all,
I am trying to set up a client VPN on F5 with SNAT pool enabled.
That is (scenario): When BIG IP VPN client hits the virtual server ( where SNAT is enabled with SNAT pool). It chooses a random IP from the SNAT pool to leave the F5 using its self-IP interface, toward my firewall which is behind F5, and from the firewall to the destination server. Hence, the source IP becomes one of the random IPs from the SNAT pool (and not the actual VPN client IP address) when it reaches the firewall (that is behind my F5).
If I set SNAT automap, it replaces the source IP as the self-IP address of the F5 and when it reaches my firewall, the source IP is the F5 self-IP address and not the BIG IP VPN client IP.
My goal is to retain the source IP as the BIG IP VPN client. Is there a way or irule to achieve that?
Saw a irule i don't know if that will work :
when CLIENT_ACCEPTED {
switch -glob [IP::local_addr] {
"17216.48.10" { snat 17216.48.10 }
"17216.48.11" { snat 17216.48.11 }
"17216.48.12" { snat 17216.48.12 }
"17216.48.13" { snat 17216.48.13 }
*AND SO ON TILL THE LEASE SUBNET, that a long list of IPs mapped one to one*
}}
Regards,
Zanoob
You can disable or enable SNAT at the network access level in the APM, this will let the user connected through network access client go to the target network with the IP from the NA lease pool
- ZANOOBCirrus
Hello Kadimi,
Thank you for your reply. I would have done the same solution if my F5 had a self-IP from all the subnets in my org, and reached out to the backend subnets.
My design is to send all client VPN traffic to a gateway, which is a design provided by F5 with a KB K18487629 . Which provides this, buy sending all client VPN traffic to a gateway (firewall).
However, this does not happen unless i enable SNAT automap or SNAT with SNAT pool.
SNAT automap uses self ip to for all client IP addresses (meaning replaces source IP with F5 self IP for all clients). SNAT pool chooses the pool of IP from the SNAT pool list.
hence, checking for an irule . Also have raised a feature request with F5 for this, so the source IP remains as it is. I was able to get an irule working but had to it for the entire subnet of IP.
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 172.16.48.10/32] }{snat 172.16.48.10}
if { [IP::addr [IP::client_addr] equals 172.16.48.11/32] }{snat 172.16.48.11}
if { [IP::addr [IP::client_addr] equals 172.16.48.12/32] }{snat 172.16.48.12}
.
.
.
till end of subnet- a long one but was looking if someone had a better irule.
}
I am confused with your goals. There is no need for K18487629 unless you have to route NA traffic to a different gateway than the one followed by default without K18487629. You didn't mention what is exactly your design objective. If you only need to retain the client lease source IP, then there is no need for K18487629 nor for the iRule, you only disable SNAT and configure the routing on your network to route traffic destined to lease pool subet through F5.
- ZANOOBCirrus
That is correct, that is what I thought too.
It did not work (disabled SNAT and added static route), simple way of adding a route and sending traffic to a specific IP/gateway when SNAT is disabled. It did not work with client VPN traffic. Normal traffic it worked, but with client VPN traffic it was not forwarding the traffic using the routing table.
Hence, opened a ticket with support and they confirmed if I needed to send the CL VPN to a specific gateway i had to follow the KB article. Once I configured using the KB, it was sending the traffic to the gateway (however, had to enable SNAT there).
My goal is simple: CL VPN clients' packets to be forwarded to a gateway and to retain the source IP.
Methods tried:
1. SNAT disabled, used static route to forward traffic ( Does not work for VPN client traffic).
2. Followed KB as per support, however only works with SNAT enabled (SNAT disabled it does not work, have raised a ticket with support for the same and they are in touch with the engineering team to add a feature).
Workaround:
1. Add the SNAT pool IP (to the virtual server) same subnet as of lease IP ( however, the SNAT pool IP will not be the same as Client VPN IP).
2. Add irule in place to match with the current CL VPN client IP to a SNAT IP ( I am using this at the moment and it works . Confirmed with logs). The irule in place is
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 172.16.50.1/32] }{snat 172.16.50.1}
if { [IP::addr [IP::client_addr] equals 172.16.50.2/32] }{snat 172.16.50.2}
if { [IP::addr [IP::client_addr] equals 172.16.50.3/32] }{snat 172.16.50.3}
if { [IP::addr [IP::client_addr] equals 172.16.50.4/32] }{snat 172.16.50.4}
if { [IP::addr [IP::client_addr] equals 172.16.50.5/32] }{snat 172.16.50.5}
if { [IP::addr [IP::client_addr] equals 172.16.50.6/32] }{snat 172.16.50.6}}
But the above irule i have to create for every IP i got to match it to an SNAT IP.
Is there a logical irule to match the third and fourth octet of the client IP to the SNAT IP?
Regards,
Zanoob
Have you tried something like:
set client_addr [IP::client_addr] snat $client_addr
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com