Forum Discussion
Jliz_44390
Nimbostratus
Jul 27, 2007
Matching Source and Destination for NAT
I've let this simple problem drive me nuts now for a day and a half and I've yet to find the solution.
I'm trying to NAT when a request is made from a server behind the LB to a VIP on the same LB. All other traffic except this specific source-to-destination network pair I want to leave unchanged.
I have real servers on 10.100.104.x/24 and the VIPs are on 10.100.100.x/24.
I figured this iRule thing can't be too difficult, so I started reading up. I think I'm close, so if someone could shed some light on where I screwed up, that would be great.
Here is what I have so far.
when LB_SELECTED {
    # IP::local_addr is the VIP the client connected to; IP::server_addr would be
    # the pool member just selected (also on 10.100.104.x). Both tests go in one if.
    if { [IP::addr [IP::client_addr]/24 equals 10.100.104.0] and
         [IP::addr [IP::local_addr]/24 equals 10.100.100.0] } {
        snat automap
    }
}
Thanks in advance for the help.
-John
4 Replies
- Deb_Allen_18
Historic F5 Account
You can set up a selective SNAT instead of using an iRule.
Enable SNAT AutoMap on at least one floating self-IP address on the egress VLAN.
Then create a new SNAT, with the following settings:
-Translation: Automap
-Origin: Address List
--Type: Network
--Address: 10.100.104.0
--Mask: 255.255.255.0
-Enabled on: At least the egress VLAN
And finally, if the traffic will traverse a pool, ensure that "Allow SNAT" is still enabled on that pool. (Enabled by default)
That will translate all connections originating from the address list to the automap address, and all other connections will go un-SNAT'd.
/deb
- Esa_Kuusisto_27
Nimbostratus
Hi
I have the same kind of problem. I have two private networks in different VLANs, for example 10.10.10.0/24 and 10.10.11.0/24. I have servers in both networks. In network 10.10.10.0/24 are servers that I want to allow Internet access (third VLAN, public). If I make a SNAT rule like the one above, connections between the VLANs work, but there is no Internet connection. If I enable SNAT on the 10.10.10.0/24 VLAN and the public IP address VLAN, servers can go to the Internet but cannot make connections between the private networks. Or connections started from the 10.10.11.0/24 VLAN to the 10.10.10.0/24 VLAN work, but not the other way.
- hoolio
Cirrostratus
You could pass traffic through the BIG-IP more programmatically by creating a forwarding IP virtual server with a fastL4 profile. You can then conditionally forward requests based on source IP or network and/or destination IP or network.
Here's an example: Click here
If that's overkill for your requirements, you could trim out the classes and just forward based on IP or network using the IP::addr command (Click here).
Also, you can apply source address translation to a specific connection with the snat command (http://devcentral.f5.com/wiki/default.aspx/iRules/snat.html).
Aaron
- Esa_Kuusisto_27
Nimbostratus
Hi
Thanks for the help. With the examples I made a simple iRule:
when CLIENT_ACCEPTED {
    # $::NattedNetwork and $::PrivateNetwork are v9-style class references.
    # IP::local_addr is the destination the client connected to; in CLIENT_ACCEPTED
    # IP::remote_addr is the client itself, so it cannot be used to test the destination.
    if { [matchclass [IP::client_addr] equals $::NattedNetwork] and
         [matchclass [IP::local_addr] equals $::PrivateNetwork] } {
        forward
    } elseif { [matchclass [IP::client_addr] equals $::NattedNetwork] } {
        snat automap
    } else {
        forward
    }
}
Class NattedNetwork is the network where I do not want to use SNAT, and class PrivateNetwork is the network where I want to NAT in certain cases.
-Esa
PS. I know, last else with forward is not needed
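The selective SNAT that Deb describes above, written as tmsh commands instead of GUI clicks, for John's case of real servers on 10.100.104.0/24 hairpinning to VIPs on 10.100.100.0/24. This is an added example and not part of any post in the thread: the thread predates tmsh (Deb's steps are v9 GUI steps), so it assumes a later TMOS release with tmsh, and the object names (VLAN `internal` carrying 10.100.104.0/24, pool `app_pool`, self IP `fl_internal`, SNAT `snat_servers_to_vips`) and the test source address 10.100.104.10 are made up for illustration.

```tmsh
# Assumed names: VLAN "internal" carries 10.100.104.0/24 (the real servers),
# pool "app_pool" sits behind the 10.100.100.x VIPs. Run from the BIG-IP bash
# prompt. Without SNAT a server's return packets would go straight back to the
# calling server on the same subnet, bypassing the BIG-IP and breaking the flow.

# 1. A floating self IP on the egress VLAN. SNAT automap translates to a floating
#    self IP of the VLAN the connection leaves on, so one must exist there. In
#    current TMOS a self IP is floating when it belongs to a floating traffic
#    group (traffic-group-1 is the default one). Address is assumed.
tmsh create net self fl_internal address 10.100.104.254/24 vlan internal \
    traffic-group traffic-group-1 allow-service none

# 2. The selective SNAT: only connections whose source is in the origin list are
#    translated; every other connection keeps its real source address.
tmsh create ltm snat snat_servers_to_vips \
    origins add { 10.100.104.0/24 } \
    automap \
    vlans add { internal } vlans-enabled

# 3. The pool behind the VIP must still permit SNAT (the default is yes; set it
#    explicitly so a later change does not silently break the hairpin).
tmsh modify ltm pool app_pool allow-snat yes

# 4. Check: the object as stored, then a live connection from one of the servers
#    (10.100.104.10 is a constructed test source, not from the thread).
tmsh list ltm snat snat_servers_to_vips
tmsh show sys connection cs-client-addr 10.100.104.10

tmsh save sys config
```

The last two commands are the check a practitioner wants: `list` confirms the origin list and the VLAN the SNAT is enabled on, and `show sys connection` for a server's address shows whether the server-side client address of the flow was rewritten to the floating self IP. A flow from a host outside 10.100.104.0/24 should show the same client address on both sides of the connection, which is the "all other traffic unchanged" requirement from the original question.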