Forum Discussion
benlui_9160
Nimbostratus
Sep 08, 2009
NAT for whole internal subnet
I am using a BIG-IP HA pair with 2 segments, external (203.194.252.x) and internal (192.168.0.x).
The BIG-IP has 1 floating IP (203.194.252.123).
my internal hosts need to access externa...
hoolio
Cirrostratus
Sep 17, 2009
You can't restrict the destination IP addresses with a SNAT itself. But you could use packet filters to limit which destination addresses/subnets/ports the SNAT translation IP can connect to. You can check the LTM config guide for your version for details on packet filters.
Or you could use a forwarding virtual server with a FastL4 profile. With a forwarding VIP you can use an iRule to restrict source and destination subnets/hosts/ports. There are a few examples of this in the Codeshare:
* AccessControlBasedOnIP - This iRule forwards traffic based on "trusted" source addresses.
* AccessControlBasedOnNetworkOrHost - This iRule allows administrators to allow or deny access to a virtual server based on IP/networks and ports.
Aaron
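A sketch of the forwarding-virtual-server approach described in the reply above, added here as an example; it is not from the thread and is not either of the Codeshare iRules named there. Assumptions: the rule is attached to a forwarding (IP) virtual server with a FastL4 profile enabled only on the internal VLAN, the floating address from the question is used as the SNAT translation address, and the permitted destinations (198.51.100.0/24 on TCP 443, 203.0.113.10 on TCP 25) are constructed placeholders.

```tcl
# Added example: egress allow-list on a forwarding virtual server.
# Default-deny: anything not explicitly matched below is rejected.
when CLIENT_ACCEPTED {

    # 1. Source check: only the internal subnet from the question may egress.
    if { not [IP::addr [IP::client_addr] equals 192.168.0.0/24] } {
        log local0. "egress denied: unexpected source [IP::client_addr]"
        reject
        return
    }

    # 2. Protocol check: this sketch only permits TCP (IP protocol 6),
    #    so TCP::local_port below is always valid when it is evaluated.
    if { [IP::protocol] != 6 } {
        log local0. "egress denied: non-TCP from [IP::client_addr] to [IP::local_addr]"
        reject
        return
    }

    # 3. Destination check. On a forwarding virtual server IP::local_addr and
    #    TCP::local_port are the address and port the client is connecting to.
    #    Both destinations are constructed placeholders, not from the thread.
    set allowed 0
    if { [IP::addr [IP::local_addr] equals 198.51.100.0/24] and [TCP::local_port] == 443 } {
        set allowed 1
    } elseif { [IP::addr [IP::local_addr] equals 203.0.113.10] and [TCP::local_port] == 25 } {
        set allowed 1
    }

    if { $allowed } {
        # Assumption: translate to the floating IP given in the question.
        snat 203.194.252.123
    } else {
        log local0. "egress denied: [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"
        reject
    }
}
```

Logging every denied connection can be noisy on a busy subnet; the log lines are there so rejected egress attempts show up in /var/log/ltm for review.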