Forum Discussion

network to network selective snat

Fabrizio_Gerard
Nimbostratus
May 14, 2015
Hi,
In my organization I have the need to source nat a subset of clients.
But I need to do this without losing the option to trace specific client requests in the application server log.
S...
Fabrizio_Gerard
Nimbostratus
May 14, 2015
Hi, sorry for the formatting issue... the rule I wrote looks like this:

    when CLIENT_ACCEPTED {
        # checks to see if client_addr = any in the class
        if { [class match [IP::client_addr] equals SNAT_GROUP_A] } {
            # split the original address into its four octets
            scan [IP::client_addr] %d.%d.%d.%d ip1 ip2 ip3 ip4
            # rebuild the SNAT address: new first octet, last three octets preserved
            set newip [IP::addr 12.$ip2.$ip3.$ip4 mask 255.255.255.255]
            snat $newip
            log local0. "Snatting client [IP::client_addr] Client Port:[TCP::client_port] - Server Port:[TCP::local_port clientside] to new source ip $newip"
        }
    }

I took a look at the code you mentioned: it is ok but it lacks one feature, that the snat ip should be dynamic (based on the client original address, preserving last three octets)... That's why in my code I extract the four original octets to rebuild the new snatted address
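The octet-rewriting SNAT from the iRule above, modelled in Python as an added example (not part of the original post, and not iRule code): the subnets standing in for the SNAT_GROUP_A data group are constructed, since the real data group is not on the page. Besides the forward mapping it shows the reverse lookup an operator needs to trace an application-server log line back to a client, and a check that no two client subnets collapse onto the same SNAT addresses once the first octet is dropped, which is the one way this scheme silently loses traceability.

```python
import ipaddress

# Constructed stand-in for the SNAT_GROUP_A data group (its real contents are
# not on the page) and the "12." target first octet used by the iRule.
SNAT_GROUP_A = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("10.30.0.0/16")]
SNAT_FIRST_OCTET = 12

def in_group(client_ip, group=SNAT_GROUP_A):
    """Same decision as `class match [IP::client_addr] equals SNAT_GROUP_A`."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in group)

def snat_address(client_ip, first_octet=SNAT_FIRST_OCTET):
    """Rewrite the first octet and keep the last three, like 12.$ip2.$ip3.$ip4."""
    low24 = int(ipaddress.ip_address(client_ip)) & 0x00FFFFFF
    return str(ipaddress.ip_address((first_octet << 24) | low24))

def select_snat(client_ip):
    """Translated source for group members, None when the iRule would not SNAT."""
    return snat_address(client_ip) if in_group(client_ip) else None

def original_clients(snat_ip, group=SNAT_GROUP_A):
    """Reverse lookup for app-server logs: which group addresses map to snat_ip.
    Exactly one result means the log line is traceable to a single client."""
    low24 = int(ipaddress.ip_address(snat_ip)) & 0x00FFFFFF
    found = set()
    for net in group:
        candidate = ipaddress.ip_address((int(net.network_address) & 0xFF000000) | low24)
        if candidate in net:
            found.add(str(candidate))
    return sorted(found)

def low24_range(net):
    """Span of last-three-octet values a subnet occupies (needs prefixlen >= 8)."""
    if net.prefixlen < 8:
        raise ValueError(f"{net} spans more than one first octet")
    return (int(net.network_address) & 0x00FFFFFF,
            int(net.broadcast_address) & 0x00FFFFFF)

def collisions(group):
    """Subnet pairs whose clients would share SNAT addresses once the first
    octet is dropped; any hit means traceability is lost for those clients."""
    nets = [ipaddress.ip_network(n) for n in group]
    hits = []
    for i, a in enumerate(nets):
        a_lo, a_hi = low24_range(a)
        for b in nets[i + 1:]:
            b_lo, b_hi = low24_range(b)
            if a_lo <= b_hi and b_lo <= a_hi:
                hits.append((str(a), str(b)))
    return hits
```

Running `collisions` over the real data group before deploying the rule is the check that matters: 10.20.1.5 and 172.20.1.5 would both appear as 12.20.1.5 in the server log.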