Forum Discussion
gto481_34301
Nimbostratus
Oct 16, 2011
No acknowledge from destination after SNAT using iRule
I have one client server with one IP address (192.168.1.1). I would like to SNAT the server IP address based on outgoing port 2222. Actually, the default SNAT is 10.230.10.1 for any other ports. However, I would like to SNAT to 10.10.1.1 only when I connect to app server 172.17.30.1 on port 2222.
I just created a Virtual Server 172.17.30.1 port 2222 and have 172.17.30.1 port 2222 as the server pool. Then I associated an iRule to SNAT to 10.10.1.1 on matching port 2222.
It seems SNAT is working, but the client server cannot communicate with the app server since there is no acknowledgement from the app server. Something like below:
10.10.1.1 38569 --> 172.17.30.1 2222
10.10.1.1 58967 --> 172.17.30.1 2222
The following is my iRule to match port 2222 and SNAT to 10.10.1.1:
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 2222 } {
        snat 10.10.1.1
    }
    else {
        forward
    }
}
However, if I change the default SNAT to 10.10.1.1, then it can get an acknowledgement from the app server.
Do you guys know how to solve my problem? Any suggestion would be appreciated.
8 Replies
- nitass
Employee
have you enabled arp on 10.10.1.1 under local traffic > snats > snat translation list > 10.10.1.1?
- John_Alam_45640
Historic F5 Account
gto481:
Since the virtual server has 2222 as the destination port, [TCP::local_port] is always going to be 2222. This means that the iRule as you show it is not doing anything more than assigning the SNAT pool in the virtual properties.
Even if we fixed the iRule, you would only get the default SNAT.
So, remove the port from the virtual, replace it with 0, and try again.
Remove the whole "else" structure; it is not needed.
Be sure to tail the log when you test. This will produce a line in the log.
If you are still having problems, send the tail of the log together with the virtual configuration.
HTH.
- John_Alam_45640
Historic F5 Account
Try this iRule instead:
when CLIENT_ACCEPTED {
    if { [TCP::local_port clientside] equals "2222" } {
        log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
        snat 10.10.1.1
    }
}
- gto481_34301
Nimbostratus
John Alam:
The problem still persists. Still doesn't get an ack from the destination. The following is my configuration.
virtual OPCO1_CO_VS {
    pool OPCO1_CO_Pool
    destination 172.17.30.1:any
    ip protocol tcp
    rules OPCO1_CH_SNAT_PORT
}
pool OPCO1_CO_Pool {
    members 172.17.30.1:2222
}
rule OPCO1_CH_SNAT_PORT {
    when CLIENT_ACCEPTED {
        if { [TCP::local_port clientside] equals "2222" } {
            log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
            snat 10.10.1.1
        }
    }
}
- nitass
Employee
have you created 10.10.1.1 as snat translation list and enabled arp?
- gto481_34301
Nimbostratus
Forgot to attach the tail log.
Oct 17 10:29:00 tmm tmm[2118]: Rule OPCO1_CH_SNAT_PORT : SNATting using 10.10.1.1 for client 192.168.1.1
- gto481_34301
Nimbostratus
nitass:
It works !!! I just added 10.10.1.1 into the SNAT translation list and enabled ARP. Thank you for your help :)
- nitass
Employee
welcome.
snat irule does not do arp for us. it does snat only (as its name :p).
cheer!
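For readers landing here later, this is what the resolved thread amounts to, written out as a single tmsh-style configuration fragment (bigip.conf format, BIG-IP v11 or later). This is an added example, not configuration posted by anyone in the thread: the IP addresses, port and the OPCO1_* object names are taken from the posts above, while the snatpool name, the traffic-group and the exact tmsh syntax are assumptions on my part. The point it shows is the one nitass made: the `snat` command in an iRule only rewrites the source address, so the translation address itself has to exist as a snat-translation object with ARP enabled, or the app server's reply has no MAC address to go to.

```tmsh
# Added example (not from the thread). Assumes tmsh/bigip.conf syntax of
# BIG-IP v11+, the snatpool name "default_snatpool" and traffic-group-1.

# 1. The piece the iRule alone does not create: the SNAT translation address.
#    Without this object, and without "arp enabled" on it, the BIG-IP never
#    answers ARP for 10.10.1.1, so the app server's SYN-ACK is dropped on the
#    wire and the client sees no acknowledgement (the symptom in the thread).
ltm snat-translation 10.10.1.1 {
    address 10.10.1.1
    arp enabled
    traffic-group traffic-group-1
}

# 2. Default SNAT for everything else (10.230.10.1 in the thread). Members of
#    a snatpool get their snat-translation objects created automatically,
#    which is why the default SNAT worked while the iRule-only address did not.
ltm snatpool default_snatpool {
    members {
        10.230.10.1
    }
}

# 3. The iRule as John Alam rewrote it: 10.10.1.1 only for port 2222, default
#    SNAT otherwise. The log line is what shows up in "tail -f /var/log/ltm".
ltm rule OPCO1_CH_SNAT_PORT {
    when CLIENT_ACCEPTED {
        if { [TCP::local_port clientside] equals "2222" } {
            log local0. "SNATting using 10.10.1.1 for client [IP::remote_addr]"
            snat 10.10.1.1
        }
    }
}

# 4. Pool and a wildcard-port virtual server. The destination port is "any"
#    so that [TCP::local_port] can actually differ from 2222; with a
#    port-2222 virtual the comparison in the iRule would always be true.
ltm pool OPCO1_CO_Pool {
    members {
        172.17.30.1:2222 {
            address 172.17.30.1
        }
    }
}
ltm virtual OPCO1_CO_VS {
    destination 172.17.30.1:any
    ip-protocol tcp
    pool OPCO1_CO_Pool
    rules {
        OPCO1_CH_SNAT_PORT
    }
    source-address-translation {
        pool default_snatpool
        type snat
    }
}
```

To confirm the prerequisite is in place before testing, `tmsh list ltm snat-translation 10.10.1.1` should show `arp enabled`; if the object is missing entirely, that is the state the original poster was in, and the log line from the iRule will still appear because the SNAT itself is being applied.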