gto481_34301
Nimbostratus
Oct 16, 2011
No acknowledge from destination after SNAT using iRule
I have one client server with one IP address (192.168.1.1). I would like to SNAT the server IP address based on outgoing port 2222. Actually, the default SNAT is 10.230.10.1 for any other ports. However, I would like to SNAT to 10.10.1.1 only when I connect to app server 172.17.30.1 on port 2222.
I just created a Virtual Server 172.17.30.1 port 2222 and have 172.17.30.1 port 2222 as the server pool. Then I associated an iRule that SNATs to 10.10.1.1 on matching port 2222.
It seems SNAT is working, but the client server cannot communicate with the app server since there is no acknowledgment from the app server. Something like below:
10.10.1.1 38569 --> 172.17.30.1 2222
10.10.1.1 58967 --> 172.17.30.1 2222
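The following is my iRule to match port 2222 and SNAT to 10.10.1.1:
when CLIENT_ACCEPTED {
    # Connections to port 2222 are translated to the dedicated SNAT address
    if { [TCP::local_port] == 2222 } {
        snat 10.10.1.1
    } else {
        # Any other port: forward using the routing table
        forward
    }
}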
However, if I change the default SNAT to 10.10.1.1, then it can get an acknowledgment from the app server.
Do you guys know how to solve my problem? Any suggestion would be appreciated.
- nitass
Employee
have you enabled arp on 10.10.1.1 under local traffic > snats > snat translation list > 10.10.1.1?
- John_Alam_45640
Historic F5 Account
gto481:
- John_Alam_45640
Historic F5 Account
Try this irule instead:
- gto481_34301
Nimbostratus
John Alam:
- nitass
Employee
have you created 10.10.1.1 as snat translation list and enabled arp?
- gto481_34301
Nimbostratus
Forgot to attach tail log.
Oct 17 10:29:00 tmm tmm[2118]: Rule OPCO1_CH_SNAT_PORT : SNATting using 10.10.1.1 for client 192.168.1.1
- gto481_34301
Nimbostratus
nitass:
- nitass
Employee
welcome.
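One way to confirm the symptom described in this thread (SYNs leaving from the SNAT address with nothing coming back) from a packet capture, as an added example that is not part of the original posts: it parses `tcpdump -nn` text output and lists source addresses whose SYNs saw no return traffic. The capture lines and the function name `unanswered_syns` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format (not taken from the poster's systems).
SAMPLE = """\
10:29:00.100000 IP 10.10.1.1.38569 > 172.17.30.1.2222: Flags [S], seq 100, win 4380, length 0
10:29:03.100000 IP 10.10.1.1.38569 > 172.17.30.1.2222: Flags [S], seq 100, win 4380, length 0
10:29:05.200000 IP 10.10.1.1.58967 > 172.17.30.1.2222: Flags [S], seq 200, win 4380, length 0
10:29:06.000000 IP 10.230.10.1.40001 > 172.17.30.1.80: Flags [S], seq 300, win 4380, length 0
10:29:06.001000 IP 172.17.30.1.80 > 10.230.10.1.40001: Flags [S.], seq 900, ack 301, win 5840, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [...]
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def unanswered_syns(capture: str) -> dict:
    """Return {source_ip: [(src_port, dst_ip, dst_port, syn_count), ...]}
    for flows that sent SYNs but for which no packet came back."""
    syns = defaultdict(int)  # (src, sport, dst, dport) -> number of SYNs seen
    seen = set()             # every direction observed in the capture
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip non-TCP or malformed lines
        src, sport, dst, dport, flags = m.groups()
        flow = (src, int(sport), dst, int(dport))
        seen.add(flow)
        if flags == "S":  # pure SYN; a SYN-ACK is printed as "S."
            syns[flow] += 1
    result = defaultdict(list)
    for (src, sport, dst, dport), count in syns.items():
        if (dst, dport, src, sport) not in seen:  # no reply in either form
            result[src].append((sport, dst, dport, count))
    return dict(result)


if __name__ == "__main__":
    for ip, flows in unanswered_syns(SAMPLE).items():
        print(ip, "sent SYNs with no return traffic:", flows)
```

An address listed here while other source addresses complete their handshakes points at return-path delivery for that address, which is what the ARP question on the SNAT translation entry checks.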