Forum Discussion
NimbostratusOutbound SNAT iRule defined by destination
Looking for assistance with a 9.4.6 iRule. I have written some very simple iRules, but I am not sure where to go with this one. Below are two iterations of iRules I attempted. The designed purpose is to NAT to the 172.16 address from all hosts on a specific VLAN to the internet, but not NAT to the 192.168 addresses. I created a forwarding virtual server (IP) for 0.0.0.0 and applied the iRule to it. When trying to access the internet this iteration did not translate the address.
IP addresses have been changed to protect the innocent :)
when CLIENT_ACCEPTED {
log local0. "in CLIENT_ACCEPTED"
if {[IP::addr [IP::remote_addr] equals 192.168.0.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.1.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.2.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.3.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.4.0/24]}{
snat none
} else {
snat 172.16.3.5
}
}
when CLIENT_ACCEPTED {
log local0. "in CLIENT_ACCEPTED"
if {[IP::addr [IP::remote_addr] equals 192.168.0.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.1.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.2.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.3.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.4.0/24]}{
snat none
} else {
snat 172.16.3.5
}
}
when CLIENT_ACCEPTED {
log local0. "in CLIENT_ACCEPTED"
if {[IP::addr [IP::remote_addr] equals 192.168.0.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.1.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.2.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.3.0/24]}{
snat none
} elseif {[IP::addr [IP::remote_addr] equals 192.168.4.0/24]}{
snat none
} else {
snat 172.16.3.5
}
}
I later made this attempt:
when CLIENT_ACCEPTED {
log local0. "in CLIENT_ACCEPTED"
if {[ matchclass [IP::remote_addr] equals 192.168.0.0/24]}{
snat none
} elseif {[ matchclass [IP::remote_addr] equals 192.168.1.0/24]}{
snat none
} elseif {[ matchclass [IP::remote_addr] equals 192.168.2.0/24]}{
snat none
} elseif {[ matchclass [IP::remote_addr] equals 192.168.3.0/24]}{
snat none
} elseif {[ matchclass [IP::remote_addr] equals 192.168.4.0/24]}{
snat none
} else {
snat 172.16.3.5
}
}
After this attempt, I no longer saw drops on the external firewall from the native non-routeable address, but I also did not see traffic being NATTED. When I looked at the iRule statistics all attempts showed as failed.
Any help I can get on this from those more knowledgable than me is greatly appreciated.
Kevin_Pruett_73multiple posts of the first irule. My apologies
natheCirrocumulus
Kevin
This is how I'd do it (untested though).
Firstly, create a datagroup for all non SNAT IPs e.g. no_SNAT and all the address ranges
Then use this iRule:
when CLIENT_ACCEPTED {
Check if the remote address is part of the no_SNAT data group
if { [matchclass [IP::remote_addr] equals $::no_SNAT]} {
snat none
} else {
snat behind this address
snat 172.16.3.5
}
}
}
Hope this helps
N- Kevin_Pruett_73Thanks for the reply, Nathan! I will give it a shot and let you know how it goes.