Forum Discussion
hooleylist
Jul 07, 2008 (Cirrostratus)
The precedence for matching would be the most specific VIP, then the wildcard VIP, then the SNAT. The SNAT will take effect if there isn't a SNAT setting enabled on the VIP and/or pool. If you use a rule to specify a SNAT, it will override both the SNAT options on the VIP and/or pool as well as a default SNAT.
To simplify the troubleshooting process if the above rule and classes don't work, you could add logging:
when CLIENT_ACCEPTED {
   # Log every accepted client-side connection with the VIP it hit
   log local0. "[IP::client_addr]:[TCP::client_port]: new connection to [IP::local_addr]:[TCP::local_port]"
   if { [matchclass [IP::remote_addr] equals $::routed_network_list] } {
      # SNAT traffic to the routable networks
      log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::routed_network_list"
      snat 64.x.x.52
   } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list] } {
      # SNAT traffic to the other internal machines
      log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::local_srvr_list"
      snat 10.10.8.3
   } else {
      # Drop to the default router for this VLAN
      log local0. "[IP::client_addr]:[TCP::client_port]: default"
      node 10.10.8.1
   }
}
when SERVER_CONNECTED {
   # Log the server-side connection so it can be paired with the client-side entry above
   log local0. "[IP::client_addr]:[TCP::client_port]: connected to [IP::remote_addr]:[TCP::remote_port]"
}
Aaron
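As an added example (not part of Aaron's post or of any F5 tooling), the script below reads the log lines that the iRule above emits, groups them per client flow, and reports which SNAT branch fired and whether a SERVER_CONNECTED entry ever followed. The log text is constructed sample data in the rule's format; the class names and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iRule logs (not real BIG-IP output).
# The third flow never reaches SERVER_CONNECTED, which is the symptom to look for.
SAMPLE_LOG = """\
192.168.50.10:51234: new connection to 10.10.8.100:443
192.168.50.10:51234: matched $::routed_network_list
192.168.50.10:51234: connected to 172.16.4.20:443
10.10.8.77:40001: new connection to 10.10.8.100:443
10.10.8.77:40001: matched $::local_srvr_list
10.10.8.77:40001: connected to 10.10.8.50:443
203.0.113.9:3300: new connection to 10.10.8.100:80
203.0.113.9:3300: default
"""

# Each line starts with "client_ip:client_port: " followed by one of the rule's four messages.
LINE_RE = re.compile(
    r"^(?P<client>[\d.]+:\d+): (?P<event>new connection to|matched|default|connected to)"
    r"(?: (?P<detail>\S+))?$"
)


def summarize_flows(log_text):
    """Group the iRule's log lines per client flow and record VIP, SNAT branch and server."""
    flows = defaultdict(lambda: {"vip": None, "branch": None, "server": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything not produced by this rule
        f = flows[m["client"]]
        event, detail = m["event"], m["detail"]
        if event == "new connection to":
            f["vip"] = detail
        elif event == "matched":
            f["branch"] = detail
        elif event == "default":
            f["branch"] = "default"
        elif event == "connected to":
            f["server"] = detail
    return dict(flows)


def incomplete_flows(flows):
    """Flows accepted on the client side that never logged SERVER_CONNECTED."""
    return sorted(c for c, f in flows.items() if f["vip"] and f["server"] is None)
```

Flows listed by incomplete_flows are the ones whose SNAT or routing choice to check first, since the client side was accepted but no server-side connection was ever established.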