Forum Discussion
Dan_Williams_25
Nimbostratus
Sep 19, 2005
Selective SNAT iRule
Apologize if this has already been posted.
I recently upgraded to a pair of 6400s that are running v.9.0.5. During the days of 4.5.x, I was able to utilize a "Selective SNAT" rule of sorts t...
Dan_Williams_25
Nimbostratus
Oct 22, 2005
It's been a while, but I was finally able to catch up and try a few things out.
UnRuleY: The sample iRule you provided did work and solved the general problem, though for some reason, I had a problem adding additional source networks, so I ended up with the following:
snatpool snatpool.192.168.2.1 {
    member 192.168.2.1
}
virtual forwarding_virtual {
    destination any:any
    ip forward
    profile custom.fastL4.noreset
    rule snat.rule
}
rule snat.rule {
    when CLIENT_ACCEPTED {
        # No SNAT for 10.32.0.0/24 clients going to the three listed networks.
        if {([IP::addr [IP::remote_addr] equals "10.32.0.0/24"] and ([IP::addr "[IP::local_addr]" equals "192.168.1.0/24"] or [IP::addr "[IP::local_addr]" equals "172.31.1.0/24"] or [IP::addr "[IP::local_addr]" equals "10.0.1.0/24"]))} {
            snat none
        } elseif {([IP::addr [IP::remote_addr] equals "10.64.0.0/24"] and ([IP::addr "[IP::local_addr]" equals "192.168.1.0/24"] or [IP::addr "[IP::local_addr]" equals "172.31.1.0/24"] or [IP::addr "[IP::local_addr]" equals "10.0.1.0/24"]))} {
            # Same destination list, for 10.64.0.0/24 clients.
            snat none
        } else {
            # Everything else is translated to the snatpool address.
            snatpool snatpool.192.168.2.1
        }
    }
}
In this instance, the source node networks are the 10.32.0/24 and 10.64.0/24 and the remote networks that we do not want to SNAT to are the 192.168.1/24, 172.31.1/24, and 10.0.1/24 networks--everything else is SNAT'd. The rule is applied to the forwarding_virtual--which is required for IP forwarding. The snatpool seems to be a much cleaner way of adding SNAT without applying a physical SNAT to a particular interface.
Thanks for the help.
-d
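To check which flows the rule above leaves untranslated before relying on source-based filtering or logging downstream, the following added example (not part of the original post) models the rule's decision offline in Python. The function names and the sample flows are assumptions constructed for illustration; the networks and the snatpool address are taken from the post, and the client and destination arguments stand for `[IP::remote_addr]` and `[IP::local_addr]` at `CLIENT_ACCEPTED`.

```python
import ipaddress

# Networks copied from the iRule in the post above.
NO_SNAT_SOURCES = ["10.32.0.0/24", "10.64.0.0/24"]
NO_SNAT_DESTINATIONS = ["192.168.1.0/24", "172.31.1.0/24", "10.0.1.0/24"]
SNATPOOL_MEMBER = "192.168.2.1"   # member of snatpool.192.168.2.1


def in_any(addr, networks):
    """True if addr falls inside at least one of the CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def translated_source(client_ip, dest_ip):
    """Source address the destination sees for one forwarded connection.

    Hypothetical helper mirroring the rule: exempt source AND exempt
    destination means "snat none"; anything else uses the snatpool.
    """
    if in_any(client_ip, NO_SNAT_SOURCES) and in_any(dest_ip, NO_SNAT_DESTINATIONS):
        return client_ip          # "snat none": original source preserved
    return SNATPOOL_MEMBER        # else branch: leaves as the pool address


def audit(flows):
    """Return (client, dest, seen_as) rows for a list of (client, dest) flows."""
    return [(c, d, translated_source(c, d)) for c, d in flows]


# Constructed sample flows (not from the post) covering each branch and the
# /24 boundary of the exempt source networks.
SAMPLE_FLOWS = [
    ("10.32.0.15", "192.168.1.20"),   # if branch
    ("10.64.0.9", "10.0.1.7"),        # elseif branch
    ("10.32.0.15", "203.0.113.10"),   # exempt source, non-exempt destination
    ("10.32.1.15", "192.168.1.20"),   # just outside 10.32.0.0/24
    ("10.99.0.1", "172.31.1.5"),      # non-exempt source, exempt destination
]

if __name__ == "__main__":
    for client, dest, seen_as in audit(SAMPLE_FLOWS):
        print(f"{client:>12} -> {dest:<14} seen by destination as {seen_as}")
```

Only the first two sample flows keep their original source address; the other three arrive at the destination as 192.168.2.1, including the 10.32.1.15 client that sits one subnet outside the exempt /24.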