Selective SNAT setup

Question

Thanks for reading, any help would be appreciated. Here is my setup&nbsp;
&nbsp;US based LTM in DMZ&nbsp;
&nbsp;pool AMK_US
&nbsp;member 192.168.x.x  (behind the local LTM)
&nbsp;member 192.55.x.x    (on a server in Singapore)&nbsp;
&nbsp;Virtual server &nbsp;
&nbsp;192.55.x.x&nbsp;
&nbsp;We have a vlan called internal_5 setup with an ip of 192.168.x.x on the LTM. &nbsp;
&nbsp;Here is what we want to do:&nbsp;
&nbsp;1. When a request comes in from a business partner in the US, if the US pool member is up, traffic is sent to it.&nbsp;
&nbsp;2. If that pool member is down then the traffic will be routed to Singapore.&nbsp;
&nbsp;We have added a static route to the LTM to use the 192.168.x.x IP as it's route to get out. Problem is that we need to have that and only that traffic SNAT'd so that it returns to the LTM. There is also another default SNAT in place for other internal nodes on the LTM.&nbsp;
&nbsp;How can we create an iRule that will SNAT traffic that comes in the 192.55.x.x VIP and leaves for 192.55.a.x via the 192.168.x.x IP without affecting anything else?&nbsp;
&nbsp;Also the question comes to mind, should the iRule be applied to the 192.55.x.x VIP only and on what interface (external - to outside or internal - to behind LTM)&nbsp;
&nbsp;Thanks,
&nbsp;Kevin

hoolio · Answer

Hi,
You can write a rule and apply it only to the 192.55.21.x VIP that looks for requests being load balanced to one remote node and applies SNAT automap.  Here is an example:
when LB_SELECTED {
   if {[IP::addr [LB::server addr] equals 192.55.17.x]}{
      snat automap
   }
}
[LB::server addr] returns the IP address for the node which has been selected to receive the request.
You can check the 'snat' command for more examples: (Click here)
Aaron

jrahm · Answer

I think the concern was that only those requests that arrive on the internal_5 vlan would be snatted, but I couldn't quite tell.  I was trying to get LINK::vlan_id to return something, but haven't been able to on my lab pair (9.4.2 beta)  I was thinking of setting a variable in the CLIENT_ACCEPTED event with the link vlan ID so it could be ANDed with the remote server IP before snatting, but I've never used that before and wanted to test prior to posting.

kevin_nail · Answer

Thanks,&nbsp;
&nbsp;I will give that a try...&nbsp;&nbsp;

Forum Discussion

Selective SNAT setup

Recent Discussions

irule to enable http/2 acceleration

Service discovery is not happening in AS3

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

Related Content

Selective SNAT

Selective SNAT with iRules

iRules Recipe 3: Pool and SNAT Selection by Host Header Value

How to Setup Shape Log Analysis in Fastly

SNAT pool persistence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS