For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

aj1's avatar
aj1
Icon for Nimbostratus rankNimbostratus
Feb 27, 2015

Selective SNAT using iRule on a standard VS

Hi, I realize this issue has been addressed in a lot of posts and i have applied those to solve this issue but nothing has worked out so far. Our LTM services two vlans and applications from these ...
application delivery
devops
irule
iRules
LTM
snat
aj1's avatar
aj1
Icon for Nimbostratus rankNimbostratus
Mar 03, 2015

Thank you for the reply.I do have a wildcard forwarding server that uses the snat pool, not sure how that affects this.

[admin@isb-alb-c1:/S1-green-P:Active:Standalone] ~  tmsh list /ltm snat
[admin@isb-alb-c1:/S1-green-P:Active:Standalone] ~

Used "snat none" in the rule instead of the "pool $default_pool" statement. Still seeing snat happening either way though, same subnet or not. The same logs as before. Can verify the same from the connection table.

Something that was different this time were the connection table records for the 125.171.11.108 client. No snat in the first record (expected), but snat in the second record.

show /sys connection cs-client-addr 125.171.11.108
Sys::Connections
125.171.11.108:41521  198.82.183.114:389  125.171.11.108:41521  172.16.18.24:10389  tcp  1198  (slot/tmm: 1/0)  none
125.171.11.108:43228  198.82.183.114:389  198.82.214.125:43228  172.16.19.24:10389  tcp  992  (slot/tmm: 1/1)  none
Total records returned: 2
  • StephanManthey's avatar
    StephanManthey
    Icon for Nacreous rankNacreous
    Mar 03, 2015
    Hi aj, it will not be necessary to have multiple data-groups. You can put all network ranges into a single data-group and please make sure to include all client networks (currently the 125.171.11.0/24 is not covered). This might cause the problem. Thanks, Stephan
  • aj1's avatar
    aj1
    Icon for Nimbostratus rankNimbostratus
    Mar 17, 2015
    Yes, having every subnet in just one data-group worked ! I guess i had a different idea as to how the irule works and therefore split the two subnets into two data-groups. Thank you Stephan.