For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Josh_Hildebran1's avatar
Josh_Hildebran1
Icon for Nimbostratus rankNimbostratus
Jul 13, 2006

Simple SNAT for external SMTP nodes via a VIP

I think I had this working at some point, but now I'm not entirely sure it ever did. I'm trying to make it so that external servers can use a VIP to hit a pool of external mail servers. When I sa...
application delivery
dev
devops
iRules
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jul 14, 2006
As the ltm is not a firewall by nature, it doesn't treat vlans as outside/inside from a policy standpoint. That said, if you have a connection hitting a vip, and a pool of assigned servers that are *outside*, you'll need to snat to get the traffic to route back through the ltm. You can snat automap, or you can build a snatpool with 1 or more addresses in it. You shouldn't need a rule for this.

BTW, you can snat on the same address as your virtual to conserve IP space if this is a concern.


pool smtp_testpool {
   lb method member predictive
   min active members 1
   monitor all POST
   member 192.168.168.76:smtp
   member 192.168.170.50:smtp priority 2
}
snatpool smtp_snatpool {
   member 172.20.150.25
}
virtual smtp_snat_external {
   destination 172.20.150.25:smtp
   ip protocol tcp
   pool smtp_testpool
   snatpool smtp_snatpool
   vlans external enable
}

You can email me offline if you pursue a non-iRules approach, as this forum is not for configuration issues.