Joe_Frost_43072
Nimbostratus
May 08, 2007
Single host SNAT iRule
Hello all-
I have a simple Apache pool with 3 internal hosts and 1 host that lives outside of my network in which I want to SNAT exclusively in order to bypass the asymmetrical routing issue....
hoolio
Cirrostratus
May 09, 2007
The CLIENT_ACCEPTED event is triggered every time a client makes a TCP connection. The SNAT would be performed throughout the life of the connection.
Also, if you want to apply the SNAT based on what the client IP address is, you would need to use IP::client_addr instead of LB::server. LB::server will return the node IP address in the pool.
Regardless of whether the rule applies the SNAT correctly, you shouldn't be seeing a TCL error using the class and rule you just listed.
Can you retry with the following rule to see if it a) works without an error and b) actually SNATs the traffic as you want?

    when CLIENT_ACCEPTED {
        log local0. "\[IP::client_addr\]: [IP::client_addr]"
        # SNAT requests if client_addr is defined in the class
        if { [matchclass [IP::client_addr] equals $::Hosts] } {
            log local0. "matched for [IP::client_addr]"
            snat automap
        }
    }

If that doesn't work for some reason, can you try this rule without the class as a test:

    when CLIENT_ACCEPTED {
        log local0. "\[IP::client_addr\]: [IP::client_addr]"
        # SNAT requests if client_addr matches this IP
        if { [IP::addr [IP::client_addr] equals 1.2.3.4] } {
            log local0. "matched for [IP::client_addr]"
            snat automap
        }
    }

Aaron
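
A server-side variant of the rules above, as an added example that is not part of the original thread: it decides at LB_SELECTED, using the pool member chosen for the connection, so only traffic sent to the one external member is SNATed. The member address 192.0.2.10 and the log wording are assumptions.

```tcl
# Added example, not from the thread. 192.0.2.10 is a placeholder
# (documentation range) for the pool member that lives outside the network.
when LB_SELECTED {
    # LB::server addr is the node picked by load balancing for this connection
    set member [LB::server addr]
    if { [IP::addr $member equals 192.0.2.10] } {
        # External member: translate the source to a BIG-IP self IP so the
        # reply returns through the BIG-IP instead of taking an asymmetric path
        log local0. "SNAT automap: [IP::client_addr] -> $member"
        snat automap
    } else {
        # Internal members keep the real client address
        snat none
    }
}
```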
