Forum Discussion

branfarm_139474's avatar
branfarm_139474
Icon for Nimbostratus rankNimbostratus
May 01, 2014

SNAT and NAT on difference vlans

Hi, I have a few questions about SNATs and NAT's and trying to get traffic to either SNAT or NAT based on the destination. Here's the diagram: I want traffic from 10.8.4.26 destined to 10....
application delivery
design
devops
iRules
LTM
nat
snat
nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
May 02, 2014

probably you do not need irule. 🙂

e.g.

 

 internal to external

ltm virtual internal-to-external {
    destination 10.8.8.0:0
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    source 10.8.4.26/32
    source-address-translation {
        pool snat-10.8.8.22
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 15
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snatpool snat-10.8.8.22
ltm snatpool snat-10.8.8.22 {
    members {
        10.8.8.22
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 10.8.8.22
ltm snat-translation 10.8.8.22 {
    address 10.8.8.22
    inherited-traffic-group true
    traffic-group traffic-group-1
}

 internal to pubdmz

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual internal-to-pubdmz
ltm virtual internal-to-pubdmz {
    destination 10.8.6.0:0
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    source 10.8.4.26/32
    source-address-translation {
        pool snat-10.8.6.26
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snatpool snat-10.8.6.26
ltm snatpool snat-10.8.6.26 {
    members {
        10.8.6.26
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 10.8.6.26
ltm snat-translation 10.8.6.26 {
    address 10.8.6.26
    inherited-traffic-group true
    traffic-group traffic-group-1
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual pubdmz-to-internal
ltm virtual pubdmz-to-internal {
    destination 10.8.6.26:0
    mask 255.255.255.255
    pool pool-10.8.4.26
    profiles {
        fastL4 { }
    }
    source 10.8.6.0/24
    translate-port disabled
    vlans {
        pubdmz
    }
    vlans-enabled
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool pool-10.8.4.26
ltm pool pool-10.8.4.26 {
    members {
        10.8.4.26:0 {
            address 10.8.4.26
        }
    }
}

 pubdmz to 10.8.4.26 on port 5600

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual pubdmz-to-10.8.4.26
ltm virtual pubdmz-to-10.8.4.26 {
    destination 10.8.4.26:5600
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    source 10.8.6.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        pubdmz
    }
    vlans-enabled
    vs-index 18
}

 

  • branfarm_139474's avatar
    branfarm_139474
    Icon for Nimbostratus rankNimbostratus
    May 02, 2014
    Thanks, Nitass. Those are very thorough examples. My intent is to have something that's more generic -- my diagram was more of a conceptual example. The real need for the external interface is to allow outbound traffic to the internet -- all prefixes. However, the dmz and other interfaces will need more specific prefixes, possibly hundreds of different prefixes per interface. I can't create virtual-servers for each destination prefix however. In that case, it seems like I might not be able to use this method for a production system since the virtual servers you reference are very specific to the source and destination networks. In your opinion, is this a case of "trying to make a square peg fit a round hole?"