Forum Discussion

Sero_83363
May 14, 2015

SNAT and NAT to a single server (no load balancing)

Hi - I have a requirement to SNAT and NAT traffic to single server instances behind the F5. This is because all servers are behind the F5, even those that do not require load balancing.

Any security applied is upstream so the F5 LTM only needs to SNAT the client IP and NAT the destination IP. I know I could create VIPs, pools, members and nodes for each server but is there an easier way to do this?

Ideally I'd just like to create a VIP for each single server with an iRule that SNATs using a SNAT pool and then does the destination NAT direct to the server (without using pools with a single server in them :) )

Thanks

1 Reply

  • Is it something like this?

    configuration

    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.0:0
        mask 255.255.255.0
        profiles {
            fastL4 { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-port disabled
        vs-index 10
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
            set serverip [class match -value [IP::local_addr] equals dstnat]
            if { $serverip ne "" } {
                node $serverip
            } else {
                reject
            }
        }
        when SERVER_CONNECTED {
            log local0. "client=[IP::client_addr] virtual=[clientside {IP::local_addr}] \
                         snat=[IP::local_addr] server=[IP::remote_addr]"
        }
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal dstnat
    ltm data-group internal dstnat {
        records {
            172.28.24.101/32 {
                data 200.200.200.101
            }
            172.28.24.111/32 {
                data 200.200.200.111
            }
        }
        type ip
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 172.28.24.*
    ltm snat-translation 172.28.24.101 {
        address 172.28.24.101
        inherited-traffic-group true
        traffic-group traffic-group-1
    }
    ltm snat-translation 172.28.24.111 {
        address 172.28.24.111
        inherited-traffic-group true
        traffic-group traffic-group-1
    }

    /var/log/ltm

    [root@ve11c:Active:In Sync] config  tail -f /var/log/ltm
    May 15 13:40:37 ve11c info tmm1[15145]: Rule /Common/qux : client=192.168.206.135 virtual=172.28.24.101  snat=200.200.200.14 server=200.200.200.101
    May 15 13:40:48 ve11c info tmm[15145]: Rule /Common/qux : client=172.28.24.1 virtual=172.28.24.111  snat=200.200.200.14 server=200.200.200.111
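As an added illustration (not part of the reply or of F5's code), here is a Python model of the `dstnat` data-group lookup the iRule performs, plus an audit that checks the `/var/log/ltm` lines it writes against the configured mapping. The records and log lines are copied from the reply; the longest-prefix handling for CIDR records is my generalisation of the /32 entries shown.

```python
import ipaddress
import re

# Copy of the "dstnat" data-group records from the reply:
# VIP address (CIDR) -> real server the iRule hands to "node".
DSTNAT_RECORDS = {
    "172.28.24.101/32": "200.200.200.101",
    "172.28.24.111/32": "200.200.200.111",
}

# The two /var/log/ltm lines from the reply, used as sample input.
SAMPLE_LOG = [
    "May 15 13:40:37 ve11c info tmm1[15145]: Rule /Common/qux : client=192.168.206.135 "
    "virtual=172.28.24.101  snat=200.200.200.14 server=200.200.200.101",
    "May 15 13:40:48 ve11c info tmm[15145]: Rule /Common/qux : client=172.28.24.1 "
    "virtual=172.28.24.111  snat=200.200.200.14 server=200.200.200.111",
]

# Pattern for the line the iRule's SERVER_CONNECTED event logs.
LOG_RE = re.compile(
    r"Rule /Common/qux : client=(?P<client>\S+) virtual=(?P<virtual>\S+)\s+"
    r"snat=(?P<snat>\S+) server=(?P<server>\S+)"
)


def lookup(dst_ip, records=DSTNAT_RECORDS):
    """Model 'class match -value <dst> equals dstnat' on a type-ip data group.

    Returns the mapped server, or None when no record covers dst_ip (the iRule
    then rejects). Longest matching prefix wins if records overlap.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, server in records.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, server)
    return best[1] if best else None


def audit_log(lines, records=DSTNAT_RECORDS):
    """Return (virtual, server, reason) for every log line whose virtual->server
    pair disagrees with the data group, so a stale or edited record is visible."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a line written by rule qux
        expected = lookup(m["virtual"], records)
        if expected is None:
            findings.append((m["virtual"], m["server"], "no dstnat record"))
        elif expected != m["server"]:
            findings.append((m["virtual"], m["server"], f"expected {expected}"))
    return findings
```

Running `audit_log` over the reply's two log lines returns an empty list, confirming both connections went to the server the data group names for that VIP address.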