Forum Discussion
Sero_83363
Nimbostratus
May 14, 2015
SNAT and NAT to a single server (no load balancing)
Hi - I have a requirement to SNAT and NAT traffic to single server instances behind the F5. This is because all servers are behind the F5, even those that do not require load balancing.
Any securit...
nitass
Employee
May 14, 2015
Is it something like this?
configuration
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.0:0
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 10
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        set serverip [class match -value [IP::local_addr] equals dstnat]
        if { $serverip ne "" } {
            node $serverip
        } else {
            reject
        }
    }
    when SERVER_CONNECTED {
        log local0. "client=[IP::client_addr] virtual=[clientside {IP::local_addr}] \
            snat=[IP::local_addr] server=[IP::remote_addr]"
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal dstnat
ltm data-group internal dstnat {
    records {
        172.28.24.101/32 {
            data 200.200.200.101
        }
        172.28.24.111/32 {
            data 200.200.200.111
        }
    }
    type ip
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 172.28.24.*
ltm snat-translation 172.28.24.101 {
    address 172.28.24.101
    inherited-traffic-group true
    traffic-group traffic-group-1
}
ltm snat-translation 172.28.24.111 {
    address 172.28.24.111
    inherited-traffic-group true
    traffic-group traffic-group-1
}
/var/log/ltm
[root@ve11c:Active:In Sync] config tail -f /var/log/ltm
May 15 13:40:37 ve11c info tmm1[15145]: Rule /Common/qux : client=192.168.206.135 virtual=172.28.24.101 snat=200.200.200.14 server=200.200.200.101
May 15 13:40:48 ve11c info tmm[15145]: Rule /Common/qux : client=172.28.24.1 virtual=172.28.24.111 snat=200.200.200.14 server=200.200.200.111
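An added example, not part of the post above and not F5 tooling: a Python audit that rebuilds the dstnat mapping from the tmsh output and checks every connection logged by the iRule's SERVER_CONNECTED line against it. Log lines 3 and 4 are constructed to show failures, and longest-prefix selection for overlapping records is an assumption of this sketch.

```python
import re
from ipaddress import ip_address, ip_network

# Sample input: data group and log lines 1-2 as in the post; log lines 3-4 are constructed.
DATA_GROUP = """\
ltm data-group internal dstnat {
    records {
        172.28.24.101/32 {
            data 200.200.200.101
        }
        172.28.24.111/32 {
            data 200.200.200.111
        }
    }
    type ip
}
"""
LOG = """\
May 15 13:40:37 ve11c info tmm1[15145]: Rule /Common/qux : client=192.168.206.135 virtual=172.28.24.101 snat=200.200.200.14 server=200.200.200.101
May 15 13:40:48 ve11c info tmm[15145]: Rule /Common/qux : client=172.28.24.1 virtual=172.28.24.111 snat=200.200.200.14 server=200.200.200.111
May 15 13:41:02 ve11c info tmm[15145]: Rule /Common/qux : client=10.0.0.9 virtual=172.28.24.111 snat=200.200.200.14 server=200.200.200.101
May 15 13:41:05 ve11c info tmm[15145]: Rule /Common/qux : client=10.0.0.9 virtual=172.28.24.120 snat=200.200.200.14 server=200.200.200.120
"""

RECORD = re.compile(r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s*\{\s*data\s+(\S+)\s*\}")
FIELDS = re.compile(r"(client|virtual|snat|server)=(\S+)")

def parse_data_group(text):
    """Return [(network, server_ip)] parsed from 'list ltm data-group' output."""
    return [(ip_network(n, strict=False), ip_address(d)) for n, d in RECORD.findall(text)]

def expected_server(records, virtual):
    """Longest matching prefix wins (assumption); None mirrors the iRule's reject branch."""
    hits = [(net.prefixlen, srv) for net, srv in records if virtual in net]
    return max(hits)[1] if hits else None

def audit(log_text, records):
    """Return [(line_no, reason)] for logged connections that disagree with the data group."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = dict(FIELDS.findall(line))
        if not {"virtual", "server"} <= f.keys():
            continue  # not a line written by the iRule's log statement
        want = expected_server(records, ip_address(f["virtual"]))
        if want is None:
            findings.append((n, f"{f['virtual']} has no dstnat record"))
        elif want != ip_address(f["server"]):
            findings.append((n, f"{f['virtual']} went to {f['server']}, expected {want}"))
    return findings
```

A finding of the first kind means a connection reached a server although the iRule should have rejected it, which points to the rule not being attached or the data group having changed since the log was written.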