For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Juha_47876's avatar
Juha_47876
Icon for Nimbostratus rankNimbostratus
Oct 14, 2011

SNAT based on destination IP

Hi,

 

 

I would need a solution for the following requirement.

 

 

I have a pool of servers and their internal IP addresses are e.g.:

 

 

pool POOL_WITH_6NODES {

 

lb method member least conn

 

action on svcdown reset

 

monitor all tcp

 

members

 

192.168.1.1:1234

 

192.168.1.2:1234

 

192.168.1.3:1234

 

192.168.1.4:1234

 

192.168.1.5:1234

 

192.168.1.6:1234

 

}

 

 

Then I have 3 VIPs that all use the same pool of servers e.g.:

 

 

virtual VS_NODES_1 {

 

pool POOL_WITH_6NODES

 

destination 172.1.1.1:1234

 

ip protocol tcp

 

}

 

virtual VS_NODES_2 {

 

pool POOL_WITH_6NODES

 

destination 172.1.1.2:1234

 

ip protocol tcp

 

}

 

virtual VS_NODES_3 {

 

pool POOL_WITH_6NODES

 

destination 172.1.1.3:1234

 

ip protocol tcp

 

}

 

 

What I need is that when any one of my 6 servers will connect to external host e.g. host1=10.1.1.1 then the internal IP will be SNATted to 172.1.2.100

 

host2=10.2.2.2 then the internal IP will be SNATted to 172.1.2.101

 

host3=10.3.3.3 then the internal IP will be SNATted to 172.1.2.102

 

 

How can I do this?

 

 

 

 

config
design

3 Replies

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Oct 14, 2011
    You passing through a firewall? If so, NAT there.

     

     

    If not...

     

     

    You could create a VS that the outbound traffic is forwarded through. If these are the only 6 servers on the VLAN, you can set SNAT on the VS. If there's more servers on the VLAN and you don't want to SNAT them, then you could put an iRule on the VS to check the clientip and perform a SNAT if and only if the clientip is one of the 6 and the destip is the target (Or in a target list) [Note, I'd use a datagoup/class for holding the IP addresses of the clients and servers...

     

     

    H
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 15, 2011
    e.g. 

    [root@iris:Active] config  b class myservers list
class myservers {
   {
      host 192.168.1.1
      host 192.168.1.2
      host 192.168.1.3
      host 192.168.1.4
      host 192.168.1.5
      host 192.168.1.6
   }
}

[root@iris:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        if {[class match [IP::remote_addr] equals myservers]} {
                switch [IP::local_addr] {
                        "10.1.1.1" { snat 172.1.2.100 }
                        "10.2.2.2" { snat 172.1.2.101 }
                        "10.3.3.3" { snat 172.1.2.102 }
                        default {  do something }
                }
        }
}
}