The VIP is showing disabled in your config snippet--I assume it was enabled when you were testing? Also, the IP::client_addr and IP::local_addr commands need to be enclosed in square braces in order to be executed. I would think that the conditional should have failed and no SNAT would have been used.
Can you retest with the VIP enabled and the commands bracketed?
when CLIENT_ACCEPTED {
if {[matchclass [IP::local_addr] equals $::the_destination_ip] and [matchclass [IP::client_addr] equals $::the_source_ip]} {
log local0. "[IP::client_addr]: using SNAT for [IP::local_addr]"
snat 10.10.1.1
} else {
log local0. "[IP::client_addr]: not using SNAT for [IP::local_addr]"
snat none
}
}
Aaron
Nimbostratus
