Forum Discussion

Maxim_Taskov_90's avatar
Maxim_Taskov_90
Icon for Nimbostratus rankNimbostratus
Jun 05, 2008

SNAT Based on Source and Destination

I hope you can help ... thanks.

 

 

I am trying to apply conditional SNAT based on source and destination for any service otherwise leave them alone and allow the static NAT to take effect. What I did is ...

 

 

NOTE: The client servers normally have static NATs applied.

 

 

1. Created Forwarding (IP) VIP available only on the VLAN where the client servers reside with the following configuration:

 

 

virtual vsANY-NodeNet

 

destination any:any

 

disable

 

ip forward

 

rule snat_rule

 

vlans NodeNet enable

 

 

NOTE: NodeNet is the VLAN where the client servers reside.

 

 

2. Created an iRule labeled 'snat_rule' as follows:

 

 

when CLIENT_ACCEPTED {

 

if {[matchclass IP::local_addr eq $::the_destination_ip] and [matchclass IP::client_addr eq $::the_source_ip]} {

 

snat 10.10.1.1

 

} else {

 

snat none i tried using 'forward' here too

 

}

 

}

 

 

2a. I tried this too:

 

 

when CLIENT_ACCEPTED {

 

if {[matchclass IP::local_addr eq $::the_destination_ip]} {

 

snat 10.10.1.1

 

} else {

 

snat none i tried using 'forward' here too

 

}

 

}

 

 

 

The result was that all traffic matched the rule and everything started failing, because traffic destined for the internal network is subjected to specific firewall rules, which include source, destination and port as the rule parameters. After this new iRule, the server static NATs are not applied rather all get the 10.10.1.1 SNAT, which obviously is not in any of the firewall rules.

 

 

Technically the iRule could be based on matching the destination only but I included the source too as I thought that it will be less invasive/more efficient the more specific it is. Was I correct?

 

 

HELP !!!
application delivery
dev
devops
iRules

14 Replies

Sort By
Show More
  • Maxim_Taskov_90's avatar
    Maxim_Taskov_90
    Icon for Nimbostratus rankNimbostratus
    Jun 05, 2008
    That can't be true citizen_elah. I already have similar rules/configurations. The only difference between this one and the other ones is that the others have a more specific VS, e.g. it is a wildcard destination but specific service and protocol. This one is a wildcard on everything ... destination, service, and protocol. I don't see how that would affect it but I would not place any bets either as I am not that familiar with the LTM internals.

     

     

    Anyway, the good news is that I made progress.

     

     

    First, I resolved my 'outbound traffic failing' problem by rearranging the rule a little as follows:

     

     

    when CLIENT_ACCEPTED {

     

    if { [matchclass [IP::client_addr] equals $::the_source_ip]} {

     

    if { [matchclass [IP::local_addr] equals $::the_destination_ip]} {

     

    snat 10.10.1.1

     

    } else {

     

    forward

     

    }

     

    }

     

    }

     

     

    Don't ask me why or how, but flipping the source and destination match clause positions and changing from an 'and' to multiple 'if' statements fixed it.

     

     

    Second, I was still not getting any hits on the SNAT or any signs of live packets going in that direction. Just for fun I synchronized the config with the standby unit and went to test from it ... everything worked as expected. Then failed over the current Active unit and it is still working. Now I have to figure out what is wrong with the original Active unit that it works half way only. The curious thing is that all other configurations I have on it work fine and nobody is complaining or reporting any anomalies.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 05, 2008
    Then the documentation is wrong. I'd be really curious to see a scrubbed version of your configuration.
  • Maxim_Taskov_90's avatar
    Maxim_Taskov_90
    Icon for Nimbostratus rankNimbostratus
    Jun 06, 2008
    I can certainly offer any configuration pieces of interest to you.

     

     

    Now the funny part ... I found why it wasn't working on the primary unit. It is a port issue. I noticed few other anomalies on the device. One of them was that inbound and outbound PING tests to the port used in the iRule were visible in tcpdump on the interface but not really acknowledged with a Reply or Timeout. I switched the VLAN cable to another vacant port on the device and everything is working as expected. What a crazy case.

     

     

    Thanks for your help and guidance and sorry for the false alarm ... I am calling F5 tech support for RMA now.

     

     

    Cheers ...
  • Elias_O_16228's avatar
    Elias_O_16228
    Icon for Nimbostratus rankNimbostratus
    Jun 19, 2017

    I have posted on this link below before I saw this thread. I know this is old thread, but it appears similar to my problem.

     

    https://devcentral.f5.com/questions/two-snat-irule-with-same-origin-ip-addresses-54056comment50703

     

    The SNAT1 VIP is currently 443 and SNAT2 VIP is only port 80.

     

    I want some SSL traffic going through SNAT2 as well (443 and 80).

     

    The SNAT1 traffic is only to two destinations, which could be URL or IP address.

     

    The goal is to add https traffic to SNAT2 (https and http) via irule.

     

    If https and http SNAT to SNAT2 virtual IP (default)

     

    If https://www.abc123.com and/or https://www.utts123.com SNAT to SNAT1 virtual server.

     

    I am running version 12.1.1. There used to be SNAT rule on version 10.x where you can define the ip addresses, but it appears missing on 12.x.