For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Edouard's avatar
Edouard
Icon for Cirrus rankCirrus
Mar 17, 2020
Solved

SNAT based on source and destination

Greetings,   I am working on Forwarding (IP) VS.   I have used the next:   when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals VPN-SUBNET] } { if {[class match [IP::remote...
BIG-IP
iRules
LTM
security
ssl
vpn
  • Simon_Blakely's avatar
    Simon_Blakely
    Mar 17, 2020

    The problem you have is that in CLIENT_ACCEPTED, IP::client_addr and IP::remote_addr are the same IP address

     

    > IP::remote_addr

    > Description

    > Returns the IP address of the host on the far end of the connection.

    > In the clientside context, this is the client IP address.

     

     You can check IP::server_addr, but I'm not entirely sure it will be valid in context.

     

    You probably need a specific virtual server for the required destination, and can then apply the SNAT for some specific client IP addresses.

     

Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Mar 17, 2020

The problem you have is that in CLIENT_ACCEPTED, IP::client_addr and IP::remote_addr are the same IP address

 

> IP::remote_addr

> Description

> Returns the IP address of the host on the far end of the connection.

> In the clientside context, this is the client IP address.

 

 You can check IP::server_addr, but I'm not entirely sure it will be valid in context.

 

You probably need a specific virtual server for the required destination, and can then apply the SNAT for some specific client IP addresses.