SNAT by Destination IP

Question

I want to mask a network behind an SNAT IP address based on the following criteria: either the leaving interface (WAN) or the desitination IP. Is there a way to solve that by configuration utility? Or do I need to write an intelligant SNAT iRule? Any suggestions? Currently I have 3 Interfaces. The customer interface (network) should be able to send traffic to the internet, by passing the f5 external Interface with an SNAT. But the customer network is also able to communicate to other RFC1918 networks via f5 internal interface. Unfortunatelly when I configure an SNAT, the customers network IP is always translated, even if the traffic is send through internal interface. This leads into routing errors. Can somebody help?

what_lies_bene1 · Answer

You'll need an iRule I'd say and a Virtual Server to run it through. The VS will only need to be enabled on the customer network. Apply the SNAT to the VS and also an iRule that simply checks the destination IP (you can check for an egress interface) and if it matches one of the internal networks (perhaps listed in a data group) simply disable the SNAT. If you need help with any of that, let me know.

kim_kipp_49723 · Answer

I already have a wildcard virtual server connected to all interfaces. So I can append the iRule to that virtual server. Well I'm not that familar with iRule, just at the beginning. So it would be very helpful if you can post some syntax.&nbsp;
Network 192.168.10.16/28 should be natted to x.x.x.x if it is going out on interface "TestWAN". If it is going out on interface TestLAN it should not be natted. The network 192.168.10/16 is not a direct attached network to F5!&nbsp;

what_lies_bene1 · Answer

Just putting something together now. As I said it can't be done based on egress interface, only destination IP/subnet. Is there more than one?

what_lies_bene1 · Answer

So, assuming you don't apply the SNAT to the Virtual Server and want to do it all with an iRule, something like this will work if the TESTLAN destination is a single subnet;
when CLIENT_CONNECTED {
 Check if the client source IP is from the internal network
 if { [IP::addr [IP::client_addr] equals 192.168.10/16] } {
  If so, check if the destination IP is in the TESTLAN
  if { [IP::addr [IP::local_addr] equals x.x.x.x/xx] } {
   If so, don't SNAT
   snat none }
   If not, SNAT
  else {
   snat 'name or snat here or specific address'
   }
 }
}

kim_kipp_49723 · Answer

Tried this already, but it doesn't work. when logging the value [IP::remote_addr] it's showing the client IP, same as [IP::client_addr]. This is very strange to me. Cross-checked it twice... Log example: "client 192.168.10.30 remote 192.168.10.30 SNAT yes" Might this happen because of the wildcard virtual server?

Forum Discussion

SNAT by Destination IP

10 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question about adding VEs to existing physical appliance device group without ASM licenses

2026 301a exam

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

What is the best practice for migrating from iseries to rseries?

BIG-IP i11000 – License compatibility with TMOS versions above 14.1.2 and Web GUI inaccessible

Related Content

Destination Snat Using DNS

Destination address at F5

SNAT based on source and destination

SNAT pool persistence

Block destination IP by source IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS