Forum Discussion

A__N_5261's avatar
A__N_5261
Icon for Nimbostratus rankNimbostratus
Dec 13, 2012

SNAT for Specific Subnet

Hi ,

 

 

we have 5 VIP we have enable Snat on pool member. can we enable SNAT in this way if traffic coming from 10.0.0.0/8 subnet. Snat should work otherwise not. is there any way with Irule or another way to do that.

 

 

 

 

Thanks

 

A.N

 

config
design

8 Replies

  • Ajmal_2608's avatar
    Ajmal_2608
    Icon for Nimbostratus rankNimbostratus
    Dec 13, 2012
    This should help

     

     

    when CLIENT_ACCEPTED {

     

    if { [IP::addr [IP::remote_addr] equals 10.0.0.0/8] } {

     

    snat automap

     

    } else {

     

    return

     

    }

     

    }
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Dec 13, 2012
    An SNAT is specified at the Virtual Server level, not the Pool or Member level. An iRule would be your best bet, something like this; 

    
when CLIENT_ACCEPTED {
 if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
  Use SNAT Automap if client IP is in this range
  snat automap
  Alternatively, specify a SNAT Pool instead
  snatpool name
  Stop processing the iRule for this event
  return
  }
 else {
  Stop processing the iRule for this event if no match
  return
  }
}
  • A__N_5261's avatar
    A__N_5261
    Icon for Nimbostratus rankNimbostratus
    Dec 13, 2012
    Hi,

     

     

    But we have only option to enable SNAT on pool level not on VIP level. let me correct if i am wrong

     

     

     

    Thanks

     

    A.N
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Dec 13, 2012
    You can only SNAT at the VIP level. However, if you specify a pool within an iRule you can SNAT differently per pool. Please clarify your requirements.
  • A__N_5261's avatar
    A__N_5261
    Icon for Nimbostratus rankNimbostratus
    Dec 13, 2012
    yes. i am looking for VIP level.

     

     

    Thanks for your help

     

     

     

     

    just last question . can we add two subnet as source in same IRULE . Like 10.0.0.0/8 and 192.168.2.0/24

     

     

     

     

     

     

    Thanks & Regards

     

     

    A.N
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Dec 13, 2012
    Great. You could add a second like this, there a few other ways you could do it too; 

    
when CLIENT_ACCEPTED {
 if { (([IP::addr [IP::client_addr] equals 10.0.0.0/8]) or ([IP::addr [IP::client_addr] equals 192.168.2.0/24 ])) } {
  Use SNAT Automap if client IP is in this range
  snat automap
  Alternatively, specify a SNAT Pool instead
  snatpool name
  Stop processing the iRule for this event
  return
  }
 else {
  Stop processing the iRule for this event if no match
  return
  }
}
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Dec 13, 2012
    This is a longer method but allows for different actions based on the source subnet; 

    
when CLIENT_ACCEPTED {
 if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
  Use SNAT Automap if client IP is in this range
  snat automap
  Stop processing the iRule for this event
  return
  }
 elseif { [IP::addr [IP::client_addr] equals 192.168.2.0/24] } {
  snatpool name
  Stop processing the iRule for this event
  return
  }
 else {
  Stop processing the iRule for this event if no match
  return
  }
}