Forum Discussion
SNAT iRule needed - 1:1 mappings
I have a situation where logging is needed for the admins to see the real IP addresses, but I need to keep SNAT in place. Can someone provide a sample iRule that will allow me to make static NAT mappings to each of the four "important" clients? The rest of the clients can use the default automap SNAT. If I can use four SNAT addresses but always have a particular SNAT tied to a specific client address, then I can log this and satisfy the security need. They just need to see who is hitting the VIP, especially the four specific clients.
Thank you,
7 Replies
- Kevin_Stewart
Employee
At a minimum, perhaps something like this:
    # Event name corrected from CLIENTED_ACCEPTED; the SNAT is chosen once per connection
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            "10.10.10.10" { snat 192.169.42.10 }
            "10.10.10.11" { snat 192.168.42.11 }
            "10.10.10.12" { snat 192.168.42.12 }
            "10.10.10.13" { snat 192.168.42.13 }
            default { snat automap }
        }
    }

You could also do this very nicely with a datagroup definition. I'd also add that enabling an X-Forwarded-For header for HTTP traffic is as easy as enabling it in the HTTP profile.
- Christian_15126
Nimbostratus
Are these HTTPS connections? If so, then you can simply enable X-Forwarded-For in the HTTP profile and see the source of all HTTP connections in the Apache or IIS logs.
- Christian_15126
Nimbostratus
Either HTTP or HTTPS connections.
- uni
Altocumulus
There are several other ways you could tackle this problem.
I think the simplest is to enable "Insert X-Forwarded-For" in the HTTP profile attached to your virtual server. Doing this, you will be able to parse the web servers' log files for the clients you are interested in.
Alternatively, you can add a simple iRule to the virtual which logs to the BIG-IP itself; the entries then show up in /var/log/ltm:

    ltm data-group internal big-customer-class {
        records {
            10.1.2.3/32 { }
            10.2.3.4/32 { }
            10.3.4.5/32 { }
            10.4.5.6/32 { }
        }
        type ip
    }

    ltm rule log-big-customers-rule {
        when HTTP_REQUEST {
            if { [class match [IP::client_addr] equals big-customer-class] } {
                log "Customer [IP::client_addr] requested [HTTP::host][HTTP::uri]"
            }
        }
    }

Or, you can do it the way you suggested: create a data-group with the client IPs and the corresponding SNAT addresses:

    # tmsh record values are given with the "data" keyword
    ltm data-group internal big-customer-class {
        records {
            10.1.2.3/32 { data 192.168.1.1 }
            10.2.3.4/32 { data 192.168.1.2 }
            10.3.4.5/32 { data 192.168.1.3 }
            10.4.5.6/32 { data 192.168.1.4 }
        }
        type ip
    }

    ltm rule snat-big-customers-rule {
        when HTTP_REQUEST {
            if { [class match [IP::client_addr] equals big-customer-class] } {
                # the data-group value for the matching client is the SNAT address
                snat [class match -value [IP::client_addr] equals big-customer-class]
            }
        }
    }

- Lee_Payne_53457
Cirrostratus
Is SNAT an actual requirement? You could always set the default gateway of the servers to be the LTM floating IP and disable SNAT. That way you get the true client IP for anything, which is useful if the app doesn't support the X-Forwarded-For header (or it is a non-HTTP/HTTPS app).
- John_Ogle_45372
Nimbostratus
lapayne,
The non-HTTP servers do not reside on the same subnet as the LTM. This is a one-armed config with one external VLAN. Everything is routing at this point.
To disable SNAT... if I add an additional VLAN and plug into the servers' VLAN, then I could point them to the F5 as their default gateway, but that will also require a 0.0.0.0 forwarding VS, correct?
Thank you,
- nitass
Employee
To disable SNAT... if I add an additional VLAN and plug into the servers' VLAN, then I could point them to the F5 as their default gateway, but that will also require a 0.0.0.0 forwarding VS, correct?
Yes. Anyway, don't you have a wildcard virtual server (i.e. 0.0.0.0:0/0) currently? How do you apply the SNAT?
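The thread's data-group approach, as an added example that is not from any of the posters: the lookup runs in CLIENT_ACCEPTED rather than HTTP_REQUEST so the same 1:1 SNAT and log line apply to the non-HTTP virtuals mentioned above, and the unmapped clients fall back to automap. The data-group name `static-snat-class` and the addresses are assumptions.

```tcl
# tmsh definition assumed by this iRule (names and addresses are made up for the example):
#   ltm data-group internal static-snat-class {
#       records {
#           10.1.2.3/32 { data 192.168.1.1 }
#           10.2.3.4/32 { data 192.168.1.2 }
#           10.3.4.5/32 { data 192.168.1.3 }
#           10.4.5.6/32 { data 192.168.1.4 }
#       }
#       type ip
#   }
when CLIENT_ACCEPTED {
    # Value of the matching record is the SNAT address for this client;
    # class match -value returns an empty string when the client is not listed.
    set mapped [class match -value [IP::client_addr] equals static-snat-class]
    if { $mapped ne "" } {
        # Fixed 1:1 mapping, so the SNAT address in server-side logs identifies the client
        snat $mapped
        # Record the mapping on the BIG-IP too (/var/log/ltm) for the admins' audit trail
        log local0. "client [IP::client_addr] -> snat $mapped for vs [IP::local_addr]"
    } else {
        # Everyone else keeps the existing automap behaviour
        snat automap
    }
}
```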