Forum Discussion

Nimbostratus

Aug 18, 2013

SNAT iRule needed - 1:1 mappings

I have a situation where logging is needed for the admins to see the real ip addresses but I need to keep snat in place. Can someone provide a sample iRule that will allow me to make static nat mappi...

Altocumulus

Aug 18, 2013

There are several other ways you could tackle this problem.

I think the simplest is to enable the "Insert X-Forwarded-For" in the http profile attached to your virtual server. Doing this, you will be able to parse the web servers' log files for the clients you are interested in.

Alternatively, you can add a simple irule to the virtual which logs to the BigIP itself, then you can log in the /var/log/ltm:

ltm data-group internal big-customer-class {
    records {
        10.1.2.3/32 { }
        10.2.3.4/32 { }
        10.3.4.5/32 { }
        10.4.5.6/32 { }
    }
    type ip
}

ltm rule log-big-customers-rule {
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals big-customer-class] } {
            log  "Customer [IP::client_addr] requested [HTTP::host][HTTP::uri]"
        }
    }
}

Or, you can do it the way you suggested, create a data-group with the client IPs and the corresponding SNAT addresses:

ltm data-group internal big-customer-class {
    records {
        10.1.2.3/32 { 192.168.1.1 }
        10.2.3.4/32 { 192.168.1.2 }
        10.3.4.5/32 { 192.168.1.3 }
        10.4.5.6/32 { 192.168.1.4 }
    }
    type ip
}

ltm rule snat-big-customers-rule {
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals big-customer-class] } {
            snat [class match -value [IP::client_addr] equals big-customer-class]
        }
    }
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)