Forum Discussion
shawmcbigdis_84
Nimbostratus
Jul 23, 2009
SNAT iRule problem
I'm trying to get SNAT to work for only outbound internet connections, not for internal addresses. I am using the following rule:
when SERVER_CONNECTED {
Compare destina...
hoolio
Cirrostratus
Jul 23, 2009
Hi Shawn,
The SERVER_CONNECTED event is too late to change the SNAT configuration as the serverside connection has already been established. It should work if you change to LB_SELECTED which is triggered when a load balancing decision has been made. You would also want to use LB::server to get the IP address of the selected destination host instead of IP::server_addr.
[Edit: as Denny pointed out, if this is a VIP with address translation disabled (like a forwarding VIP), you could use CLIENT_ACCEPTED and IP::local_addr to check the destination IP address.]
That said, you could probably define two separate virtual servers--one enabled only on the external VLAN for external clients and one on the internal VLAN only for internal clients. You could then enable SNAT only on the one virtual server.
Aaron
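
An added example, not part of the original posts: an iRule that makes the SNAT decision in LB_SELECTED, as the reply above suggests. It assumes "internal" means the RFC 1918 private ranges and that outbound traffic should use SNAT automap; adjust both to the actual network.

```tcl
# Added example (not from the thread): choose SNAT per connection
# after load balancing has picked a destination, before the
# serverside connection is opened.
when LB_SELECTED {
    # IP address of the selected destination host
    set dst [LB::server addr]

    # Assumption: internal destinations are the RFC 1918 ranges
    if { [IP::addr $dst equals 10.0.0.0/8] ||
         [IP::addr $dst equals 172.16.0.0/12] ||
         [IP::addr $dst equals 192.168.0.0/16] } {
        # Internal destination: keep the client's source address
        snat none
    } else {
        # Internet-bound destination: translate the source address
        # (assumption: automap to a self IP on the egress VLAN)
        snat automap
    }
}
```

On a virtual server with address translation disabled, the same comparison can be made in CLIENT_ACCEPTED against IP::local_addr, as noted in the reply.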