Forum Discussion
anuj_2931
Aug 13, 2012 (Nimbostratus)
SNAT irule question
Hi Guys,
On a virtual server, which has Apache servers as pool members, we have SNAT enabled. The servers are in the 192.168.14.0/24 subnet. The other subnet in our network is 192.168.10.0/24. The F5 LTM has floating IPs for both subnets.
Now I want to remove SNAT because we want to get the client IPs that come over the internet to access our webservers.
Currently on our apache server, the default gateway is set as 192.168.14.1 (edge firewall).
This is my plan to make this happen. Please let me know if this looks good.
1. Remove SNAT on virtual server.
2. Add an iRule which does "snat automap" if the client is local (192.168.10.0/24 or 192.168.14.0/24). Otherwise just forward.
when CLIENT_ACCEPTED {
   # check if client_addr matches any entry in the class
   if { [matchclass [IP::client_addr] equals $::Hosts] } {
      snat automap
   } else {
      # don't do any source address translation, just forward as-is
   }
}
3. Add the default gateway as 14.236 (floating IP of the LTM). Add static routes for 10.0/24 and 14.0/24 pointing to the firewall (14.1).
Do you think this will work?
- hoolio (Cirrostratus) Hi Anuj,
when CLIENT_ACCEPTED {
   # Check if client_addr is in the Hosts data group
   if { [matchclass [IP::client_addr] equals Hosts] } {
      # Apply SNAT just for this connection
      snat automap
   }
}
- hoolio (Cirrostratus) Here's the selective SNAT example I was referring to. You can use this if you want to only SNAT when the client and server are on the same subnet.
when LB_SELECTED {
   if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
      snat automap
   }
}
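The following is an added example, not code from this thread or from F5. It models the question behind the OP's plan (step 3) and Aaron's two replies: once SNAT is removed, will Apache's reply for a given client still come back through the LTM? If the server's route table sends the reply anywhere else, the LTM never sees the return half of the un-SNATed TCP connection and it breaks, so that client must be SNATed. The server route table, the pool member 192.168.14.20 and the sample client addresses are constructed assumptions built from the thread; the floating IP 192.168.14.236 and firewall 192.168.14.1 are from the post. The two iRule predicates (data-group match in CLIENT_ACCEPTED, same-/24 test in LB_SELECTED) are re-expressed in Python so their decisions can be checked against what the route table actually requires.

```python
"""Return-path check for a non-SNAT virtual server (added example)."""
import ipaddress

# --- Assumed topology, constructed from the thread (not a device dump) -----
LTM_FLOATING_14 = ipaddress.ip_address("192.168.14.236")   # from the OP's post
FIREWALL_14 = ipaddress.ip_address("192.168.14.1")         # from the OP's post
SERVER = ipaddress.ip_address("192.168.14.20")             # assumed pool member

# Route entries: (destination network, gateway). gateway=None means on-link.
# OP's step 3: default via the LTM floating IP, 10.0/24 via the firewall.
ROUTES_GW_LTM = [
    (ipaddress.ip_network("192.168.14.0/24"), None),
    (ipaddress.ip_network("192.168.10.0/24"), FIREWALL_14),
    (ipaddress.ip_network("0.0.0.0/0"), LTM_FLOATING_14),
]
# Current state per the OP: the default gateway is still the edge firewall.
ROUTES_GW_FIREWALL = [
    (ipaddress.ip_network("192.168.14.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), FIREWALL_14),
]
LTM_HOPS = {LTM_FLOATING_14}

# Equivalent of the "Hosts" data group in the replies: the two local subnets.
HOSTS = [ipaddress.ip_network("192.168.10.0/24"),
         ipaddress.ip_network("192.168.14.0/24")]


def next_hop(dst, routes):
    """Longest-prefix match over `routes`; returns (network, gateway) or None."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def reply_returns_via_ltm(client, routes, ltm_hops=LTM_HOPS):
    """True if the server hands its reply to an LTM address, so the LTM sees
    both directions and the connection works without SNAT."""
    match = next_hop(client, routes)
    if match is None:
        return False        # no route at all: the reply is dropped
    _net, gw = match
    if gw is None:
        return False        # on-link client: server ARPs for it directly, LTM bypassed
    return gw in ltm_hops


def snat_by_data_group(client, hosts=HOSTS):
    """Mirror of the CLIENT_ACCEPTED rule: SNAT if the client is in Hosts."""
    return any(client in net for net in hosts)


def snat_by_same_subnet(client, server, prefixlen=24):
    """Mirror of the LB_SELECTED rule: SNAT when client and server share a /24."""
    return server in ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)


def audit(client_ip, server_ip=str(SERVER), routes=ROUTES_GW_LTM):
    """What the route table requires, next to what each iRule would decide."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    return {
        "snat_required": not reply_returns_via_ltm(client, routes),
        "data_group_rule": snat_by_data_group(client),
        "same_subnet_rule": snat_by_same_subnet(client, server),
    }


if __name__ == "__main__":
    # Constructed sample clients: one from the internet, one per internal subnet.
    for c in ("203.0.113.10", "192.168.10.50", "192.168.14.77"):
        print(c, "| step-3 routes:", audit(c),
              "| firewall default:", audit(c, routes=ROUTES_GW_FIREWALL))
```

Run against the step-3 route table, the data-group rule agrees with the return-path check for all three sample clients, while the same-subnet rule alone leaves 192.168.10.0/24 clients un-SNATed even though their replies go to the firewall per the static route. With the default gateway still on the firewall (the current state), an internet client's reply also bypasses the LTM, which is why step 3 is a prerequisite for removing SNAT at all.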
- anuj_2931 (Nimbostratus) Thanks, Aaron, for the response.