Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

anuj_2931's avatar
anuj_2931
Icon for Nimbostratus rankNimbostratus
Aug 13, 2012

SNAT irule question

Hi Guys, On a Virtual server, which has apache servers as pool memebers, we have snat enabled on it. The servers are in 192.168.14.0/24 subnet. The other subnet in our network is192.168.10.0. The ...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 13, 2012
Hi Anuj,

That sounds about right. If you're on 9.4.4 or higher, you should remove the $:: prefix on the Hosts data group name. Also, you don't need to use the forward command to avoid SNAT--just leave the else clause off and any client IP which isn't in the Hosts data group will not be SNAT'd:

Hi Anuj,

If the clients are on the same subnet as the servers you must SNAT them to ensure the servers reply back to the client through LTM. If the servers' default gateway is set to the LTM self IP on their subnet, all clients not local to the server subnet would be fine without SNAT. To do this a bit simpler, you could use this iRule:

http://devcentral.f5.com/wiki/iRules.SelectiveSNAT.ashx

If you do need to specify other subnets you want to SNAT, you can use this simplified iRule. Note that for 9.4.4 and higher, you should remove the $:: prefix from the data group name in the iRule. And you don't need to use the forward command to avoid SNAT--just leave out the else clause. 


when CLIENT_ACCEPTED {

    Check if client_addr is in the Hosts data group
   if { [matchclass [IP::client_addr] equals Hosts] } {

       Apply SNAT just for this connection
      snat automap
   }
}

Aaron