For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shawn_Puckett_8's avatar
Shawn_Puckett_8
Icon for Nimbostratus rankNimbostratus
Jul 18, 2006

SNAT iRules for Multiple Gateways

Short description: I need to use different gateways out of the F5 for SNAT IPs.     Longer version: I need some of my systems that sit behind the Big-IP to NAT to different IPs so I can have our...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Jul 18, 2006
Hi Shawn -

The gateway pool members can be monitored by multiple transparent monitors to external IP destinations via ICMP or other protocols, rather than using the default ICMP monitor. Doc on transparent monitors is here: Click here

For outbound traffic, create the pools and the SNATs to match the virtual servers as you mention above, and also a wildcard virtual server enabled on the internal VLAN (Click here,

Click here). Then apply the rule to the wildcard virtual server. The basic idea behind the rule you show would work, with one modification:
when CLIENT_ACCEPTED {
  if {[IP::addr [IP::remote_addr] equals 192.168.72.65/28]} {
    pool gateway-2
  } else {
    pool gateway -1
  }
}
CLIENT_ACCEPTED happens before the SNAT, and IP::local_addr in CLIENT_ACCEPTED is the address local to the BIG-IP (in this case the destination IP) so you'll want to look instead for the real IP.

HTH

/deb