Forum Discussion

VFB
Dec 22, 2017

SNAT not working

I've been working on this issue all day - I'm using a virtual device as a passthrough between the internal network and DMZ. I need to NAT a subnet in the 10.X.X.X space when going to the internet and keep it native when it's accessing 10.X.X.X networks.

    ltm snat-translation 20.15.30.98 {
        address 20.15.30.98
        inherited-traffic-group true
        partition DMZ
        traffic-group /Common/traffic-group-1
    }
    ltm virtual ip-forwarding {
        destination 10.22.32.0%1:any
        ip-forward
        mask 255.255.224.0
        partition DMZ
        profiles { /Common/fastL4 { } }
        source 10.22.12.0/24
        translate-address disabled
        translate-port disabled
        vlans { vlan12-dmz vlan120-dmz }
        vlans-enabled
        vs-index 25
    }
    ltm virtual ip-forwarding-default {
        destination 0.0.0.0%1:any
        ip-forward
        mask any
        partition DMZ
        profiles { /Common/fastL4 { } }
        source 10.22.12.0/24
        translate-address disabled
        translate-port disabled
        vlans { vlan12-dmz vlan4-dmz-ext }
        vlans-enabled
        vs-index 26
    }
    net route route_10.22.32.0_19 {
        gw 10.22.120.1
        network 10.22.32.0/19
        partition DMZ
    }
    net route default-route {
        gw 20.15.30.97
        network default
        partition DMZ
    }

6 Replies

  • How did you apply the SNAT IP 20.15.30.98 to the ip-forwarding-default virtual server?

    Shouldn't it be easier to create a SNAT pool and assign it to the virtual server?

    • VFB

      No virtual server configured. This is a subnet with servers behind it that needs to call the internet for service patches, which I need to NAT while going outbound but keep native when I'm inside my RFC1918.


  • Next time you ask a question, post formatted code. Here is the formatted configuration:

    ltm snat-translation 20.15.30.98 {
        address 20.15.30.98
        inherited-traffic-group true
        partition DMZ
        traffic-group /Common/traffic-group-1
    }
    ltm virtual ip-forwarding {
        destination 10.22.32.0%1:any
        ip-forward
        mask 255.255.224.0
        partition DMZ
        profiles { /Common/fastL4 { } }
        source 10.22.12.0/24
        translate-address disabled
        translate-port disabled
        vlans { vlan12-dmz vlan120-dmz }
        vlans-enabled
        vs-index 25
    }
    ltm virtual ip-forwarding-default {
        destination 0.0.0.0%1:any
        ip-forward
        mask any
        partition DMZ
        profiles { /Common/fastL4 { } }
        source 10.22.12.0/24
        translate-address disabled
        translate-port disabled
        vlans { vlan12-dmz vlan4-dmz-ext }
        vlans-enabled
        vs-index 26
    }
    
    net route route_10.22.32.0_19 {
        gw 10.22.120.1 network 10.22.32.0/19 partition DMZ
    }
    
    net route default-route {
        gw 20.15.30.97 network default partition DMZ
    }
  • No virtual server configured. This is a subnet with servers behind it that needs to call the internet for service patches that I need to NAT while going outbound but remain native when I'm inside my RFC1918.

    Okay, what about creating a SNAT list to SNAT outbound traffic, and an RFC1918 network virtual server with SNAT disabled for traffic destined to the RFC1918 subnet?

    "SNAT objects take effect on all traffic through a system, even a virtual server, unless that traffic is already subjected to SNATs by the virtual server"

    K9038: The order of precedence for local traffic object listeners

    https://support.f5.com/csp/article/K9038
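The thread ends on two points worth seeing side by side: the more specific destination listener wins (the 10.22.32.0/19 forwarding virtual server is chosen over the 0.0.0.0/0 one), and a system-wide SNAT object still translates a flow that passes through a virtual server unless that virtual server does SNAT itself. The following Python model is an added example written for this page, not F5 code and not the poster's configuration; it reuses the listener names, networks and translation address from the thread, ignores route domains, VLANs and ports, and uses 198.51.100.10 as a constructed "internet" destination. It contrasts the per-virtual-server SNAT design suggested in the first reply with the system-wide SNAT variant the quoted K9038 text warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardingVS:
    """A forwarding (ip-forward) virtual server, matched by destination network."""
    name: str
    destination: str             # destination network the listener owns
    source: str                  # source network the listener accepts
    snat_address: Optional[str]  # translation bound to this VS, or None for native source


@dataclass(frozen=True)
class SnatObject:
    """A system-wide SNAT object (the 'SNAT list'): translate any flow from these origins."""
    origins: tuple
    translation: str


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def pick_listener(src: str, dst: str, table) -> Optional[ForwardingVS]:
    """Return the matching VS with the most specific destination, or None if nothing matches."""
    candidates = [vs for vs in table if _in(dst, vs.destination) and _in(src, vs.source)]
    if not candidates:
        return None
    # Simplified precedence model: longest destination prefix wins.
    return max(candidates, key=lambda vs: ipaddress.ip_network(vs.destination).prefixlen)


def egress_source(src: str, dst: str, table, global_snat: Optional[SnatObject] = None) -> dict:
    """Decide which listener handles the flow and which source address the destination sees."""
    vs = pick_listener(src, dst, table)
    if vs is None:
        return {"listener": None, "source_seen": None}  # no listener: flow is not forwarded
    if vs.snat_address:
        seen = vs.snat_address                           # the VS performs SNAT itself
    elif global_snat and any(_in(src, o) for o in global_snat.origins):
        seen = global_snat.translation                   # system-wide SNAT still applies
    else:
        seen = src                                       # native source address
    return {"listener": vs.name, "source_seen": seen}


# Design from the first reply: SNAT bound only to the default (internet-facing) listener.
PER_VS_SNAT = (
    ForwardingVS("ip-forwarding", "10.22.32.0/19", "10.22.12.0/24", None),
    ForwardingVS("ip-forwarding-default", "0.0.0.0/0", "10.22.12.0/24", "20.15.30.98"),
)

# Variant from the last reply: no SNAT on either VS plus a system-wide SNAT object.
NO_VS_SNAT = (
    ForwardingVS("ip-forwarding", "10.22.32.0/19", "10.22.12.0/24", None),
    ForwardingVS("ip-forwarding-default", "0.0.0.0/0", "10.22.12.0/24", None),
)
GLOBAL_SNAT = SnatObject(origins=("10.22.12.0/24",), translation="20.15.30.98")

if __name__ == "__main__":
    # Constructed sample flows: one internal (RFC1918) destination, one internet destination.
    flows = [("10.22.12.10", "10.22.40.5"), ("10.22.12.10", "198.51.100.10"), ("10.22.99.1", "198.51.100.10")]
    for src, dst in flows:
        print("per-VS SNAT  ", src, "->", dst, egress_source(src, dst, PER_VS_SNAT))
        print("global SNAT  ", src, "->", dst, egress_source(src, dst, NO_VS_SNAT, GLOBAL_SNAT))
```

Running it shows the difference the thread is circling: with SNAT on the default listener only, 10.22.12.10 reaches 10.22.40.5 with its native address and reaches the internet as 20.15.30.98; with a system-wide SNAT object and no SNAT on the virtual servers, the internal flow is translated as well, which is exactly the behaviour the quoted sentence describes. A source outside 10.22.12.0/24 matches no listener in either table.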