Forum Discussion

Damián_41877 (Nimbostratus) · Jun 13, 2011

SNAT only for outbound connections to external IP addresses

Hi guys



I need to create an iRule to SNAT the outbound connections ONLY when their destination is the internet, i.e., when the destination IP address does not belong to the internal addresses (INTRANET): are the INTRANET IP addresses. are the private IP addresses. are the (fictitious) PUBLIC IP addresses



When a *private* node (for instance, tries to open a connection to the internet (FTP, wget, ...) the company firewall denies it. Therefore, I must ask the security team to allow EVERY connection to go out through the firewall.


But if those outbound connections were originated from a PUBLIC IP address (for instance, no request to the security team would be needed (because the firewall allows outbound connections from any PUBLIC node). My idea is to use SNAT ONLY in those cases.



What is the most suitable event?



Thanx in advance


5 Replies

  • can u try this?

        # compare the destination against each internal subnet
        # (the subnet operands of the three equals clauses are not shown on the page)
        if {!([IP::addr [IP::local_addr] equals]) and \
            !([IP::addr [IP::local_addr] equals]) and \
            !([IP::addr [IP::local_addr] equals])} {
            snat X.X.X.X
        }




  • Or you could add the IP ranges to an address type datagroup and then use the class match command (v10) or matchclass command (v9) to look up the client's destination address:
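    Putting the two suggestions together (nitass's if-chain and the data-group lookup), here is a complete iRule as an added example; it is not code from this thread or from F5. It assumes BIG-IP v10+ for the class command, an address-type data group named internal_nets and a SNAT address of 198.51.100.10; all three are placeholders chosen for this example, and the private ranges listed for the data group are sample RFC 1918 blocks, not the poster's real addressing.

    ```tcl
    # Added example, not code from the thread. Assumes BIG-IP v10+ (class command),
    # an address-type data group named "internal_nets" and a SNAT address of
    # 198.51.100.10; all three are placeholders for this example.
    #
    # Data group contents (constructed sample; replace with your own ranges):
    #   ltm data-group internal internal_nets {
    #       records { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
    #       type ip
    #   }
    when CLIENT_ACCEPTED {
        # On a forwarding (wildcard) virtual server, IP::local_addr is the
        # client's real destination, so that is the address to classify.
        set dst [IP::local_addr]

        # v9 equivalent of the lookup below:
        #   if { [matchclass $dst equals $::internal_nets] } { ... }
        if { [class match $dst equals internal_nets] } {
            # Destination is inside the intranet: keep the client's real
            # source address. "snat none" is explicit so a SNAT pool or
            # automap configured on the virtual server is not inherited here.
            snat none
        } else {
            # Destination is outside: translate to the public address so the
            # firewall's "any public node may go out" rule applies.
            snat 198.51.100.10
            # Audit trail of which internal node left via the SNAT address.
            log local0.info "SNAT applied: [IP::client_addr] -> $dst"
        }
    }
    ```

    CLIENT_ACCEPTED is the right event because the snat command must run before the server-side connection is opened, and the destination is already known at that point. Note the failure mode: any destination missing from the data group is treated as external and gets SNATed, so keep internal_nets in step with the address plan; the log line gives a quick way to spot internal traffic that unexpectedly took the SNAT path.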






  • Colin_Walker_12 (Historic F5 Account)
    Generally speaking the class commands (v10) are going to be faster than a multiple if comparison, if performance is an issue. They're also far more scalable.



  • Thanks everybody

    The iRule code provided by nitass worked fine!

    And the matchclass command also ran fine.


  • Colin_Walker_12 (Historic F5 Account)
    Awesome, that's good news. Keep DC in mind if you've got more questions.