Forum Discussion
Damián_41877 (Nimbostratus), Jun 13, 2011
SNAT only for outbound connections to external IP addresses
Hi guys
I need to create an iRule to SNAT outbound connections ONLY when their destination is the internet, i.e., when the destination IP address does not belong to the internal addresses (INTRANET):
10.9.0.0/16 are the INTRANET IP addresses.
172.172.172.0/24 are the private IP addresses.
200.201.202.0/24 are the (fictitious) PUBLIC IP addresses.
When a *private* node (for instance, 172.172.172.11) tries to open a connection to the internet (FTP, wget, ...), the company firewall denies it. Therefore, I must ask the security team to allow EVERY connection to go out through the firewall.
But if those outbound connections were originated from a PUBLIC IP address (for instance 200.201.202.5), no request to the security team would be needed (because the firewall allows outbound connections from any PUBLIC node). My idea is to use SNAT ONLY in those cases.
What is the most suitable event?
Thanks in advance
- nitass (Employee): Can you try this?
- hooleylist (Cirrostratus): Or you could add the IP ranges to an address-type datagroup and then use the class match command (v10) or the matchclass command (v9) to look up the client's destination address:
- Colin_Walker_12 (Historic F5 Account): Generally speaking, the class commands (v10) are going to be faster than multiple if comparisons, if performance is an issue. They're also far more scalable.
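The following iRule is an added example illustrating the two approaches discussed in the replies above (a per-range if comparison, and an address-type data group looked up with `class match`); it is not code posted by nitass, hooleylist or Colin, and nothing in it is F5's own reference implementation. Names that are assumptions rather than from the thread: the data group `intranet_nets`, the SNAT pool `public_snat`, and the tmsh command shown in the comments (v11+ syntax). The destination is read with `IP::local_addr` in `CLIENT_ACCEPTED`, which is the event where the SNAT decision has to be made because it fires before the server-side connection is opened; this assumes the iRule is attached to the wildcard or forwarding virtual server that carries the outbound traffic. The 172.172.172.0/24 range is treated as internal as well, which is an assumption about the poster's intent.

```tcl
# Added example (not from the original thread). Selective SNAT: translate the
# source address only when the destination is outside the internal networks.
#
# Assumptions (not stated in the thread):
#   - An address-type data group named "intranet_nets" holds the ranges that
#     must NOT be SNATed. On v11+ it can be created with (assumed tmsh syntax):
#       tmsh create ltm data-group internal intranet_nets type ip \
#           records add { 10.9.0.0/16 { } 172.172.172.0/24 { } }
#     On v10 create it in the GUI as an Address data group with the same entries.
#   - A SNAT pool named "public_snat" contains 200.201.202.5. Using a SNAT pool
#     (rather than a bare address) guarantees the BIG-IP owns the address and
#     answers ARP for it, so return traffic from the internet comes back.
#   - The rule is attached to the outbound wildcard/forwarding virtual server,
#     so [IP::local_addr] is the real destination the client dialed.

when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED runs before the server-side connection is built, which
    # is why the snat/snatpool decision belongs here.
    set dst [IP::local_addr]

    # v10 syntax. On v9 the equivalent lookup is:
    #   matchclass $dst equals $::intranet_nets
    if { [class match $dst equals intranet_nets] } {
        # Internal destination: keep the real client address so internal
        # ACLs and server logs still see who connected.
        snat none
    } else {
        # Internet-bound: present a public source so the firewall's
        # "any outbound from public nodes" rule applies. Log it, since this
        # path deliberately sidesteps the per-source firewall review.
        snatpool public_snat
        log local0. "selective SNAT: [IP::client_addr] -> $dst via public_snat"
    }
}

# ---------------------------------------------------------------------------
# Alternative iRule without a data group (the per-range if comparison the
# thread contrasts with class match). Use ONE of the two rules on a virtual
# server, not both; two handlers for the same event are not combined here.
# IP::addr with CIDR masks is the v10 form; check the IP::addr wiki page for
# the exact syntax on your version.
# ---------------------------------------------------------------------------
# when CLIENT_ACCEPTED {
#     set dst [IP::local_addr]
#     if { [IP::addr $dst equals 10.9.0.0/16] ||
#          [IP::addr $dst equals 172.172.172.0/24] } {
#         snat none
#     } else {
#         snatpool public_snat
#     }
# }
```

The data group version is the one to keep as the list of internal ranges grows: adding a network is a data group edit rather than an iRule change, and the lookup cost does not rise with the number of entries, which is Colin's point above. Whichever form is used, the addresses in `public_snat` are now a standing exception to the firewall's per-source policy, so the log line (or an equivalent connection log on the firewall side) is worth keeping so the security team can still see which private hosts are reaching the internet.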
- Damián_41877 (Nimbostratus): Thanks everybody
- Colin_Walker_12 (Historic F5 Account): Awesome, that's good news. Keep DC in mind if you've got more questions.