Forum Discussion
SNAT outbound connections from pool members to virtual server IP for a specific outbound port
I have a virtual server for inbound ftp connections
Virtual server: 1.1.1.1:21, using the standard FTP profile and source_addr persistence, 30 min timeout
Pool Members:
10.0.0.10:21
10.0.0.11:21
I also have a wildcard IP forwarding virtual server to enable full routing on the LTM:
destination: 0.0.0.0
source: 0.0.0.0
How can I SNAT outbound FTP connections from 10.0.0.10 and 10.0.0.11 (originating from the pool members on the standard FTP control port 21, with ftp-data on port 20) to the virtual server IP 1.1.1.1, and allow all other outbound connections to pass normally without being SNATed?
Can this be done via an "Intelligent SNAT" / iRule on the wildcard IP forwarding virtual server?
Any help would be greatly appreciated
16 Replies
- alex100
Cirrostratus
Hi John, you need to create a SNAT List.
1. Go to Local Traffic > Address Translation > SNAT List
2. Create a new SNAT List with the following configuration:
   Translation | IP Address | 1.1.1.1
   Origin | Address List
3. Add 10.0.0.10 and 10.0.0.11 to the Address List. Update.
The SNAT List will be applied to all matching outbound connections. It doesn't need to be associated with a VS.
- JohnQuintas_910
Nimbostratus
But I only want to SNAT outbound FTP connections (port 21 and port 20), not SNAT everything sourced from 10.0.0.10 and 10.0.0.11
- anujl_5566
Nimbostratus
https://devcentral.f5.com/questions/snat-irule-based-on-client-ip-address
You will need something like the above.
- Andy_McGrath
Cumulonimbus
Think you will need an iRule like this to identify the client IP and TCP port for each outbound connection:
when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port of the outbound connection as seen by the LTM
    if { [TCP::local_port] == 21 || [TCP::local_port] == 22 } {
        if { [IP::addr [IP::client_addr] equals 10.0.0.10] } {
            snat 172.18.1.1
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.11] } {
            snat 172.18.1.1
        }
    }
}
- JohnQuintas_910
Nimbostratus
Does this syntax look correct? I have a few more pairs of IPs that need SNATs...
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 21 || [TCP::local_port] == 22 } {
        # each pair of source addresses shares one translation address
        if { [IP::addr [IP::client_addr] equals 10.0.0.10] } {
            snat 172.18.1.1
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.11] } {
            snat 172.18.1.1
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.12] } {
            snat 172.18.1.2
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.13] } {
            snat 172.18.1.2
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.14] } {
            snat 172.18.1.3
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.15] } {
            snat 172.18.1.3
        }
    }
}
- JohnQuintas_910
Nimbostratus
Or is there a way to do this with a specific IP forwarding VIP (without using iRules on the wildcard IP forwarding VIP)?
- Stanislas_Piro2
Cumulonimbus
Hi,
First, when creating a forwarding VS, create a specific VS for FTP:
VS_OUT_FTP
- Type Standard
- Destination 0.0.0.0/0
- profile ftp
- translate disable (default when creating a VS with a network destination)
- Pool none
This will allow FTP dynamic port to be handled as FTP Data connection.
After that, you can create the irule with switch instead of if, elseif, elseif, ..
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        "10.0.0.10" -
        "10.0.0.11" { snat 172.18.1.1 }
        "10.0.0.12" -
        "10.0.0.13" { snat 172.18.1.2 }
        "10.0.0.14" -
        "10.0.0.15" { snat 172.18.1.3 }
    }
}
- Brad_Parker_139
Nacreous
You could create your VIP with dest 0.0.0.0:21 and source 10.0.0.10/31 and apply your SNAT pool to it. And then the same for port 20.
- Stanislas_Piro2
Cumulonimbus
FTP data in active mode is not Client (port dynamic) --> server (port 20) but server (port 20) --> Client (port dynamic)
- Brad_Parker_139
Nacreous
Very true, your FTP profile solution is more appropriate so the data channel is "known" by the LTM
- JohnQuintas_910
Nimbostratus
So, you can create an IP forwarding rule for an AnyIP:21 destination from a SingleIP:21 source?
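Putting the thread's pieces together (Stanislas's VS_OUT_FTP listener carrying the ftp profile, and the switch-based SNAT selection), the following iRule is an added example written for this edit, not code posted by any participant. It assumes VS_OUT_FTP is a Standard virtual server with destination 0.0.0.0/0 and port any (so the port check happens in the iRule), the ftp profile attached and no SNAT pool configured; the source-address pairs and the 172.18.1.x translation addresses are the ones used in the thread, and the original question's 1.1.1.1 would go in the same place. Only connections to the FTP control port 21 are SNATed; everything else on the listener is forwarded with the pool member's own source address.

```tcl
when CLIENT_ACCEPTED {
    # Added example for a hypothetical VS_OUT_FTP: destination 0.0.0.0/0,
    # port any, ftp profile attached, no SNAT pool. Not code from the thread.

    # Anything that is not an FTP control connection leaves with its own
    # source address. TCP::local_port is the destination port the pool
    # member connected to, as seen from the LTM.
    if { [TCP::local_port] != 21 } {
        snat none
        return
    }

    # Map each pair of pool members to its translation address. A "-" body
    # makes the pattern fall through to the next one's body.
    switch [IP::client_addr] {
        "10.0.0.10" -
        "10.0.0.11" { snat 172.18.1.1 }
        "10.0.0.12" -
        "10.0.0.13" { snat 172.18.1.2 }
        "10.0.0.14" -
        "10.0.0.15" { snat 172.18.1.3 }
        default {
            # Unlisted source: forward untouched rather than apply a SNAT
            snat none
        }
    }
}
```

The iRule only decides the control channel. As the thread notes, in active mode the remote server opens the data connection from its port 20 toward the client's dynamic port, so a 0.0.0.0:20 listener never matches it; the ftp profile on VS_OUT_FTP is what ties that data connection to its control connection and reverses the translation.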