Forum Discussion
SNAT outbound connections from pool members to virtual server IP for a specific outbound port
I have a virtual server for inbound ftp connections
Virtual server: 1.1.1.1:21, using the standard FTP profile and source_addr persistence, 30 min timeout
Pool Members:
10.0.0.10:21
10.0.0.11:21
I also have a wildcard IP forwarding virtual server to enable full routing on the LTM:
destination: 0.0.0.0
source: 0.0.0.0
How can I SNAT outbound FTP connections from 10.0.0.10 and 10.0.0.11 (originating from the pool members on the standard FTP control port 21, with ftp-data on port 20) to the virtual server IP 1.1.1.1, and allow all other outbound connections to pass normally without being SNATed?
Can this be done via an "Intelligent SNAT" / iRule on the wildcard IP forwarding virtual server?
Any help would be greatly appreciated
16 Replies
- Andy_McGrath
Cumulonimbus
No, the 'Source' value is only the IP subnet, not the port. The following iRule will monitor the client port (in this case the FTP server port) and uses 'switch' instead of lots of 'elseif' statements.
when CLIENT_ACCEPTED {
    # Client port is the source port of the connecting host, i.e. the FTP server's port
    if { [TCP::client_port] == 21 || [TCP::client_port] == 22 } {
        switch -- [IP::addr [IP::client_addr] mask 255.255.255.255] {
            "10.0.0.10" { snat 172.18.1.1 }
            "10.0.0.11" { snat 172.18.1.1 }
            "10.0.0.12" { snat 172.18.1.2 }
            "10.0.0.13" { snat 172.18.1.2 }
            "10.0.0.14" { snat 172.18.1.3 }
            "10.0.0.15" { snat 172.18.1.3 }
        }
    }
}
Having said that, is this for return traffic from FTP server to client?
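An iRule that does what the original question asks, added here as an example and not taken from any post in this thread: attached to the wildcard IP forwarding virtual server, it SNATs only TCP connections from 10.0.0.10 and 10.0.0.11 whose source port is 21 (control) or 20 (active-mode data) to 1.1.1.1 and leaves every other connection untranslated. It assumes the forwarding virtual server has no SNAT of its own configured and that 1.1.1.1 is usable as a SNAT address on this LTM (for example through a SNAT pool).

```tcl
# Added example (not from the thread). Assumes it is attached to the
# 0.0.0.0 -> 0.0.0.0 IP forwarding virtual server and that 1.1.1.1 is a
# valid SNAT address on this LTM.
when CLIENT_ACCEPTED {
    set do_snat 0

    # The forwarding virtual passes all IP protocols, so only consult
    # TCP:: commands when the connection is actually TCP (protocol 6).
    if { [IP::protocol] == 6 } {
        # From the LTM's point of view the FTP server is the client, so its
        # listening port (21) or active-mode data port (20) is the client port.
        set src_port [TCP::client_port]
        if { $src_port == 21 || $src_port == 20 } {
            switch -- [IP::client_addr] {
                "10.0.0.10" -
                "10.0.0.11" { set do_snat 1 }
            }
        }
    }

    if { $do_snat } {
        # Outbound FTP from the pool members leaves as the virtual server IP
        snat 1.1.1.1
    } else {
        # Everything else keeps its original source address
        snat none
    }
}
```

Because the match is on the source port, a pool member's ordinary client traffic (random high source ports) is never SNATed even when it goes to a remote port 21.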
- JohnQuintas_910
Nimbostratus
Can I have multiple IP forwarding virtual servers if I have a wildcard source / wildcard destination / wildcard port in place already?
(1) IP forwarding virtual server 1 - source: 0.0.0.0, destination: 0.0.0.0, any port (already in place to allow full routing)
(2) IP forwarding virtual server 2 - source: 10.0.0.0/24, destination: 0.0.0.0, port 21 with the following irRule applied:
when CLIENT_ACCEPTED {
    if { [TCP::client_port] == 21 } {
        switch -- [IP::addr [IP::client_addr] mask 255.255.255.255] {
            "10.0.0.10" { snat 172.18.1.1 }
            "10.0.0.11" { snat 172.18.1.1 }
            "10.0.0.12" { snat 172.18.1.2 }
            "10.0.0.13" { snat 172.18.1.2 }
            "10.0.0.14" { snat 172.18.1.3 }
            "10.0.0.15" { snat 172.18.1.3 }
        }
    }
}
(3) IP forwarding virtual server 3 - source: 10.0.0.0/24, destination: 0.0.0.0, port 22 with the following iRule applied:
when CLIENT_ACCEPTED {
    if { [TCP::client_port] == 22 } {
        switch -- [IP::addr [IP::client_addr] mask 255.255.255.255] {
            "10.0.0.10" { snat 172.18.1.1 }
            "10.0.0.11" { snat 172.18.1.1 }
            "10.0.0.12" { snat 172.18.1.2 }
            "10.0.0.13" { snat 172.18.1.2 }
            "10.0.0.14" { snat 172.18.1.3 }
            "10.0.0.15" { snat 172.18.1.3 }
        }
    }
}