Forum Discussion
SNAT PBR Irule
Hi, I am trying to replicate a Cisco PBR configuration in F5 LTM using an iRule. I have a condition: if Local_Client = 192.168.11.10 is trying to access Remote_Server = 192.168.12.10, I want to translate the source to SNAT_IP = 192.168.12.10.
I have to put the iRule on a forwarding virtual server that forwards traffic for all the inside clients to outside and vice versa. I just want to put the conditional SNAT for the Local_Client.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.168.11.10/32] } {
        if { [IP::addr [IP::remote_addr] equals 192.168.13.10/32] } {
            snat 192.168.12.10
        }
    }
}
I have tried it but it does not seem to work; I need your expert suggestions.
3 Replies
- Brad_Parker
Cirrus
I don't think CLIENT_ACCEPTED will work in this case since you are using a Forwarding (IP) VIP and the first packet will be sent to the destination before the three-way handshake is complete. What version are you running? If you are running 11.5+ you can create your Forwarding (IP) VIP with source and destination and just apply your SNAT to that VIP.
https://devcentral.f5.com/wiki/iRules.CLIENT_ACCEPTED.ashx
- WUM_113639
Nimbostratus
What does the IP Any profile do? I want to permit both TCP and UDP from source to destination, but when I select all protocols this profile (ipother) is getting applied, which according to the help means any traffic other than TCP & UDP?
- nitass
Employee
It seems that in the case of fastL4, CLIENT_ACCEPTED is triggered before the 3-way handshake finishes.
e.g.
snat 123.123.123.123 is a dummy one (invalid), so the 3-way handshake will never be established.

configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual norf
ltm virtual norf {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fastL4 { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 7
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        log local0. ""
        if { [IP::addr [IP::client_addr] equals 172.28.24.1/32] } {
            snat 123.123.123.123
        }
    }
    when SERVER_CONNECTED {
        log local0. ""
    }
}

trace

[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:54:12.913262 IP 172.28.24.1.56738 > 172.28.24.10.80: S 3457045251:3457045251(0) win 5840 in slot1/tmm0 lis=
11:54:12.913445 IP 123.123.123.123.56738 > 200.200.200.101.80: S 3457045251:3457045251(0) win 5840 out slot1/tmm0 lis=/Common/norf

/var/log/ltm

[root@ve11a:Active:In Sync] config cat /var/log/ltm
Dec 9 11:54:10 ve11a notice tmm1[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:35239
Dec 9 11:54:10 ve11a notice tmm[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:35239
Dec 9 11:54:12 ve11a info tmm[14890]: Rule /Common/qux :
Dec 9 11:54:18 ve11a notice tmm1[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:35239
Dec 9 11:54:18 ve11a notice tmm[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:35239
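Added example, not code from the original poster or from F5: a source-plus-destination conditional SNAT iRule for the Forwarding (IP) virtual server described in the question. The trace above shows CLIENT_ACCEPTED firing on the SYN under fastL4 with the snat already applied to the outbound packet, so the event is fine; the likely reason the posted rule never matched is that in the clientside context IP::remote_addr is the client's own address, so the destination test must use IP::local_addr. Addresses are those of the posted rule (Local_Client 192.168.11.10, destination 192.168.13.10, SNAT_IP 192.168.12.10).

```tcl
# Added example (not from the thread). Attach to the Forwarding (IP) VS that
# carries all inside-to-outside traffic; only the one flow below is rewritten.
when CLIENT_ACCEPTED {
    # Clientside context: IP::client_addr and IP::remote_addr are both the
    # client; the packet's destination is IP::local_addr. IP::server_addr is
    # not meaningful yet because no serverside connection exists.
    set client [IP::client_addr]
    set dest   [IP::local_addr]

    if { [IP::addr $client equals 192.168.11.10] &&
         [IP::addr $dest equals 192.168.13.10] } {
        # Matching flow: translate the source to the SNAT_IP from the question.
        snat 192.168.12.10
        # Log the decision so the translation can be audited in /var/log/ltm.
        log local0. "SNAT 192.168.12.10 applied for $client -> $dest"
    } else {
        # Every other flow keeps its original source address.
        snat none
    }
}
```

Verify the result the same way the trace above does: tcpdump on the outbound side should show the SYN leaving with source 192.168.12.10 only for 192.168.11.10 -> 192.168.13.10, and all other flows unchanged.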