For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

David_Noonan_67's avatar
David_Noonan_67
Icon for Nimbostratus rankNimbostratus
Apr 26, 2011

SNAT selected source addresses on a VS

We have a VS that does NOT include SNAT. Our issue is that some of the backend servers also need to use the VS and as they're on the same subnet as the VS pool servers that doesn't work without SNAT....
application delivery
dev
devops
iRules
Michael_Yates's avatar
Michael_Yates
Icon for Nimbostratus rankNimbostratus
Apr 26, 2011
I think that you will need to change from [IP::local_addr] to [IP::remote_addr]

IP::local_addr - When called in a clientside context, this command returns the IP address of the virtual server the client is connected to.

IP::remote_addr - Returns the IP address of the host on the far end of the connection.

Other methods are shown here: http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html

We created an iRule that does the same / similar behavior but used Data Groups to contain all of the BigIP Networks. That way the iRule could be used on any Virtual Server. You could do something similar and use a specify a SNAT Pool. 


when CLIENT_ACCEPTED {
if { [class match [IP::remote_addr] equals mynetwork] } {
snat automap
}
}