Forum Discussion
SNAT to multiple addresses and ports
Hi Guys,
I have to create a SNAT rule to allow some hosts to access an external system, so they are hidden behind a NATed address.
I am planning to use virtual servers (Forwarding IP) for this, and the requirement is as below:
SourceIP1 ==> NAT1 to DEST1 & DEST2 on PORT1, PORT2 & PORT3
Now I have to configure more of those as below:
SourceIP2 ==> NAT2 to DEST1 & DEST2 on PORT1, PORT2 & PORT3
...
SourceIPn ==> NATn to DEST1 & DEST2 on PORT1, PORT2 & PORT3
You can see that it's a one-to-one mapping that goes to the same addresses and same ports; also, destination addresses 1 & 2 are not in the same network.
Is there any way I can do this with a reduced number of Virtual Servers? At the moment, if I don't want to open all ports to the destinations, I will be forced to create 6 entries just for one line, so for n lines I will need to create n*6 entries.
Is there any way I can achieve this with reduced creation of virtual servers while still maintaining strict rules (only open the ports that are required)?
I don't have much experience with F5 but I am willing to try out anything that could help achieve this.
Regards,
Fabou
1 Reply
- JRahm
Admin
You could do this with a simple iRule:

```tcl
when CLIENT_ACCEPTED {
    switch [TCP::local_port] {
        "80" -
        "8080" -
        "443" {
            if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] && ([IP::addr [IP::local_addr] equals 172.16.31.5] || [IP::addr [IP::local_addr] equals 172.16.30.5]) } {
                snat x.x.x.x
            }
        }
    }
}
```

As you add more, it would make sense to move the data to a data group and use the class command to extract it. You might format it like:
client_addr := snat_ip,dest_ip1,dest_ip2
so when you extract it based on client address, you can then get to each of the fields you need with the getfield command.
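Fleshing out the data-group approach described above, as an added example that is not code from the thread: the data group name `snat_map`, its sample entries and the SNAT addresses are assumed, and unmatched connections are rejected here so that only the listed source/destination/port combinations pass, rather than being left un-SNATed.

```tcl
# Data group "snat_map" (type: address), constructed for this example.
# key = client address, value = snat_ip,dest_ip1,dest_ip2
#   10.10.10.11 := 192.0.2.11,172.16.31.5,172.16.30.5
#   10.10.10.12 := 192.0.2.12,172.16.31.5,172.16.30.5
when CLIENT_ACCEPTED {
    # Only the ports the policy opens; anything else falls to "default".
    switch [TCP::local_port] {
        "80" -
        "8080" -
        "443" {
            # Look up the client; an empty result means this source has no entry.
            set entry [class match -value [IP::client_addr] equals snat_map]
            if { $entry eq "" } {
                reject
                return
            }
            # Fields are 1-based: snat_ip,dest_ip1,dest_ip2
            set snat_ip [getfield $entry "," 1]
            set dest1   [getfield $entry "," 2]
            set dest2   [getfield $entry "," 3]
            if { [IP::addr [IP::local_addr] equals $dest1] || [IP::addr [IP::local_addr] equals $dest2] } {
                # Per-source translation address from the data group
                snat $snat_ip
            } else {
                # Allowed port, but not an allowed destination for this source
                reject
            }
        }
        default {
            # Port is not in the allow-list
            reject
        }
    }
}
```

Adding a source then means adding one data group line rather than six virtual servers, and the port list stays in one place.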