Forum Discussion
SNAT using specific IP based on the client IP range
I'm needing to use an iRule to determine if a client connection comes from IP 10.1.0.0/25 then SNAT using a specific IP instead of the default AutoMap SNAT IP. I found the iRule below and have tried several variations of it, to no avail. I'm running 11.6.0 HF6 on a test LTM. I can't even save the iRule below without getting errors, even though the iRule below, as I mentioned, is just a starting point. Also, I'm not good at iRules so I'm not trying to get complicated.
This is the iRule I used as my starting point:
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.0.0.1] { snat 172.18.1.1 } elseif { [IP::addr [IP::client_addr] equals 10.0.0.2] } }{ snat 172.18.1.2 } elseif { [IP::addr [IP::client_addr] equals 10.0.0.3] } }{ snat 172.18.1.3 } }
This is essentially what I would like to accomplish:
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.1.0.0/25] { snat 10.1.5.5 } }
I'm assuming, in my example above, that if my client IP does NOT equal 10.1.0.0/25 then it would NOT SNAT using 10.1.5.5 and instead would default to the configured AutoMap IP. This is basically what I'm trying to accomplish.
To put it another way, if my client comes from within my organization, I want to SNAT using IP A, if my client comes from outside my organization, I want to snat using IP B.
7 Replies
Here is an example:
if { [IP::addr [IP::client_addr] equals 10.1.0.0/25] } {
    snat 10.1.5.5
} else {
    snat automap
}
If it is OK for you, you can use two VS with the same destination IP, same port, but different source addresses, one with 10.1.0.0/25 and the other with 0.0.0.0/0. The most specific will match first if the client comes from 10.1.0.0/25; the less specific will match other connections. You can then play with the SNAT setting without an iRule.
- Jose_Nelson_206
Nimbostratus
Amine, Thank you for this suggestion. It may indeed be something I can use in the future. I'll have to try it in my test environment. For the time being I will need to stick to finding an iRule method.
- Kevin_Davies_40
Nacreous
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.1.0.0/25] } {
        snat 10.1.5.5
    }
}
- Kevin_Davies_40
Nacreous
You were close, just missing a close brace at the end of the if condition.
- Jose_Nelson_206
Nimbostratus
Thank you Kevin for tidying up. I'm going to accept James Lee's answer since it initially led me in the correct direction. Below is what I ended up with that does what I need. Thank you both!
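when CLIENT_ACCEPTED {
    # Clients inside 10.1.0.0/25 are translated to 10.1.5.5
    if { [IP::addr [IP::client_addr] equals 10.1.0.0/25] } {
        snat 10.1.5.5
    } else {
        # "else" must sit on the same line as the closing brace of the if body
        snat 10.1.5.6
    }
}
- Kevin_Davies_40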
Nacreous
Sure mate. Glad to help anytime :-)
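The same selection driven by a data group, as an added example that is not from the thread or from F5: it generalizes the if/elseif chain in the question so that further client ranges are added as data group records rather than as iRule edits. The data group name snat_by_client_net and its contents are assumptions.

```tcl
# Added example, not code from the thread.
# Assumes an address-type data group named snat_by_client_net (hypothetical
# name) whose records map a client network to the SNAT address to use, e.g.
#   10.1.0.0/25 := 10.1.5.5
when CLIENT_ACCEPTED {
    # class match -value returns the value stored on the matching record,
    # or an empty string when no record contains the client address.
    set snat_ip [class match -value [IP::client_addr] equals snat_by_client_net]

    if { $snat_ip ne "" } {
        # Client is in a listed range: use the SNAT address from the record.
        snat $snat_ip
    } else {
        # Client is not in any listed range: keep the AutoMap behaviour.
        snat automap
    }

    # Log the decision so the chosen translation can be checked in /var/log/ltm
    # while testing; remove once the behaviour is confirmed.
    if { $snat_ip eq "" } { set snat_ip "automap" }
    log local0. "SNAT choice for [IP::client_addr]: $snat_ip"
}
```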