For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

quickref_74249's avatar
quickref_74249
Icon for Nimbostratus rankNimbostratus
Oct 05, 2010

SNAT with Data group list

Hi,     i searched the forum already and according to the posts i found i can't find the problem with my setup.   We use source NAT per default in our environment. therfore we have created a ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Oct 14, 2010
If you're on 9.4.4 or higher, you should change the matchclass line to remove the $:: prefix from the datagroup name: 


    if {[matchclass [IP::client_addr] equals BAC]}{

You can also add another debug line inside the if statement to see which condition in the rule is being matched: 


rule BAC_NAT {
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
    if {[matchclass [IP::client_addr] equals BAC]}{
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched BAC datagroup, using AC_TEST snatpool"
      snatpool AC_TEST
     } else {
       log local0. "[IP::client_addr]:[TCP::client_port]: No BAC datagroup match, using ServerSNATpool snatpool"
      snatpool ServerSNATpool
    }
}
}

Aaron