SRC and DST Match Irule for NATting

Sorry but I'm rather confused by what is in the DG_DEST Data Group and your logic here. So, if our client source IP matches DG_SRC we move on to checking for what against DG_DEST? The destination IP? If so, then you are still using the client source IP address for your check and it will always fail the check.

You are right, I have made the change by using IP::local_addr as the destination IP. I am still unsure on how to set the snatpoolname to the value in DG_DEST though

 

 

when CLIENT_ACCEPTED {

 

This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST

 

and then snat to the snatpool defined in DG_DEST as the value corresponding to the name.

 

if { [class match [IP::client_addr] equals "DG_SRC" ] } {

 

if { [set snatpoolname [class match [IP::local_addr] equals "DG_DEST" ]] } {

 

log local0. "Got Natted to $snatpoolname"

 

snatpool $snatpoolname

 

}

 

}

 

else { forward

 

log local0. "NOT GETTING NATTED !!!"

 

}

 

}

Try this;

when CLIENT_ACCEPTED {
 This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
 and then snat to the snatpool defined in DG_DEST as the value corresponding to the name.
 if { [class match [IP::client_addr] equals "DG_SRC" ] } {
  set snatpoolname [class match -value [IP::local_addr] equals "DG_DEST" ]]
  if { not $snatpoolname equals "" } {
    log local0. "Got Natted to $snatpoolname"
   snatpool $snatpoolname
   return
   }
 }
 else { forward
log local0. "NOT GETTING NATTED !!!"
}
}

With a bit of modification to the iRule to get it working properly, the matching part between the two DG's are working perfectly. However, if a SRC IP initiates that is not in the DG_SRC, it does not go to the else statement.

when CLIENT_ACCEPTED {
 This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
 and then snat to the snatpool defined in DG_DST as the value corresponding to the name.
 if { [class match [IP::client_addr] equals "DG_SRC" ] } {
  set snatip [class match -value [IP::local_addr] equals "DG_DST" ]]
  if { not ($snatip equals "") } {
   log local0. "[IP::client_addr] going to [IP::local_addr] got Natted to $snatip"
   snat $snatip
   }
 }
 else { forward
log local0. "[IP::client_addr] going to [IP::local_addr] did NOT get Natted!!!"
}
}

 

Can you remove the 'forward' command. If that doesn't work, add a bit more logging and another 'else' statement like so;

when CLIENT_ACCEPTED {
 This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
 and then snat to the snatpool defined in DG_DST as the value corresponding to the name.
 if { [class match [IP::client_addr] equals "DG_SRC" ] } {
  set snatip [class match -value [IP::local_addr] equals "DG_DST" ]]
  if { not ($snatip equals "") } {
   log local0. "[IP::client_addr] going to [IP::local_addr] got Natted to $snatip"
   snat $snatip
   return
   }
   else
   log local0. "SNAT IP was empty"
 }
 else {
log local0. "[IP::client_addr] going to [IP::local_addr] did NOT get Natted!!!"
}
}

here is what I get from the log file, after I made the changes you suggested.

 

 

Rule iRule_nat_src_dst : 10.250.x.x going to 10.10.xx.xxx got Natted to ]

 

Rule iRule_nat_src_dst : 10.250.x.x going to 173.xxx.x.xx got Natted to 212.xxx.xxx.xxx]

 

Rule iRule_nat_src_dst : 10.250.x.x going to 173.xxx.x.xx got Natted to 212.xxx.xxx.xxx]

 

 

the first line is an IP that will not be in the destination DG, yet, instead of not NATting it, it does.

Ah, remove one of the ']'s on this line: set snatip [class match -value [IP::local_addr] equals "DG_DST" ]] <<<<

lol .. funny how something that obvious can be so easily missed. Working like a charm now! Many thanks

Happens all the time. Glad it's working and you're welcome.