Forum Discussion
Arun_102398
Nimbostratus
Jun 02, 2010
subnet access to a proxy
We have a separate LB in our environment to load balance proxies on our network.
So, as part of it, we would like to restrict a particular subnet to access a separate proxy IP which is under a pool. So, we created an iRule. But it did not give the desired result. Below are the details of the rule:
Ex Internal subnet: 172.16.25.x
Ex Proxy IP: 216.64.12.215
Data group: poc_proxy_test, which has the internal subnet.
iRule as created.
------------------
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::poc_proxy_test] } {
            # IronPort Address
            node 216.64.12.215 [TCP::server_port]
        }
    }
2 Replies
- Michael_Yates
Nimbostratus
What were the unexpected results / behavior that you are trying to work around?
I'm guessing Port Translation?
I think that your problem is that you're trying to specify a connection to the server using [TCP::server_port]. You're trying to retrieve the port number to a node that you haven't established a connection with yet.
[TCP::server_port] = The serverside part of the LTM<->server connection.
I think that you should try changing it to use [TCP::client_port]. This would take the incoming connection port from the user (80, 443, etc) and send the traffic to the destination IP Address using that port.
[TCP::client_port] = The clientside part of the client<->LTM connection.
Another shortcut to that is to specify Port 0, which is the LTM's default 1 to 1 mapping for ports.

    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::poc_proxy_test] } {
            # IronPort Address
            node 216.64.12.215 0
        }
    }

- Arun_102398
Nimbostratus
Hi Mich,
I shall try and update asap.
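
The steering rule discussed in this thread, written out as an added example that is not part of the original posts. It assumes poc_proxy_test is an address-type data group holding the internal subnet, uses the `class match` command available from BIG-IP v10 in place of `matchclass` with `$::`, and takes the destination port from `TCP::local_port` (the port the client connected to on the virtual server); the log prefix is made up for illustration.

```tcl
# Added example, not code from the thread.
# Assumes poc_proxy_test is an address-type data group containing the
# internal subnet (172.16.25.x), as described in the question.
when CLIENT_ACCEPTED {
    # Port the client connected to on the virtual server (the listener port).
    set vs_port [TCP::local_port]

    if { [class match [IP::client_addr] equals poc_proxy_test] } {
        # Pin clients from the listed subnet to the IronPort proxy,
        # keeping the port they originally connected to.
        node 216.64.12.215 $vs_port
        # Hypothetical log prefix; remove the log lines once behaviour is confirmed.
        log local0.info "proxy-steer: [IP::client_addr] -> 216.64.12.215:$vs_port"
    } else {
        # No node or pool command here, so the virtual server's
        # default pool handles every other client.
        log local0.info "proxy-steer: [IP::client_addr] not in poc_proxy_test, default pool used"
    }
}
```

The two log lines land in /var/log/ltm and show, per connection, which branch was taken, which is the quickest way to confirm that only the intended subnet is being sent to the dedicated proxy.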
