Forum Discussion

daveclark_20228
Jun 03, 2009

Trying to get a SNAT irule to work

Hello all, I am hoping one of you very helpful people will be able to help me get this working. I am not a programmer, and only just starting to learn about TCL and iRules.

I have an iRule I want to use to SNAT a server (same as a VIP bounce back, but I need to match on port as well).

Here is my iRule; it accepts the syntax but does not work.

 

    when CLIENT_ACCEPTED {
        if {[matchclass [IP::client_addr] equals $::UAT_Symba_SNAT1] and ([matchclass [TCP::local_port] equals $::UAT_Symba_Port])}{
            snat x.x.x.175
        } elseif {[matchclass [IP::client_addr] equals $::UAT_Symba_SNAT2] and ([matchclass [TCP::local_port] equals $::UAT_Symba_Port])}{
            snat x.x.x.176
        } else {
            # don't do any source address translation
            forward
        }
    }

 

I have modified this rule, which works fine as two iRules. I am looking for a way of combining the two iRules below into one.

 

    when CLIENT_ACCEPTED {
        # check if client_addr = any in the class
        if { [matchclass [IP::client_addr] equals $::XAT_Symba_SNAT1]} {
            # check if the class contains the server_port requested
            if { [matchclass [TCP::local_port] equals $::XAT_Symba_Port]} {
                # snat using this snat pool
                snat X.X.X.175
            } else {
                # don't do any source address translation
                forward
            }
        }
    }

    when CLIENT_ACCEPTED {
        # check if client_addr = any in the class
        if { [matchclass [IP::client_addr] equals $::XAT_Symba_SNAT2]} {
            # check if the class contains the server_port requested
            if { [matchclass [TCP::local_port] equals $::XAT_Symba_Port]} {
                # snat using this snat pool
                snat X.X.X.176
            } else {
                # don't do any source address translation
                forward
            }
        }
    }

 

Thanks for any help or advice
  • What about

     
     when CLIENT_ACCEPTED {
         if {([matchclass [IP::client_addr] equals $::UAT_Symba_SNAT1]) && ([matchclass [TCP::local_port] equals $::UAT_Symba_Port])} {
             snat x.x.x.175
         } elseif {([matchclass [IP::client_addr] equals $::UAT_Symba_SNAT2]) && ([matchclass [TCP::local_port] equals $::UAT_Symba_Port])} {
             snat x.x.x.176
         } else {
             # don't do any source address translation
             forward
         }
     }
      
     
  • Thanks

     

     

    I got this working before the reply with this

        when CLIENT_ACCEPTED {
            # if client_addr equals and server ports equals
            if {[IP::addr [IP::client_addr] equals a.a.a.203] and [TCP::local_port] equals 25010} {
                # snat using this snat address as a source address
                snat b.b.b.b
            } else {
                # if client_addr equals and server ports equals
                if {[IP::addr [IP::client_addr] equals c.c.c.204] and [TCP::local_port] equals 25010} {
                    # snat using this snat address as a source address
                    snat d.d.d.d
                } else {
                    # don't do any source address translation and forward
                    forward
                }
            }
        }

    Thanks for your help. What a great forum, better than the response from F5, "limited support for iRules", but he did agree to look at the rule for me.

     

     

    Thanks again Cmbhatt