For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nat_Thirasuttakorn's avatar
Nat_Thirasuttakorn
Icon for Employee rankEmployee
Jan 25, 2005

use rule to configure destination address translation

Hi all,

 

 

is it possible to use rule to control destination address translation

 

for example,

 

 

if uri = *.f5.com

 

no address translation

 

pool proxy1

 

 

else

 

pool proxy2

 

 

 

usually, we can only configure to enable or disable destination address translation in virtual server...
application delivery
dev
devops
iRules

6 Replies

  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Jan 26, 2005
    There currently is not a rule command to disable/enable NAT. I have added a request for this command.

     

     

    However, you can currently disable the NAT on the pool and then select between the different pools.

     

  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Jan 26, 2005
    Yes, you can configure it on the pool.

     

     

    In the GUI, make sure you select Advanced on the Pool page and then you will see the disable NAT attribute.

     

     

    On bigpipe, you should be able to do the following:

     

     

    bigpipe pool poolB nat disable

     

  • Erick_Hammersm1's avatar
    Erick_Hammersm1
    Historic F5 Account
    Feb 07, 2005
    Disabling NAT on a pool will prevent the source IP addresses of connections load balanced through that pool from being translated by a NAT, just as disabling SNAT on a pool will prevent the source IP addresses of connections load balanced through that pool from being translated by a SNAT.

     

     

    Is there an iRule command to disable destination address translation? Something equivalent to "translate addr disable" on the VIP?
  • rapmaster_c_127's avatar
    rapmaster_c_127
    Historic F5 Account
    Feb 07, 2005
    [blockquote] Disabling NAT on a pool will prevent the source IP addresses of connections load balanced through that pool from being translated by a NAT [/blockquote]

     

     

    Not in v9. Disabling NAT on a pool in v9 prevents the destination address from being translated. We probably should have called it "DNAT".

     

     

    So, to summarise

     

     

    v4.x terminology:

     

     

    "SNAT" : "Stateful/Secure" NAT, source address translation.

     

    "NAT" : stateless NAT, source address translation.

     

     

    v9 terminology:

     

     

    "SNAT" : "Source" NAT.

     

    "NAT" : Destination NAT.

     

     

    All entities in v9 are stateful in the interests of security, unless loose initiations/closes are enabled in the fastL4 profile. (And even then it's stateful under the covers.)
  • janholtz's avatar
    janholtz
    Icon for Altostratus rankAltostratus
    Oct 07, 2010
    Easy

     

    Create another virtual server which DOES have address / port translation enabled. (Fast L4 works fine)

     

    Then select this vs with "virtual"

     

    eg:

     

    Heres an iRule that makes a certain non-intercepting proxy (polipo) work in intercepting mode:

     

     

     

    when HTTP_REQUEST {

     

    if { ![IP::addr [IP::client_addr] equals 192.168.101.180]} {

     

    set httphost [HTTP::host]

     

    set httpuri [HTTP::uri]

     

    set request "http://$httphost$httpuri"

     

    log local0. "request $request"

     

    HTTP::uri $request

     

    virtual vs_proxy

     

    }

     

    }

     

     

     

     

    Jan

     

    'Aut Viam Inveniam Aut Faciam'

     

    Holtzhausen