Forum Discussion

Kirit_Patel_521
Dec 13, 2011

Wildcard virtual server for outbound and one to one SNAT problem

Folks,

I have a situation where I have defined a wildcard virtual server with 0.0.0.0 network and 0.0.0.0 mask with IP forwarding, which will basically allow every internal server to go outbound.

Now when I define a one-to-one SNAT for a particular server it does not work, meaning the one-to-one SNAT should take precedence over the wildcard. This is in 10.2.3.

Here is my config. So when I initiate traffic from server 172.16.12.40 I should see traffic coming out from 204.8.131.252, not the floating IP of the load balancer.

    virtual out-vip {
        ip forward
        snat automap
        destination any:any
        mask 0.0.0.0
    }

    snat out-204.8.131.252 {
        translation 204.8.131.252
        origins 172.16.12.40
        vlans VLAN12-T1-SandP enable
    }


  • Hamish
    Sounds logical as I believe the VS is hit before the separate SNAT is done. And as the VS has automap, the separate SNAT never gets hit because the server has already been SNAT'ed to the floating IP of the BigIP.

    You could work around this with an iRule on the VS. A nice simple one such as:

    when CLIENT_ACCEPTED {
        # Only the one origin gets the dedicated one-to-one translation
        if { [IP::addr [IP::client_addr] equals "172.16.12.40"] } {
            snat 204.8.131.252
            return
        }
        # Everyone else keeps the automap behaviour the VS used to provide
        snat automap
    }


    And remove the automap from the VS itself (because the iRule does it for you). You could play with the iRule a bit and get it to use a datagroup as well for the matching, to make it a bit more flexible when you want to change the IPs.
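The datagroup variant Hamish mentions, written out as an added example that is not from this thread. It assumes a hypothetical address-type data group named snat_origins whose records map an internal origin address to its public translation address; the data-group definition shown in the comment uses v11-style tmsh syntax, not the 10.2.3 bigpipe form used in the question.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# named snat_origins (hypothetical) whose records map an internal origin
# address to the public translation address, e.g. (v11-style tmsh):
#   ltm data-group internal snat_origins {
#       type ip
#       records {
#           172.16.12.40/32 { data 204.8.131.252 }
#       }
#   }
# Attach this iRule to the wildcard forwarding VS and remove "snat automap"
# from the VS itself, as Hamish suggests, so the iRule is the only place
# where the source translation is decided. The standalone SNAT object in the
# question is still never consulted for traffic that matches the VS.
when CLIENT_ACCEPTED {
    # Look up the client source address; -value returns the record's data
    # (the translation address) or an empty string when nothing matches.
    set xlate [class match -value [IP::client_addr] equals snat_origins]
    if { $xlate ne "" } {
        # Listed origin: use its one-to-one translation so the server keeps a
        # stable public address (useful for remote-side firewall allow lists).
        snat $xlate
    } else {
        # Everyone else keeps the floating self IP via automap.
        snat automap
    }
}
```

Adding or changing a mapping is then a data-group edit rather than an iRule edit, and the iRule does not need to be re-attached.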
  • "Sounds logical as I believe the VS is hit before the separate SNAT is done." I agree with Hamish.

    Just in case you have not yet seen this SOL:

    sol9038: The order of precedence for local traffic object listeners
    http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
    • kev_245_28249
      I wish this SOL mentioned SNAT vs IP Forward. If you have a 0.0.0.0/0 IP Forward and a SNAT configured, it doesn't talk about this scenario.