Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Kirit_Patel_521's avatar
Kirit_Patel_521
Icon for Nimbostratus rankNimbostratus
Dec 13, 2011

Wildcard virtual server for outbound and one to one SNAT problem

Folks     I have a situation where I have defined wildcard virtual server with 0.0.0.0 network and 0.0.0.0 mask with IP forwarding which will basically allow every server internal to go outbound...
config
design
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Dec 13, 2011
Sounds logical as I believe the VS is hit before the separate SNAT is done. And as the VS has automap, the separate SNAT never gets hit because the server has already been SNAT'ed to the floating IP of the BigIP.

You could work around this with an iRule on the VS. A nice simple one such as 


when CLIENT_ACCEPTED {
    if { [IP:addr [IP::client_addr] equals "172.16.12.40"] } {
      snat 204.8.131.252
      return
   }
  snat automap
}

And remove the automap from the VS itself (Because the iRule does it for you. You could play with the iRule a bit and get it to use a datagroup as well for the matching... make it a bit more flexible when you want to change the IP's...