Michael_Earnhar
Historic F5 Account

Problem this snippet solves:

According to Solution 9933 on AskF5, NAT and SNAT objects do not translate traffic between route domains. This limitation is awkward to work around, but the following is an effective way to get NAT and SNAT behaviour on LTM v10.0.x when route domains are in use: an IP-forwarding virtual server plus an iRule that applies the translation per source address from a data group.

How to use this snippet:

Dependencies

This iRule depends on a single data group (class) of type String named iSnat_List, plus at least one virtual server for SNAT only, or two if you also want inbound NAT functionality.

Example Class

Class definition in BIG-IP

class iSnat_List {
   type string
   filename "/var/class/iSnat_List"
   }
   

Class file contents, one entry per line: "<Source IP in IPv4%RD notation>" := "<SNAT IPv4%RD>",

[root@b3400-2:Active] config # cat /var/class/iSnat_List
"10.1.161.21%1101" := "10.2.161.21%1102",
"10.1.161.22%1101" := "10.2.161.22%1102",

Example Snat Forwarding Virtual

virtual outbound-snat {
   ip forward
   destination any%1101:any
   mask 0.0.0.0
   rules iSnat_RD
   vlans external enable
}

Example NAT Inbound Virtual with Pool

virtual inbound-NAT-10.2.161.21 {
   pool inbound-NAT-10.2.161.21
   destination 10.2.161.21%1102:any
   vlans internal enable
}
pool inbound-NAT-10.2.161.21 {
   monitor all gateway_icmp
   members 10.1.161.21%1101:any {}
}

Code :

rule iSnat_RD {
   when CLIENT_ACCEPTED {
      # Look up the client source address (in IPv4%RD form) in the iSnat_List
      # data group; the value is the SNAT address, whose %RD suffix names the
      # route domain the connection should be moved into.
      set entry [class search -value iSnat_List equals [IP::client_addr]]
      if { $entry ne "" } {
         # Translate the source to the mapped SNAT address.
         snat $entry
         # Keep the original destination IP, but place it in the route domain
         # of the SNAT address so the connection is routed there.
         node [getfield [IP::local_addr] "%" 1]%[getfield $entry "%" 2]
         #log local0. "snating src-ip [IP::client_addr] to $entry to node [getfield [IP::local_addr] "%" 1]%[getfield $entry "%" 2]."
      } else {
         # No mapping: the IP-forwarding virtual still forwards the connection
         # inside the client's own route domain, so this branch only logs.
         log local0. "no Snat found for [IP::client_addr]"
      }
   }
}
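One thing to be aware of with the rule above: when a source address has no entry in iSnat_List, the else branch only writes a log line, and the ip-forward virtual still forwards the connection unchanged within the client's route domain, and every such connection produces a log entry. If the data group is meant to be the list of sources allowed to cross route domains, that is a fail-open behaviour. The following is an added example, not part of the original snippet, showing a fail-closed variant of the same lookup. It assumes the iSnat_List data group and the outbound-snat virtual exactly as defined on this page, BIG-IP v10 iRule syntax, and a hypothetical rule name and static:: tunable chosen here for illustration:

```tcl
# Added example, not the original iSnat_RD rule. Assumes the iSnat_List data
# group from this page and a virtual of the same "ip forward ... destination
# any%1101:any" shape. Rule name and static::isnat_reject_unmapped are
# hypothetical names chosen for this example.
rule iSnat_RD_strict {
   when RULE_INIT {
      # 1 = reject sources with no mapping instead of forwarding them unchanged
      set static::isnat_reject_unmapped 1
   }
   when CLIENT_ACCEPTED {
      set src [IP::client_addr]
      set entry [class search -value iSnat_List equals $src]

      if { $entry eq "" } {
         # In the original rule this case is only logged and the connection is
         # still forwarded inside the client's route domain (fail-open).
         if { $static::isnat_reject_unmapped } {
            reject
            log local0. "no SNAT mapping for $src, connection rejected"
         } else {
            log local0. "no SNAT mapping for $src, forwarded without translation"
         }
         return
      }

      # The value must look like <IPv4>%<RD>; anything else would produce a
      # malformed node address. scan returns the number of conversions made.
      if { [scan $entry {%[0-9.]%%%d} snat_ip snat_rd] != 2 } {
         log local0. "malformed iSnat_List entry '$entry' for $src, connection rejected"
         reject
         return
      }

      # Same translation as the original rule: SNAT to the mapped address and
      # keep the original destination IP, moved into the SNAT's route domain.
      snat $entry
      set dst [getfield [IP::local_addr] "%" 1]
      node ${dst}%${snat_rd}
   }
}
```

The `scan` check guards against a typo in /var/class/iSnat_List (a value without a `%RD` suffix, for example) turning into a bad `node` call at connection time rather than being noticed in the log; the `reject` on a miss makes an unlisted source visible as a connection failure instead of a silently forwarded flow.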
Version history
Last update: 18-Mar-2015 15:00