Dynamic 1:1 SNAT irule
Hi guys - looking for some feedback regarding my iRule for 1:1 dynamic NAT. E.g. we might use 10/8 on the client inside but then only have a /17 pool on the public outside. Although over-allocated, this works because not all of the 10/8 addresses are allocated at one time, and after an idle timeout the address is returned to the NAT pool for reuse. The clients can come from an address anywhere within 10/8, so we can't do a simple octet-for-octet swap as I've seen in some other iRule examples. We actually do this currently on our Cisco ASAs, e.g. http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078939
Basically a client from within subnet 10/8 will get dynamically allocated a 1:1 NAT until they finish using it for x time. So I've written this rule to handle that. As I'm still reasonably new to iRules I'm pretty sure it's not the most efficient way, so I'm interested in feedback and/or whether other people have tried to achieve something similar.
I've used subtables to store a client IP against a 1:1 SNAT address and use the idle timeout of the table as the dynamic SNAT timeout. If there is an existing entry in my client NAT table, it uses the returned value as the SNAT address. But if there isn't an entry in the client NAT table for that client, it then loops through my range of external IP addresses to look for a free IP in my NAT reservation table. When it finds a free SNAT address it reserves this for the client and adds an entry to the client NAT table, then SNATs the client as normal. Subsequent hits from that client will then use the existing entry in the client NAT table.
iRule attached.
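The allocation scheme the post describes, written out as an iRule. This is an added illustration, not the poster's attached rule: the 10.0.0.0/8 inside match, the 198.51.100.1-254 public range (a constructed TEST-NET range standing in for the /17), the 300 s idle timeout, the subtable names and the rotating start index are all assumptions chosen for the example. It also covers the two failure modes the post's description leaves open, namely two TMMs racing for the same free address and the pool running dry.

```tcl
# Added example, not the original post's attached iRule. Assumptions: inside clients
# are in 10.0.0.0/8, the public SNAT range is 198.51.100.1-198.51.100.254 (constructed;
# substitute your own /17), and a mapping is released after 300 s with no new
# connections from that client.
when RULE_INIT {
    set static::inside_net "10.0.0.0/8"
    set static::snat_first "198.51.100.1"
    set static::snat_last  "198.51.100.254"
    set static::snat_idle  300

    # Convert both ends of the range to 32-bit integers so the pool can be walked by
    # index. wide() keeps Tcl 8.4 (TMOS) from overflowing on first octets >= 128.
    scan $static::snat_first {%d.%d.%d.%d} a b c d
    set static::snat_base [expr {(wide($a) << 24) | ($b << 16) | ($c << 8) | $d}]
    scan $static::snat_last {%d.%d.%d.%d} a b c d
    set static::snat_count [expr {((wide($a) << 24) | ($b << 16) | ($c << 8) | $d) - $static::snat_base + 1}]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    # Only clients in the inside range are translated; anything else is left alone.
    if { ![IP::addr $client equals $static::inside_net] } { return }

    # Fast path: an existing mapping. Both lookups touch their entries, so every new
    # connection renews the idle timer on the client->public mapping and on the
    # public->client reservation together; renewing only one would let the
    # reservation expire first and hand the address to a second client.
    set snat_ip [table lookup -subtable client_nat $client]
    if { $snat_ip ne "" } {
        table lookup -subtable snat_reserve $snat_ip
        snat $snat_ip
        return
    }

    # Slow path: walk the pool for a free public address. Start after the address
    # handed out last so a busy box does not rescan the same low addresses for every
    # new client; if the counter ages out of the table the rotation simply restarts.
    set start [expr {[table incr snat_next] % $static::snat_count}]
    for { set i 0 } { $i < $static::snat_count } { incr i } {
        set n [expr {$static::snat_base + (($start + $i) % $static::snat_count)}]
        set cand [format "%d.%d.%d.%d" [expr {($n >> 24) & 255}] [expr {($n >> 16) & 255}] \
                                        [expr {($n >> 8) & 255}] [expr {$n & 255}]]

        # Skip addresses reserved by someone else; a stale reservation owned by this
        # client (mapping expired a moment before the reservation) is fine to reuse.
        set owner [table lookup -subtable snat_reserve $cand]
        if { $owner ne "" && $owner ne $client } { continue }

        # Reserve public->client first. table add only writes when the key is absent,
        # so two TMMs racing for the same address cannot both win: whichever one reads
        # its own address back after the add owns it, the other moves on.
        table add -subtable snat_reserve $cand $client $static::snat_idle
        if { [table lookup -subtable snat_reserve $cand] ne $client } { continue }

        table set -subtable client_nat $client $cand $static::snat_idle
        snat $cand
        return
    }

    # Over-allocation caught up with us: no free public address. Fail closed rather
    # than letting the connection out untranslated.
    log local0. "dynamic SNAT pool exhausted, rejecting $client"
    reject
}
```

Two things to check before using a rule like this in anger. The idle timer counts time since the client's last new connection through the rule, not the lifetime of flows already established, so set it no shorter than the virtual's TCP idle timeout or a long-lived session can outlive its mapping and a different client can inherit the public address while return traffic is still in flight. And the scan is still O(pool size) per unmapped client when the pool is nearly full, which is exactly when a box is busiest; `table keys -subtable snat_reserve -count` gives a cheap occupancy figure to alarm on well before that point.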