
SNAT based on source and destination

Edouard
Cirrus

Greetings,

I am working on a Forwarding (IP) VS.

I have used the following:

when CLIENT_ACCEPTED {
    # SNAT VPN-SUBNET clients only when the remote address is in APP1
    if { [class match [IP::client_addr] equals VPN-SUBNET] } {
        if { [class match [IP::remote_addr] equals APP1] } {
            snat 10.13.0.25
        }
    } else {
        forward
    }
}

And also this one:

when CLIENT_ACCEPTED {
    # Same two conditions combined into a single test
    if { [class match [IP::client_addr] equals VPN-SUBNET] and [class match [IP::remote_addr] equals APP1] } {
        snat 10.13.0.25
    } else {
        forward
    }
}

Both of them do not work. There is no error while building the policy; the traffic just does not get SNATed to 10.13.0.25.

This one works, but it SNATs all the traffic to 10.13.0.25, and I need it only for a specific destination:

when CLIENT_ACCEPTED {
    # SNAT every connection from a VPN-SUBNET client, whatever the destination
    if { [class match [IP::client_addr] equals VPN-SUBNET] } {
        snat 10.13.0.25
    } else {
        forward
    }
}

Could you advise how to SNAT from a specific source and destination?

Thanks,

Edouard.

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee

The problem you have is that in CLIENT_ACCEPTED, IP::client_addr and IP::remote_addr are the same IP address.

> IP::remote_addr

> Description

> Returns the IP address of the host on the far end of the connection.

> In the clientside context, this is the client IP address.

You can check IP::server_addr, but I'm not entirely sure it will be valid in context.

You probably need a specific virtual server for the required destination, and can then apply the SNAT for some specific client IP addresses.


Edouard
Cirrus

OK, let me see the option of a specific VS.
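
An added iRule sketch, not part of the thread and not F5's own code, that builds on the accepted answer: in CLIENT_ACCEPTED the address the client connected to is read with IP::local_addr, while IP::remote_addr returns the client. It reuses the poster's VPN-SUBNET and APP1 data groups and SNAT address, assumes a wildcard forwarding virtual server, and the log line is an added debugging aid.

```tcl
when CLIENT_ACCEPTED {
    # Clientside context: IP::client_addr and IP::remote_addr both return the
    # client address, so testing remote_addr against APP1 tests the client,
    # not the destination.
    # IP::local_addr returns the address the client connected to, which on a
    # wildcard forwarding virtual server is the packet's destination.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Debug aid (added here): confirm what each command returns, then remove.
    log local0. "client=$src remote=[IP::remote_addr] local=$dst"

    if { [class match $src equals VPN-SUBNET] and [class match $dst equals APP1] } {
        # Source in VPN-SUBNET and destination in APP1: translate the source
        snat 10.13.0.25
    } else {
        # Everything else is forwarded untranslated, as in the original rules
        forward
    }
}
```

The /var/log/ltm entries written by the log line show whether the destination reaches the rule as expected before the SNAT decision is relied on.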