branfarm_139474 (Nimbostratus), May 01, 2014
SNAT and NAT on different VLANs
Hi,
I have a few questions about SNATs and NATs, and about trying to get traffic to either SNAT or NAT based on the destination. Here's the diagram:
I want traffic from 10.8.4.26 destined to 10.8.8.0/24 to use a SNAT of 10.8.8.22. I want traffic from 10.8.4.26 destined to 10.8.6.0/24 to use a NAT of 10.8.6.26. I also want traffic from 10.8.6.0/24 to be able to reach 10.8.4.26 on TCP/5600.
Here's what I've tested:
1. Configured NAT for 10.8.4.26 <> 10.8.6.26, enabled on the Pubdmz VLAN only.
   a. Ping works from internal (10.8.4.26) to pubdmz (10.8.6.104). NAT is correctly applied.
   b. Inbound connection from 10.8.6.104 to 10.8.6.26:5600 works.
   c. Ping fails from 10.8.4.26 to 10.8.8.78 (external). 10.8.8.78 sees traffic from the 10.8.6.26 NAT address. This would be expected at this point since no other configuration has been applied.
2. Tried configuring a second NAT for 10.8.4.26 <> 10.8.8.26, enabled on external only.
   a. Configuration failed with the error "Requested origin address already exists."
3. Since I couldn't create a second NAT, I deleted the first NAT and tried a VS with an iRule.
4. Created a new iRule data group called 'external_network' and added 10.8.8.0/24 as a record.
5. Created a new virtual server:
   a. Name: vs-internal-networks
   b. Source: 10.0.0.0/8
   c. Destination: 0.0.0.0/0.0.0.0
   d. Enabled on Internal
   e. All protocols
6. Created a new iRule called 'check_destination_snat' with the following code:

       when CLIENT_ACCEPTED {
           # IP::local_addr is the destination the client connected to
           if { [class match [IP::local_addr] equals external_network] } {
               # destination is in 10.8.8.0/24: translate the source to 10.8.8.22
               snat 10.8.8.22
           }
       }

7. Tried to ping 10.8.8.78 from 10.8.4.26. tcpdump on the destination host shows that traffic is being SNAT'd, but when the server attempts to ARP for the SNAT address, nothing answers, so no response is ever sent.
8. Added a SNAT list called 'external-10.8.8.22', enabled on the external interface. Tested ping again and this time it was successful.
9. Tried pinging the pubdmz network again, but this failed due to lack of NAT. (Destination host saw traffic from the original IP address.)
10. Added the NAT back for 10.8.4.26 <> 10.8.6.26, enabled on Pubdmz only. Tried pinging without success -- the destination host still saw traffic from the original IP. Ping to 10.8.8.78 still works, and SNAT is correctly applied.
This setup leads me to a few questions:
- We know that the LTM will evaluate objects in the order of VS > SNAT > NAT before routing. Is there a way to tell an iRule to stop processing and then have the traffic move to the next item in the list? In this case, I'd want the VS to check if it can apply a SNAT, and if not, move on to check the NAT list.
- From step 2, does that error mean that an origin address can only appear in one NAT rule system-wide?
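As an added example (not the poster's code, and not an F5-supplied configuration), the iRule from step 6 extended so the single wildcard virtual server picks the source translation per destination network. It assumes a second address-type data group named `pubdmz_network` containing 10.8.6.0/24, created the same way as `external_network`, and that a SNAT translation object exists for each translation address so the LTM answers ARP for it, as step 8 showed was needed for 10.8.8.22.

```tcl
# Added example, not the poster's code. Assumes two address-type data groups:
#   external_network -> 10.8.8.0/24  (from the post)
#   pubdmz_network   -> 10.8.6.0/24  (assumed, created the same way)
# and a SNAT translation object for each address so the LTM answers ARP.
when CLIENT_ACCEPTED {
    # Destination address the client is trying to reach through the
    # wildcard virtual server (0.0.0.0/0 enabled on the Internal VLAN).
    set dst [IP::local_addr]

    if { [class match $dst equals external_network] } {
        # 10.8.4.26 -> 10.8.8.0/24 leaves with source 10.8.8.22
        snat 10.8.8.22
    } elseif { [class match $dst equals pubdmz_network] } {
        # 10.8.4.26 -> 10.8.6.0/24 leaves with source 10.8.6.26
        snat 10.8.6.26
    } else {
        # Any other destination keeps its original source address
        snat none
    }
}
```

This only covers connections initiated from the Internal VLAN through the virtual server; the inbound path from 10.8.6.104 to 10.8.6.26:5600 (step 1b) is not handled by the iRule and still relies on the NAT object enabled on Pubdmz.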