Forum Discussion

JohnQuintas_910
Oct 16, 2015

SNAT outbound connections from pool members to virtual server IP for a specific outbound port

I have a virtual server for inbound ftp connections

Virtual server: 1.1.1.1:21, using the standard FTP profile and source_addr persistence, 30 min timeout

Pool Members:

10.0.0.10:21
10.0.0.11:21

I also have a wildcard IP forwarding virtual server to enable full routing on the LTM:

destination: 0.0.0.0
source: 0.0.0.0

How can I SNAT outbound FTP connections from 10.0.0.10 and 10.0.0.11 (originating from the pool members on the standard FTP control port 21, with ftp-data on port 20) to the virtual server IP 1.1.1.1, and allow all other outbound connections to pass normally without being SNATed?

Can this be done via an "Intelligent SNAT" / iRule on the wildcard IP forwarding virtual server?

Any help would be greatly appreciated

16 Replies

  • No, the 'Source' value is only the IP subnet, not the port. The following iRule will monitor the client port (in this case the FTP server port) and uses 'switch' instead of lots of 'elseif' statements.

    when CLIENT_ACCEPTED {
        # Only act on connections whose source port is 21 or 22
        if { [TCP::client_port] == 21 || [TCP::client_port] == 22 } {
            # Pick the SNAT address by the (host-masked) client address
            switch [IP::addr [IP::client_addr] mask 255.255.255.255] {
                "10.0.0.10" { snat 172.18.1.1 }
                "10.0.0.11" { snat 172.18.1.1 }
                "10.0.0.12" { snat 172.18.1.2 }
                "10.0.0.13" { snat 172.18.1.2 }
                "10.0.0.14" { snat 172.18.1.3 }
                "10.0.0.15" { snat 172.18.1.3 }
            }
        }
    }
    

    Having said that, is this for return traffic from the FTP server to the client?

  • Can I have multiple IP forwarding virtual servers if I have a wildcard source / wildcard destination / wildcard port in place already?

    (1) IP forwarding virtual server 1 - source: 0.0.0.0, destination: 0.0.0.0, any port (already in place to allow full routing)

    (2) IP forwarding virtual server 2 - source: 10.0.0.0/24, destination: 0.0.0.0, port 21 with the following iRule applied:

    when CLIENT_ACCEPTED {
        # Only act on connections whose source port is 21
        if { [TCP::client_port] == 21 } {
            # Pick the SNAT address by the (host-masked) client address
            switch [IP::addr [IP::client_addr] mask 255.255.255.255] {
                "10.0.0.10" { snat 172.18.1.1 }
                "10.0.0.11" { snat 172.18.1.1 }
                "10.0.0.12" { snat 172.18.1.2 }
                "10.0.0.13" { snat 172.18.1.2 }
                "10.0.0.14" { snat 172.18.1.3 }
                "10.0.0.15" { snat 172.18.1.3 }
            }
        }
    }
    

    (3) IP forwarding virtual server 3 - source: 10.0.0.0/24, destination: 0.0.0.0, port 22 with the following iRule applied:

    when CLIENT_ACCEPTED {
        # Only act on connections whose source port is 22
        if { [TCP::client_port] == 22 } {
            # Pick the SNAT address by the (host-masked) client address
            switch [IP::addr [IP::client_addr] mask 255.255.255.255] {
                "10.0.0.10" { snat 172.18.1.1 }
                "10.0.0.11" { snat 172.18.1.1 }
                "10.0.0.12" { snat 172.18.1.2 }
                "10.0.0.13" { snat 172.18.1.2 }
                "10.0.0.14" { snat 172.18.1.3 }
                "10.0.0.15" { snat 172.18.1.3 }
            }
        }
    }
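The following iRule is an added example written for this thread, not code posted by any participant. It answers the original question (SNAT only the FTP-related connections from the two pool members to the virtual server address 1.1.1.1, forward everything else untouched) with a single iRule on the existing 0.0.0.0 IP-forwarding virtual server, so the second/third forwarding virtual servers asked about above are not needed. It assumes two things: an outbound control connection from a pool member goes to destination port 21 (checked with TCP::local_port), and an active-mode data connection the FTP server opens itself comes from source port 20 (checked with TCP::client_port). The log line is optional and only fires on the SNATed connections.

```tcl
# Added example (not from the thread): "intelligent SNAT" on the existing
# 0.0.0.0/0.0.0.0 IP-forwarding virtual server.
# Assumptions: pool members 10.0.0.10 and 10.0.0.11 from the question,
# outbound FTP control = destination port 21, active-mode ftp-data = source port 20,
# SNAT address 1.1.1.1 = the inbound FTP virtual server address.
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        "10.0.0.10" -
        "10.0.0.11" {
            # Pool member is the originator: SNAT only its FTP-related flows
            if { [TCP::local_port] == 21 || [TCP::client_port] == 20 } {
                snat 1.1.1.1
                # Optional: record what was translated, for verification
                log local0. "FTP SNAT [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] via 1.1.1.1"
                return
            }
        }
    }
    # Any other outbound connection keeps its original source address
    snat none
}
```

Because the virtual server owns 1.1.1.1 as a virtual address, replies to the translated connections return to the LTM and are mapped back to the pool member. To confirm which flows were translated after applying the rule, check the connection table (`tmsh show sys connection`) for entries from 10.0.0.10 or 10.0.0.11 whose server-side source is 1.1.1.1, and watch /var/log/ltm for the log line above; adding more pool members is a matter of extending the `switch` (or replacing it with an address data group).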