Forum Discussion

Joe_41441
May 07, 2010

Creating Intelligent SNAT

Hello Group,

I have a question about setting up Intelligent SNAT. My intention is to use an iRule to dictate which public IP is used for a particular server's access to a whitelisted resource. It reads as a very simple procedure from this guide: https://support.f5.com/kb/en-us/pro...wp1192236

What I've done:

1. I have removed the node in question from a standard SNAT.

2. I have written an iRule with the snat command:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals a.b.c.d] } {
            snat w.x.y.z
        }
    }

3. F5 documentation says "From the Resources screen for the appropriate virtual server, assign the iRule as a resource to the virtual server".

Simple enough; I know how to do that on inbound virtual servers. How do I set up a virtual server for outbound traffic? I assume this is different from a Virtual Server for inbound traffic. I have tried creating a virtual server with the IP address of the internal server (a.b.c.d), and applying the iRule from step 2 on it. I can see in the statistics for my iRule that Total Executions increments, but server a.b.c.d does not have internet access.

2 Replies

  • Hamish
    There's no difference between a VS for inbound and outbound (Conceptually). The address of the VS is the DESTINATION of the traffic (You've created a VS with the SOURCE IP as the VS address. Just the wrong way round is all).

    So for an outbound VS to anywhere simply create a network VS with the address/mask of 0.0.0.0/0.0.0.0 and whatever port the traffic is on.

    H
  • Hamish,

    That was exactly what I needed. I knew it was something simple... thanks for your quick response!

    -Joe
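
The point of the first reply, as an added example that is not part of the original thread and not F5 code: a simplified Python model in which a listener is chosen by the packet's destination address, and the iRule's source check only runs once a listener has matched. The sample addresses, listener names, the most-specific-match rule and "port 0 means any" are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample addresses (the thread only gives placeholders a.b.c.d / w.x.y.z).
SERVER = "10.1.1.50"        # stands in for a.b.c.d, the internal server
SNAT_ADDR = "203.0.113.10"  # stands in for w.x.y.z, the public SNAT address

def match_virtual(virtuals, dst_ip, dst_port):
    """Return the name of the most specific listener whose destination matches, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for name, network, port in virtuals:
        net = ipaddress.ip_network(network)
        if dst in net and port in (0, dst_port):   # port 0 = any port (assumption)
            if best is None or net.prefixlen > best[1]:
                best = (name, net.prefixlen)
    return best[0] if best else None

def irule_snat(client_ip):
    """Model of the thread's iRule: SNAT only connections from the chosen server."""
    return SNAT_ADDR if client_ip == SERVER else None

def translate(virtuals, src_ip, dst_ip, dst_port):
    """Return (listener, source address seen upstream), or (None, None) if no listener."""
    vs = match_virtual(virtuals, dst_ip, dst_port)
    if vs is None:
        return None, None            # nothing listening: the connection is not handled
    return vs, irule_snat(src_ip) or src_ip

# The original attempt: listener address set to the SOURCE of the traffic.
wrong = [("vs_on_source", SERVER + "/32", 0)]
# The suggested fix: wildcard network listener, 0.0.0.0 / 0.0.0.0.
fixed = [("vs_outbound", "0.0.0.0/0", 0)]

if __name__ == "__main__":
    for label, cfg in (("wrong", wrong), ("fixed", fixed)):
        print(label, translate(cfg, SERVER, "198.51.100.7", 443))
```

In this model the source-addressed listener still matches traffic sent to the server, so an iRule attached to it can run without the server's outbound connections ever being translated.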