Forum Discussion

meena_60183
Jun 28, 2010

Is this correct?

I am trying to write an irule where I perform snat based on the LB_SELECTED server address and this is what I have

    when LB_SELECTED {
        # Check the CAS server and do SNAT
        log local0. "LB server addr is [LB::server addr]"
        if { [[LB::server addr] equals 10.60.252.6] } {
            snat 10.60.253.246
            set ::cas_selected "10.60.252.6"
            log local0. "selected CAS is $::cas_selected"
            forward
        } elseif { [[LB::server addr] equals 10.60.252.7] } {
            snat 10.60.253.247
            set ::cas_selected "10.60.252.7"
            log local0. "selected CAS is $::cas_selected"
            forward
        } elseif { [[LB::server addr] equals 10.60.252.8] } {
            snat 10.60.253.248
            set ::cas_selected "10.60.252.8"
            log local0. "selected CAS is $::cas_selected"
            forward
        }
    }

and I am getting this error

    Jun 28 15:30:42 tmm tmm[2236]: Rule force_traffic_to_cas_untrusted : LB server addr is 10.60.252.8
    Jun 28 15:30:42 tmm tmm[2236]: 01220001:3: TCL error: force_traffic_to_cas_untrusted - invalid command name "10.60.252.8" while executing "[LB::server addr] equals "10.60.252.6""

on the ltm log. I could not figure out what the "invalid command name" is. Can anyone point me in the right direction?

 

 

 

4 Replies

  • Hi Meena,

    You can use the IP::addr command to compare a single IP or network to another IP or network. Also, you should use local variables instead of global ones for this as they'll change with each connection.

        when LB_SELECTED {
            # Check the CAS server and do SNAT
            log local0. "LB server addr is [LB::server addr]"
            if { [IP::addr [LB::server addr] equals 10.60.252.6] } {
                snat 10.60.253.246
                set cas_selected "10.60.252.6"
                log local0. "selected CAS is $cas_selected"
                forward
            } elseif { [IP::addr [LB::server addr] equals 10.60.252.7] } {
                snat 10.60.253.247
                set cas_selected "10.60.252.7"
                log local0. "selected CAS is $cas_selected"
                forward
            } elseif { [IP::addr [LB::server addr] equals 10.60.252.8] } {
                snat 10.60.253.248
                set cas_selected "10.60.252.8"
                log local0. "selected CAS is $cas_selected"
                forward
            }
        }

    Aaron
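The same LB_SELECTED logic written as a table-driven switch, as an added example that is not Aaron's or Meena's code; it reuses the three CAS and SNAT addresses from the thread, matches [LB::server addr] as an exact string (so IP::addr remains the right tool when a subnet comparison is needed), and logs instead of silently falling through when the selected server is not in the mapping.

```tcl
when LB_SELECTED {
    # Added example, constructed from the thread's addresses.
    # [LB::server addr] returns a plain dotted-quad string. Wrapping it in a
    # second pair of brackets, as in [[LB::server addr] equals ...], makes Tcl
    # run the address as a command, which is the "invalid command name" error
    # from the original post. A switch on the string avoids the elseif chain.
    set cas [LB::server addr]
    switch -- $cas {
        10.60.252.6 { set snat_addr 10.60.253.246 }
        10.60.252.7 { set snat_addr 10.60.253.247 }
        10.60.252.8 { set snat_addr 10.60.253.248 }
        default {
            # A server outside the mapping is logged and left without SNAT,
            # rather than dropping through the chain with no log line.
            log local0. "unexpected CAS $cas selected, no SNAT applied"
            return
        }
    }
    snat $snat_addr
    # cas and snat_addr are local variables: scoped to this connection only,
    # as Aaron recommends, so they never leak between clients.
    log local0. "selected CAS $cas, SNAT source $snat_addr"
}
```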
  • Thanks Aaron.

    Now I do not get the error on the log but I do have one question. I need to use the cas_selected variable in another irule which gets hit when the traffic comes out of the cas servers on the trusted side, where I do have a wildcard forwarding VS that is enabled on the trusted side (vlan) of the CAS server. I need to make sure that when a response comes back from other servers, I force the traffic through the same cas server that was selected on the untrusted side. When I use a local variable, I get the following

        Jun 28 16:47:25 tmm1 tmm1[2268]: 01220001:3: TCL error: snat_cas_untrusted_addr - can't read "cas_selected": no such variable while executing "log local0. "selected CAS-second is $cas_selected""

    for this irule

        when LB_SELECTED {
            log local0. "selected CAS-second is $cas_selected"
            if { $cas_selected equals "10.60.252.6" } {
                snat 10.60.253.254
                forward
            } elseif { $cas_selected equals "10.60.252.7" } {
                snat 10.60.253.253
                forward
            } elseif { $cas_selected equals "10.60.252.8" } {
                snat 10.60.253.252
                forward
            }
        }

    I tried to make it a global variable and that gives me the same error as well.

    Meena

  • This is what I am trying to accomplish and I need some help.

        ----------
        | Client |
        ----------
            |
            |
        ----------
        | BigIP  |
        ----------
            |
            | <---- untrusted side of the CAS servers; VS created with IP 10.60.98.11, VLAN 351
        ----------------------
        | Cas1, cas2 or cas3 |
        |                    |
        ----------------------
            |
            | <---- trusted side of the CAS servers; VLAN 5
        ---------
        | BigIP |
        ---------
            |
            |
        --------------
        | DNS or LDAP | <----- The response should go back to the trusted side of the CAS servers
        --------------

    Traffic originates from the client subnet 10.60.250.x/24 and is destined for DNS or LDAP.

    Policy based routing forces the traffic to the untrusted side of the CAS VS 10.60.98.11.

    Since the destination is not the VS, the traffic hits the wild card VS on the LTM. The irule checks for the client IP range and forces the traffic to the untrusted CAS pool.

    The following irule is applied to the wildcard VS of 0.0.0.0/0.0.0.0

        when CLIENT_ACCEPTED {
            log local0. "client IP is [IP::client_addr]"
            # apply this rule to the wildcard VS since the destination is LDAP or DNS and it is going to hit the wildcard VS
            if { [IP::addr [IP::client_addr]/24 equals 10.60.250.0] } {
                pool cas_untrusted_https_pool
                persist source_addr 3600
            }
        }

    Based on the selected CAS, SNAT the client IP so that we will know which CAS was selected, and also set the cas_selected variable.

        when LB_SELECTED {
            # Check the CAS server and do SNAT
            log local0. "LB server addr is [LB::server addr]"
            if { [IP::addr [LB::server addr] equals 10.60.252.6] } {
                snat 10.60.253.246
                set ::cas_selected "10.60.252.6"
                log local0. "selected CAS is $::cas_selected"
                forward
            } elseif { [IP::addr [LB::server addr] equals 10.60.252.7] } {
                snat 10.60.253.247
                set ::cas_selected "10.60.252.7"
                log local0. "selected CAS is $::cas_selected"
                forward
            } elseif { [IP::addr [LB::server addr] equals 10.60.252.8] } {
                snat 10.60.253.248
                set ::cas_selected "10.60.252.8"
                log local0. "selected CAS is $::cas_selected"
                forward
            }
        }

    The traffic gets automatically routed to the trusted side of the cas server. The default gateway for the CAS servers is the self-IP on vlan 5.

    This traffic hits the forwarding server that is enabled only on vlan 5. In this case, I expect the source IP to be the SNAT IP as above but it is not happening. If the SNAT in the above irule works correctly, the following irule should have worked.

    I tried SNAT automap first so that the return traffic from the DNS and LDAP server would come back to the trusted side of the CAS, but it blocks administrative traffic like SSH and https.

    So, I created another irule which is

        when CLIENT_ACCEPTED {   ;# <-- I do not know what event I need to check since this is the outbound traffic from the CAS servers and all I am trying to do is force the return traffic to come back to the same CAS server on the trusted side so that it can't be SNATed back and sent to the client.
            log local0. "selected CAS-second is $::cas_selected"
            if { $::cas_selected equals "10.60.252.6" } {
                snat 10.60.253.254
                forward
            } elseif { $::cas_selected equals "10.60.252.7" } {
                snat 10.60.253.253
                forward
            } elseif { $::cas_selected equals "10.60.252.8" } {
                snat 10.60.253.252
                forward
            }
        }

    I pictured it several times and it seems like it should work but still I am missing something. Any help would be appreciated.

  • I found a solution that works. I am not sure why I complicated it so much. The solution is rather simple and easy to implement.

    Implemented policy based routing for the return traffic to force it through the VS on the trusted side and persisted based on the destination address. Persisting based on source on the untrusted side and destination on the trusted side sticks to the same CAS. So, there is no need to do SNAT.

    Meena