Forum Discussion

Drew_Berendts_2
Oct 17, 2005

Outbound SNAT w/ IRules

I am new to IRules so please pardon any obviously ignorant part of the inquiry. I know that IRules can be used on inbound connections coming into a virtual server. What I would like to do, however, is to write an IRule to do a unique outbound SNAT (where servers behind the F5 are the client initiating a connection to some server beyond the F5), where the SNAT would be set to different IPs depending on the destination address of the outbound call. For example:

If the client outbound connection is destined for IP A.A.A.A, then SNAT the outbound connection to Z.Z.Z.Z. If the outbound client connection is destined to IP B.B.B.B, then SNAT the outbound connection to Y.Y.Y.Y. If destination is anything else, SNAT to X.X.X.X.

I unfortunately cannot achieve the above scenario by simply using multiple SNAT statements as I have a single pool of hosts making outbound calls to numerous destinations. In a few cases, these outbound calls must be SNATted to a unique IP address when the outbound call is sent. Hence, my looking to add the notion of "destination policy based SNATs" to the logic of the SNATs via IRules.

I am not sure if the above can be achieved as IRules are not an option w/in the SNAT web GUI under BigIP 9.1. If the above is possible, what event would trigger such an action? Client_Accepted or LB_Selected appear to be possible trigger candidates, but they do not seem to fit the criteria I am trying to achieve when I closely look @ the given explanation of each trigger.

Thank you for any feedback on the above question.

Respectfully,

Drew Berendts

1 Reply

  • Yes, this is possible. You can also forward outbound traffic based on a particular source, I use this for return traffic in a firewall matrix. In your case, your servers are the clients, so this rule should work for you.

    when CLIENT_ACCEPTED {
       # For an outbound connection through the BIG-IP, IP::local_addr is the
       # address the internal client connected to, i.e. the destination of the
       # outbound call; the SNAT address is chosen from it.
       if { [IP::addr [IP::local_addr] equals "A.A.A.A"] } {
          use snat Z.Z.Z.Z
       } elsif { [IP::addr [IP::local_addr] equals "B.B.B.B"] } {
          use snat Y.Y.Y.Y
       } else {
          # Any other destination gets the default SNAT address.
          use snat X.X.X.X
       }
    }

    Note that you can use a mask if it is a network destination, like this:

    "A.A.A.A/24"
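
    The rule below is an added example, not code from the reply above: it writes the same destination-based SNAT out with a network mask, so one SNAT address covers a whole destination subnet, and logs the chosen mapping so it can be checked in /var/log/ltm. All addresses are placeholders; it assumes a v9 wildcard forwarding virtual server and the v9 `snat <address>` command form.

```tcl
# Added example (not the reply's code): destination-based outbound SNAT
# with a network mask and a log line. Addresses are constructed placeholders.
when CLIENT_ACCEPTED {
   # For an outbound connection through a forwarding virtual server,
   # IP::local_addr is the destination the internal client is calling.
   set dst [IP::local_addr]

   if { [IP::addr $dst equals "A.A.A.0/24"] } {
      # Every host in the A.A.A.0/24 destination network leaves as Z.Z.Z.Z
      set src Z.Z.Z.Z
   } elsif { [IP::addr $dst equals "B.B.B.B"] } {
      # A single destination host
      set src Y.Y.Y.Y
   } else {
      # Default SNAT address for every other destination
      set src X.X.X.X
   }

   snat $src

   # Record which SNAT address was picked for which destination, so the
   # mapping can be verified against the expected policy in /var/log/ltm.
   log local0. "client [IP::client_addr] -> $dst SNATed via $src"
}
```

    The log line is worth keeping while the rule is new: it is the quickest way to confirm that a given destination really went out with the intended source address before relying on it in an upstream firewall policy.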