Forum Discussion

Jliz_44390
Jul 27, 2007

Matching Source and Destination for NAT

I've let this simple problem drive me nuts now for a day and a half and I've yet to find the solution.

I'm trying to NAT when a request is made from a server behind the LB to a VIP on the same LB. All other traffic except this specific source-to-destination network I want to leave unchanged.

I have real servers on 10.100.104.x/24 and the VIPs are on 10.100.100.x/24.

I figured this iRule thing can't be too difficult so I started reading up. I think I'm close, so if someone could shed some light on where I screwed up that would be great.

Here is what I have so far.

when CLIENT_ACCEPTED {
    # Match when the source is a real server (10.100.104.0/24) and the
    # destination is a VIP (10.100.100.0/24). CLIENT_ACCEPTED is used because
    # IP::local_addr is the address the client connected to (the VIP);
    # IP::server_addr in LB_SELECTED is the chosen pool member, which would
    # never fall inside the VIP network.
    if { [IP::addr [IP::client_addr] equals 10.100.104.0/24] and [IP::addr [IP::local_addr] equals 10.100.100.0/24] } {
        snat automap
    }
}
Thanks in advance for the help.

-John

4 Replies

  • Deb_Allen_18
    Historic F5 Account
    You can set up a selective SNAT instead of using an iRule.

    Enable SNAT AutoMap on at least one floating self-IP address on the egress VLAN.

    Then create a new SNAT, with the following settings:

    -Translation: Automap
    -Origin: Address List
    --Type: Network
    --Address: 10.100.104.0
    --Mask: 255.255.255.0
    -Enabled on: At least the egress VLAN

    And finally, if the traffic will traverse a pool, ensure that "Allow SNAT" is still enabled on that pool. (Enabled by default)

    That will translate all connections originating from the address list to the automap address, and all other connections will go un-SNAT'd.

    /deb
  • Hi

    I have the same kind of problem. I have two private networks in different VLANs, for example 10.10.10.0/24 and 10.10.11.0/24. I have servers in both networks. In network 10.10.10.0/24 are servers that I want to allow Internet access (third VLAN, public). If I make a SNAT rule like the one above, connections between the VLANs work, but there is no Internet connection. If I enable SNAT on VLANs 10.10.10.0/24 and the public IP address VLAN, servers can go to the Internet but cannot make connections between the private networks. Or rather, connections started from the 10.10.11.0/24 VLAN to the 10.10.10.0/24 VLAN work, but not the other way.
  • You could pass traffic through the BIG-IP more programmatically by creating a forwarding IP virtual server with a fastL4 profile. You can then conditionally forward requests based on source IP or network and/or destination IP or network.

    Here's an example: Click here

    If that's overkill for your requirements, you could trim out the classes and just forward based on IP or network using the IP::addr command (Click here).

    Also, you can apply source address translation to a specific connection with the snat command (http://devcentral.f5.com/wiki/default.aspx/iRules/snat.html).

    Aaron
  • Hi

    Thanks for the help. With the examples I made a simple iRule:

    when CLIENT_ACCEPTED {
      # Client in NattedNetwork and destination in PrivateNetwork: forward without SNAT.
      # IP::local_addr is the destination of the accepted connection; IP::remote_addr
      # is the client's own address here, so it cannot be used to test the destination.
      if { [matchclass [IP::client_addr] equals $::NattedNetwork] and
           [matchclass [IP::local_addr] equals $::PrivateNetwork] } {
        forward
      } elseif { [matchclass [IP::client_addr] equals $::NattedNetwork] } {
        # Client in NattedNetwork going anywhere else: translate the source address.
        snat automap
      } else {
        forward
      }
    }

    Class NattedNetwork is the network where I do not want to use SNAT, and class PrivateNetwork is the network where I want to NAT in certain cases.

    -Esa

    PS. I know, the last else with forward is not needed.
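The following iRule is an added example, not code from the thread, the original poster or any of the repliers. It puts the pattern Aaron described and Esa implemented into one rule for the networks in the original question, with the networks written inline via IP::addr instead of in data-group classes: real servers on 10.100.104.0/24 (assumed), VIPs on 10.100.100.0/24 (assumed), applied either to a forwarding fastL4 virtual server or to the VIPs themselves. The log line is there so you can confirm from /var/log/ltm which connections were translated and which were not.

```tcl
# Added example (not from the thread). Assumed networks: real servers on
# 10.100.104.0/24, VIPs on 10.100.100.0/24; attach to a forwarding (fastL4)
# virtual server or to the VIPs in the 10.100.100.0/24 network.
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED, IP::client_addr is the source of the connection and
    # IP::local_addr is the address the client connected to (the VIP). Both
    # IP::addr comparisons return 1 for a match and 0 otherwise.
    set src_is_server [IP::addr [IP::client_addr] equals 10.100.104.0/24]
    set dst_is_vip    [IP::addr [IP::local_addr]  equals 10.100.100.0/24]

    if { $src_is_server && $dst_is_vip } {
        # Server-to-VIP on the same unit: translate the source address so the
        # selected pool member's reply returns through the BIG-IP rather than
        # going straight back to its neighbour on the server subnet.
        snat automap
        log local0. "snat automap: [IP::client_addr] -> [IP::local_addr]"
    } else {
        # Every other source/destination pair keeps its original source address.
        snat none
    }
}
```

Two things to check when using this: the pool reached through the VIP must still have "Allow SNAT" enabled (Deb's point above), and once a connection is translated the pool member only sees the automap self-IP, so server-side logs for those connections no longer show the originating server's address; the ltm log line is the place to recover that mapping.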