Forum Discussion

clowe_16759
Nov 07, 2007

iRule to SNAT Server

I am very inexperienced in writing iRules.

Background: there are virtual servers that serve our web servers and virtual servers that serve our database server. The web and DB servers are on different VLANs and the layer-3 switch will be in between the servers and the LTM.

The web servers connect to the database servers via the virtual servers on the inside interface of the LTM. I know that a SNAT is needed to prevent bounce-back issues. The problem is that I would like to be able to provide statistics and troubleshoot issues and know which web server(s) are talking to the database server(s), and a many-to-one SNAT would prevent this.

Ideal solution: create an iRule such that any connection from the web VLAN gets SNAT'ed to a particular IP address for each host from the web VLAN defined in a pool, when connecting to a DB virtual server. Essentially, automatically making a one-to-one SNAT without having to define one every time a new web host is brought online.

If this is confusing, sorry, I am a little confused myself.

3 Replies

  • If you have a spare IP address per client you will be SNAT'ing, you could create a datagroup (type: string) with the client IP and SNAT IP. When a client request is received, you could search the class using findclass and look up the corresponding IP you want to SNAT with. You can then use the snat command to apply it.

    citizen_elah added a good example using a similar scenario a while back (Click here).

    You could adapt that like this using a class with the client IP first, followed by the IP you want to translate it to:

    class snat_map {
      "1.1.1.1 1.1.2.1"
      "1.1.1.2 1.1.2.2"
      "1.1.1.3 1.1.2.3"
      "........ ......"
    }

    And then a rule which performs the SNATing:

    when CLIENT_ACCEPTED {
       # Look up the client IP in the class; with a separator given,
       # findclass returns the part of the matching entry after it (the SNAT IP)
       set snat_ip [findclass [IP::client_addr] $::snat_map " "]
       if { $snat_ip ne "" } {
          snat $snat_ip
       } else {
          # client IP wasn't found in the class, so use a default SNAT address
          snat 2.2.2.2
       }
    }

    Aaron
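As an added, offline check that is not part of Aaron's reply: this Python reproduces the datagroup lookup above (hit returns the mapped address, miss returns the 2.2.2.2 default) and verifies that the map really is one-to-one, which is what makes the DB-side statistics attributable to a single web server. The sample map text and the function names are constructed for this example.

```python
from ipaddress import ip_address

# Constructed sample in the same "client snat" entry format as the snat_map
# class above (the "........ ......" placeholder line is left out).
SNAT_MAP_TEXT = """
class snat_map {
  "1.1.1.1 1.1.2.1"
  "1.1.1.2 1.1.2.2"
  "1.1.1.3 1.1.2.3"
}
"""
DEFAULT_SNAT = "2.2.2.2"  # the fallback address from the iRule's else branch


def parse_snat_map(text):
    """Return {client_ip: snat_ip} from the quoted 'client snat' entries."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith('"') and line.endswith('"')):
            continue  # skip the class header/footer and blank lines
        parts = line.strip('"').split()
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {line}")
        client, snat = (str(ip_address(p)) for p in parts)  # validates both IPs
        if client in mapping:
            raise ValueError(f"duplicate client entry: {client}")
        mapping[client] = snat
    return mapping


def lookup_snat(mapping, client_ip, default=DEFAULT_SNAT):
    """Mirror the iRule: a hit yields the mapped SNAT IP, a miss the default."""
    return mapping.get(client_ip, default)


def check_one_to_one(mapping, default=DEFAULT_SNAT):
    """List entries that would make a client's DB traffic unattributable."""
    problems = []
    owner = {}  # snat_ip -> first client that claimed it
    for client, snat in mapping.items():
        if snat == default:
            problems.append(f"{client} maps to the default SNAT {default}")
        elif snat in owner:
            problems.append(f"{snat} is shared by {owner[snat]} and {client}")
        owner.setdefault(snat, client)
    return problems
```

The dictionary lookup here is an exact match, whereas findclass returns the first entry whose text starts with the search string, so with entries such as 1.1.1.1 and 1.1.1.10 the order in the class matters (searching for "[IP::client_addr] " with a trailing space is the usual way to force an exact match).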
  • Quick question: it appears to me that the configuration above is for a static mapping between a source address and a SNAT address. Is this done dynamically, or does the class map need to be defined on a one-to-one basis? Just trying to avoid having too many working parts to the SNAT setup.
  • I'm not sure I understand your question completely.

    For the example I gave, you would need to designate one IP address per client that you want to perform source address translation to. You would create the datagroup to map the client IP to its designated translation IP. Once you add the rule to the DB VIP, the translation would be done for those specific client IP addresses to their corresponding SNAT addresses.

    Does this answer your question? If not, can you clarify?

    Thanks,

    Aaron