Maxim_Taskov_90
Jun 05, 2008
SNAT Based on Source and Destination
I hope you can help ... thanks.
I am trying to apply conditional SNAT based on source and destination for any service otherwise leave them alone and allow the static NAT to take effect. What I did is ...
NOTE: The client servers normally have static NATs applied.
1. Created Forwarding (IP) VIP available only on the VLAN where the client servers reside with the following configuration:
    virtual vsANY-NodeNet
        destination any:any
        disable
        ip forward
        rule snat_rule
        vlans NodeNet enable
NOTE: NodeNet is the VLAN where the client servers reside.
2. Created an iRule labeled 'snat_rule' as follows:
    when CLIENT_ACCEPTED {
        if {[matchclass IP::local_addr eq $::the_destination_ip] and [matchclass IP::client_addr eq $::the_source_ip]} {
            snat 10.10.1.1
        } else {
            snat none   ;# I tried using 'forward' here too
        }
    }
2a. I tried this too:
    when CLIENT_ACCEPTED {
        if {[matchclass IP::local_addr eq $::the_destination_ip]} {
            snat 10.10.1.1
        } else {
            snat none   ;# I tried using 'forward' here too
        }
    }
The result was that all traffic matched the rule and everything started failing, because traffic destined for the internal network is subjected to specific firewall rules, which include source, destination and port as the rule parameters. After this new iRule, the server static NATs are not applied; rather, all get the 10.10.1.1 SNAT, which obviously is not in any of the firewall rules.
Technically the iRule could be based on matching the destination only but I included the source too as I thought that it will be less invasive/more efficient the more specific it is. Was I correct?
HELP !!!
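An added, instrumented variant of the snat_rule above (written for this page, not from the original post) that logs which branch fires and the addresses and class results it evaluated, so the matching behaviour can be checked in /var/log/ltm before any SNAT decision is trusted. It assumes the data groups the_destination_ip and the_source_ip exist as in the post; the log text is my own.

```tcl
# Added debugging variant of the poster's snat_rule (not from the original post).
# Assumes the data groups the_destination_ip and the_source_ip already exist.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # matchclass returns the 1-based index of the matching element, or 0 on no match,
    # so the results can be used directly as booleans below.
    set dst_hit [matchclass $dst equals $::the_destination_ip]
    set src_hit [matchclass $src equals $::the_source_ip]

    # Record every evaluation so each branch taken can be verified in /var/log/ltm
    log local0. "snat_rule: src=$src dst=$dst dst_match=$dst_hit src_match=$src_hit"

    if { $dst_hit and $src_hit } {
        log local0. "snat_rule: applying SNAT 10.10.1.1 for $src -> $dst"
        snat 10.10.1.1
    } else {
        log local0. "snat_rule: no SNAT for $src -> $dst"
        snat none
    }
}
```

Remove or comment out the log lines once the branch behaviour has been confirmed, since logging every accepted connection on a forwarding virtual server adds load.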