Forum Discussion
meena_60183
Nimbostratus
Nov 19, 2008

Intelligent SNAT help
I need some help in understanding if I am in the right direction.
I have the following scenario.
I have 2 web servers, 10.11.2.34 and 10.11.2.35, that need port 80 (HTTP) load balancing. I created a virtual server with a public IP of x.x.31.69 and that works fine. These servers have the BigIP as the default gateway. I can access the servers for management access like RDP etc.
Now there is a requirement that the outgoing traffic initiated from these servers should appear to originate from the virtual address x.x.31.69. I created a SNAT that NATed 10.11.2.34 and 10.11.2.35 to x.x.31.69.
Now, when I ping the server 10.11.2.34 or .35, I get a reply from x.x.31.69. I cannot access the servers using RDP.
I would like to restrict the SNAT to port 80 traffic only. Do I need an iRule, or do I need to do something else? I am a little confused on this part.
Any suggestions?
Meena
11 Replies
James_Quinby_46
Historic F5 Account
Meena -
You can apply a SNAT to a particular virtual server. Create a SNAT pool with only a single address in it, then apply it to your VIP (open up the advanced configuration tab, then scroll down to the bottom - your new pool should be under 'snat pool').
You can do conditional SNATing within an iRule, but it doesn't sound like that's what's required here unless I'm missing something in your description.
JQ

meena_60183
Nimbostratus
But the requirement is to have a single address (the same as the virtual address for the incoming load balanced traffic) for both servers. If I restrict the SNAT to port 80 only, would traffic like ICMP and RDP go directly without getting NATed? Is that correct?

meena_60183
Nimbostratus
Please ignore my previous reply. I reconfigured the SNAT pool with a single IP address, the same as the virtual address, applied it to the virtual server, and it worked.
Thank you very much for your help.
Meena

meena_60183
Nimbostratus
I tested the outbound web access from these 2 servers and they are not being NATed to x.x.31.69. It only NATs the load balanced traffic, not any outbound traffic.
I have to SNAT the port 80/443 traffic from these 2 servers to a single IP of x.x.31.69.
Do I need an iRule for that?
Meena

hoolio
Cirrostratus
Hi Meena,
That's expected. If you've configured a SNAT pool on the VIP, it would only affect the traffic through the VIP. If you want to apply it to traffic originating from the specific hosts, you could add the SNAT pool to a forwarding VIP or create a default SNAT which references the SNAT pool.
Aaron

meena_60183
Nimbostratus
I did create a default SNAT which referenced the SNAT pool, but the RDP connections to the server stop working, and also when I ping the server IP address the replies come from the SNAT address x.x.31.69, which breaks a lot of things.
Meena

hoolio
Cirrostratus
Sorry for any confusion. If you only want to perform SNAT translation for connections to a specific destination port, you'd actually need to configure a VIP. You can't restrict a default SNAT to a single port.
The VIP would be 0.0.0.0:80 / 0.0.0.0. You could then add the SNAT pool to the VIP. If you have a pool of default gateways, you could configure them in a pool and attach it to the VIP. Otherwise, you could create a Forwarding (IP) VIP. Create a datagroup of type address and add the client IP addresses you want to perform source address translation for. You can then use an iRule which either disables SNAT for any client not in the datagroup or, if you don't want to allow arbitrary clients to use this VIP for outbound port 80 traffic, drops or rejects those clients.
The rule might look like this:

```tcl
when CLIENT_ACCEPTED {
   # Check if client is not part of the allowed clients datagroup
   if { not [matchclass [IP::client_addr] equals allowed_clients_dg] } {
      # Drop the request
      drop
      # Alternative to drop: allow the request, but disable SNAT
      # snat none
   }
}
```
The default action would be to apply the SNAT pool as configured on the VIP and either forward the request or send it to the gateway pool.
Aaron

meena_60183
Nimbostratus
Hi
It took a while for me to figure out that I wanted to create a forwarding VS.
I already have a 0.0.0.0/0.0.0.0 for all ports as a forwarding wildcard VS.
So, I decided to add a second forwarding VS for x.25.40.0/24 for port 443 traffic. I applied the SNAT pool which translates the address to y.y.31.75.
The idea is that when the servers with IP 10.22.0.31 and 10.22.0.32 originate HTTPS traffic to the x.23.40.0/24 network, I want the server address to be NATed to y.y.31.75.
I think I created the VS and the SNAT pool correctly. I tested this by going to https://x.25.40.7 from 10.22.0.31 and all I get is a Reset from LTM.
What am I missing?
Meena

hoolio
Cirrostratus
Hi Meena,
Sorry, I tried to point out you could either use a pool of gateway servers or use a forwarding IP VIP.
Do you see a serverside connection from LTM to the destination IP? Is there routing in place for TMM to the destination host? Can you add logging to the iRule to see if the CLIENT_ACCEPTED event is triggered on this VIP?
Thanks,
Aaron

meena_60183
Nimbostratus
I changed the default gateway of the servers to be the LTM.
Tcpdump shows traffic (SYN) from the server hitting the LTM on the VLAN interface with the self IP of 10.22.0.5. I see a RST from LTM back to the server.
I do not see any traffic hitting the external interface of the LTM.
When I think about it, this forwarding VS does not have any pool associated with it. All the VS has is the SNAT pool.
Meena
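The configuration discussed in this thread, as an added example in tmsh/bigip.conf syntax (TMOS v11 or later). It is not from the thread, from F5's documentation, or from any of the posters; the 2008 BIG-IP in the posts above would have been configured with bigpipe, and every object name, the 192.0.2.69 SNAT address, the 198.51.100.1 gateway and the `internal` VLAN are assumptions. It covers James's single-address SNAT pool applied to a virtual server, both of Aaron's outbound options (a Forwarding (IP) wildcard VIP for port 80 with an address data group and guard iRule, and a Standard VIP pointing at a gateway pool), and the "no pool" question in the last post. Two checks worth keeping in mind when comparing this with a real box: a Forwarding (IP) virtual server deliberately has no pool and forwards using TMM's own route table, so the BIG-IP itself needs a route or default gateway to the destinations; a Standard virtual server with neither a pool nor a gateway pool resets new connections. Because only destination port 80 matches these virtual servers, RDP, ICMP and every other port keep flowing through the all-ports forwarding virtual server untranslated.

```tmsh
# Added example (not from the thread): outbound port-80-only SNAT on BIG-IP LTM.
# All names and addresses are hypothetical.

# 1. SNAT pool with the single public address outbound traffic should use
#    (the same address the inbound load-balancing VIP listens on).
ltm snatpool snatpool_web_outbound {
    members {
        192.0.2.69
    }
}

# 2. Address data group of the internal hosts allowed to use the outbound VIP.
ltm data-group internal allowed_clients_dg {
    type ip
    records {
        10.11.2.34/32 { }
        10.11.2.35/32 { }
    }
}

# 3. Guard iRule: hosts not in the data group are rejected before forwarding.
#    Replace "reject" with "snat none" if other hosts may still use the VIP
#    without translation (the two alternatives Aaron mentions).
ltm rule outbound_snat_guard {
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals allowed_clients_dg] } {
        reject
    }
}
}

# 4a. Forwarding (IP) wildcard VIP for TCP destination port 80 only.
#     No pool: TMM forwards via its route table, so a route to the
#     destinations must exist on the BIG-IP. Listening only on the internal
#     VLAN keeps external clients from using it as an open proxy.
ltm virtual vs_outbound_http_fwd {
    destination 0.0.0.0:80
    mask any
    ip-forward
    ip-protocol tcp
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type snat
        pool snatpool_web_outbound
    }
    rules {
        outbound_snat_guard
    }
    vlans {
        internal
    }
    vlans-enabled
}

# 4b. Alternative: Standard VIP that hands port-80 flows to a gateway pool.
#     Address and port translation must be disabled, otherwise LTM would
#     rewrite the destination to the gateway's own address.
ltm pool pool_default_gw {
    members {
        198.51.100.1:0 {
            address 198.51.100.1
        }
    }
    monitor gateway_icmp
}
ltm virtual vs_outbound_http_gw {
    destination 0.0.0.0:80
    mask any
    ip-protocol tcp
    pool pool_default_gw
    translate-address disabled
    translate-port disabled
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type snat
        pool snatpool_web_outbound
    }
    rules {
        outbound_snat_guard
    }
    vlans {
        internal
    }
    vlans-enabled
}
```

Use one of 4a or 4b, not both, since they would compete for the same 0.0.0.0:80 listener. After loading, a `tcpdump -ni 0.0` on the BIG-IP for port 80 should show the server-side SYN leaving with 192.0.2.69 as its source, while an RDP or ping to the servers still shows their real 10.11.2.x addresses.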