Forum Discussion

Fabou_139732
Mar 19, 2014

SNAT to multiple addresses and ports

Hi Guys,

I have to create SNAT rules to allow some hosts to access an external system, so they are hidden behind a NATed address.

I am planning to use virtual servers (Forwarding IP) for this, and the requirement is as below:

SourceIP1 ==> NAT1 to DEST1 & DEST2 on PORT1, PORT2 & PORT3

Now I have to configure more of those as below:

SourceIP2 ==> NAT2 to DEST1 & DEST2 on PORT1, PORT2 & PORT3

. .

SourceIPn ==> NATn to DEST1 & DEST2 on PORT1, PORT2 & PORT3

You can see that it's a one-to-one mapping that goes to the same addresses and the same ports; also, destination addresses 1 & 2 are not in the same network.

Is there any way I can do this with a reduced number of Virtual Servers? At the moment, if I don't want to open all ports to the destinations, I will be forced to create 6 entries just for one line, so for n lines I will need to create n*6 entries.

Is there any way I can achieve this with reduced creation of virtual servers while still maintaining strict rules (only opening the ports that are required)?

I don't have much experience with F5, but I am willing to try out anything that could help achieve this.

Regards,

Fabou

 

1 Reply

  • you could do this with a simple iRule

    when CLIENT_ACCEPTED {
        # Only the required ports are handled; "-" falls through to the next pattern.
        switch [TCP::local_port] {
            "80" -
            "8080" -
            "443" {
                # Source subnet and the two (non-adjacent) destination hosts.
                if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] &&
                     ([IP::addr [IP::local_addr] equals 172.16.31.5] ||
                      [IP::addr [IP::local_addr] equals 172.16.30.5]) } {
                    # Translate the source to the NAT address for this subnet.
                    snat x.x.x.x
                }
            }
        }
    }

    as you add more, it would make sense to move the data to a data group and use the class command to extract it. You might format like:

    client_addr := snat_ip,dest_ip1,dest_ip2

    so when you extract it based on client address, you can then get to each of the fields you need with the getfield command.
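The data-group version of the iRule described in the reply, as an added example that is not part of the original answer. It assumes an address data group named snat_map (hypothetical name) whose values follow the suggested snat_ip,dest_ip1,dest_ip2 format, attached to one wildcard TCP forwarding-IP virtual server; unlisted source/destination/port combinations are rejected, which preserves the strict per-port rules asked for in the question.

```tcl
# Added example, not from the original answer.
# Assumed data group "snat_map" (type address), one record per source host/subnet,
# value formatted as the answer suggests: snat_ip,dest_ip1,dest_ip2
#   e.g.  10.10.10.0/24 := "192.0.2.11,172.16.31.5,172.16.30.5"   (constructed sample)
# One wildcard TCP forwarding-IP virtual server (0.0.0.0:0) carries this iRule.

when CLIENT_ACCEPTED {
    # Only the required ports (PORT1..PORT3 in the question) are allowed.
    switch [TCP::local_port] {
        "80" -
        "8080" -
        "443" {
            # -value returns the record for the matching key, or "" if the
            # client address is not listed in the data group.
            set rec [class match -value [IP::client_addr] equals snat_map]
            if { $rec eq "" } {
                reject
                return
            }
            # Split the record into its three fields (getfield is 1-indexed).
            set snat_ip [getfield $rec "," 1]
            set dest1   [getfield $rec "," 2]
            set dest2   [getfield $rec "," 3]
            # Enforce the one-to-one mapping: this source may only reach
            # its own two destinations; anything else is dropped.
            if { [IP::addr [IP::local_addr] equals $dest1] ||
                 [IP::addr [IP::local_addr] equals $dest2] } {
                snat $snat_ip
            } else {
                reject
            }
        }
        default {
            # Any other destination port is not part of the requirement.
            reject
        }
    }
}
```

Adding a new SourceIPn ==> NATn line then becomes one data-group record instead of six virtual servers, and a quick check with the BIG-IP log or a tcpdump on the SNAT address confirms the translation for each entry.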