WUM_113639
Dec 08, 2014

SNAT PBR Irule

Hi, I am trying to replicate a Cisco PBR configuration in F5 LTM using an iRule. I have a condition: if Local_Client = 192.168.11.10 is trying to access Remote_Server = 192.168.12.10, I want to translate the source to SNAT_IP = 192.168.12.10.
I have to put the iRule on a forwarding virtual server that forwards traffic for all the inside clients to the outside, and vice versa. I just want to put the conditional SNAT for the Local_Client.
    when CLIENT_ACCEPTED {
        # Match the local client, then the server it is trying to reach.
        # On a wildcard forwarding virtual, IP::local_addr is the destination the
        # client connected to; IP::remote_addr on the clientside returns the client
        # address itself, so it cannot be used to test the destination.
        if { [IP::addr [IP::client_addr] equals 192.168.11.10/32] } {
            if { [IP::addr [IP::local_addr] equals 192.168.13.10/32] } {
                snat 192.168.12.10
            }
        }
    }
I have tried it, but it does not seem to work. I need your experts' suggestions.
3 Replies

  • I don't think CLIENT_ACCEPTED will work in this case, since you are using a Forwarding (IP) VIP and the first packet will be sent to the destination before the three-way handshake is complete. What version are you running? If you are running 11.5+, you can create your Forwarding (IP) VIP with source and destination and just apply your SNAT to that VIP.
    https://devcentral.f5.com/wiki/iRules.CLIENT_ACCEPTED.ashx
  • What does the "ip any" profile do? I want to permit both TCP and UDP from source to destination, but when I select all protocols, this profile (ipother) gets applied, which according to the help is for any traffic other than TCP & UDP?
  • It seems that in the case of FastL4, CLIENT_ACCEPTED is triggered before the 3-way handshake finishes.

    e.g.

    snat 123.123.123.123 is a dummy (invalid) address, so the 3-way handshake will never be established.

    configuration
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual norf
    ltm virtual norf {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            fastL4 { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 7
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
            log local0. ""
            if { [IP::addr [IP::client_addr] equals 172.28.24.1/32] } {
                snat 123.123.123.123
            }
        }
        when SERVER_CONNECTED {
            log local0. ""
        }
    }
    
    trace
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:54:12.913262 IP 172.28.24.1.56738 > 172.28.24.10.80: S 3457045251:3457045251(0) win 5840  in slot1/tmm0 lis=
    11:54:12.913445 IP 123.123.123.123.56738 > 200.200.200.101.80: S 3457045251:3457045251(0) win 5840  out slot1/tmm0 lis=/Common/norf
    
    /var/log/ltm
    
    [root@ve11a:Active:In Sync] config  cat /var/log/ltm
    Dec  9 11:54:10 ve11a notice tmm1[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:35239
    Dec  9 11:54:10 ve11a notice tmm[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:35239
    Dec  9 11:54:12 ve11a info tmm[14890]: Rule /Common/qux :
    Dec  9 11:54:18 ve11a notice tmm1[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:35239
    Dec  9 11:54:18 ve11a notice tmm[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:35239
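Putting the original question and the third reply together, here is an added example (editor's code, not from the thread) of a PBR-style conditional SNAT iRule for a forwarding (IP) virtual server that handles several client/destination pairs instead of one. The address table and SNAT addresses are constructed values, and it assumes IP::local_addr returns the real destination on a wildcard virtual, as it does on the clientside.

```tcl
# Added example, not from the original thread.
# PBR-style conditional SNAT for a forwarding (IP) virtual server.
when RULE_INIT {
    # Hypothetical PBR table; each entry is "client-match destination-match snat-address".
    # Matches use IP::addr, so subnets work as well as /32 hosts. Constructed values.
    set static::pbr_snat [list \
        "192.168.11.10/32 192.168.12.10/32 192.168.12.10" \
        "192.168.11.0/24 192.168.13.0/24 192.168.13.254" \
    ]
}

when CLIENT_ACCEPTED {
    # With FastL4 this event fires on the first packet (the SYN), as the trace in
    # the thread shows, so the SNAT decision is made before the handshake completes.
    # IP::client_addr is the inside client; IP::local_addr is the destination the
    # client is actually trying to reach (IP::remote_addr here would be the client).
    set client [IP::client_addr]
    set server [IP::local_addr]

    # Default: no translation unless an entry matches.
    set translated ""
    foreach entry $static::pbr_snat {
        set src_net [lindex $entry 0]
        set dst_net [lindex $entry 1]
        set snat_ip [lindex $entry 2]
        if { [IP::addr $client equals $src_net] && [IP::addr $server equals $dst_net] } {
            set translated $snat_ip
            break
        }
    }

    if { $translated ne "" } {
        snat $translated
        log local0. "PBR SNAT: $client -> $server, source translated to $translated"
    } else {
        # Everything else is forwarded with its original source address.
        snat none
    }
}
```

The log line makes each decision visible in /var/log/ltm, which can be compared against a tcpdump of the serverside SYN the way the third reply did.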