Forum Discussion

Marcus_10406
Aug 09, 2016

conversion of CSS SNAT to F5 LTM

Hi Guys,

I have a question about how to convert the ACL-based SNAT from CSS to LTM.

For example, I have the following ACL-based SNAT configured on the CSS:

    group app_vip
      vip address 168.108.161.147
      active
    acl 99
      clause 10 permit any 168.108.164.0 255.255.255.0 destination 168.108.161.0 255.255.255.0 sourcegroup app_vip

This tells the CSS to SNAT any traffic from source subnet 168.108.164.0/24 to destination subnet 168.108.161.0/24 so that its source becomes IP address 168.108.161.147, and this IP address is on the VIP VLAN.

Is there any way I can do the same thing on LTM if the pool members are not using the LTM as their default gateway? I can do an iRule with a when_connect function to do the SNAT, however how can I fix the asymmetric routing issue? The return traffic from the pool members is always passed to .1 and the TCP connection breaks.

Sincerely, thanks

2 Replies

  • You should be able to achieve it with an iRule, as long as the pool members know how to get to the SNAT IP.

    An untested example:

    when CLIENT_ACCEPTED {
        # The CSS clause's "destination" is the address the client connected to
        # (the VIP), which on the client side of the connection is [IP::local_addr].
        # The pool member ([IP::server_addr]) is not chosen until LB_SELECTED,
        # so it cannot be tested in this event.
        if { [IP::addr [IP::client_addr] equals 168.108.164.0/24] && [IP::addr [IP::local_addr] equals 168.108.161.0/24] } {
            snat 168.108.161.147
        }
    }
    
  • So are you saying the SNAT address is 168.108.161.147, the default gateway for the server is 168.108.161.1, and the server is a system in 168.108.161.x, all configured with a /24 mask?

    Then it should work fine: because it is in the same subnet, the server will respond directly to .147.

    If it doesn't "seem" to work, you should look into the traffic with tcpdump to determine how it flows and what exactly fails.
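The conversion asked about in the question, and the return-path reasoning in the second reply, as an added worked example (this is not code from the original thread, from F5, or from any of the posters). It parses the CSS source group and ACL clause posted above, emits the LTM equivalent without an iRule (a SNAT pool applied by a virtual server whose `source` attribute restricts it to the ACL's source subnet), and classifies how a pool member will route its replies. The tmsh object names (`app_vip_snat`, `app_vs`, `app_pool`), the service port, and the server and self-IP addresses used in the checks are assumptions; the CSS statements and subnets are the ones from the thread.

```python
"""Convert a CSS ACL-based source group (SNAT) into F5 LTM objects and
classify the return path a pool member will take.  Added example, not code
from the original thread; object names, port and server addresses are assumed."""
import ipaddress
import re

# Constructed input: the CSS statements posted in the question, one per line.
CSS_CONFIG = """\
group app_vip
  vip address 168.108.161.147
  active
acl 99
  clause 10 permit any 168.108.164.0 255.255.255.0 destination 168.108.161.0 255.255.255.0 sourcegroup app_vip
"""

# 'group <name>' followed by its 'vip address <addr>' statement.
GROUP_VIP_RE = re.compile(r"group\s+(\S+)\s*\n\s*vip address\s+([\d.]+)")
# 'clause N permit <proto> <src> <mask> destination <dst> <mask> sourcegroup <name>'.
CLAUSE_RE = re.compile(
    r"clause\s+\d+\s+permit\s+(?P<proto>\S+)\s+(?P<src>[\d.]+)\s+(?P<src_mask>[\d.]+)"
    r"\s+destination\s+(?P<dst>[\d.]+)\s+(?P<dst_mask>[\d.]+)\s+sourcegroup\s+(?P<group>\S+)"
)


def parse_css(config):
    """Return the ACL clause's source/destination networks and the SNAT address
    of the source group it references (the group's 'vip address')."""
    groups = {name: ipaddress.ip_address(addr) for name, addr in GROUP_VIP_RE.findall(config)}
    m = CLAUSE_RE.search(config)
    if m is None:
        raise ValueError("no 'clause ... sourcegroup' statement found")
    if m["group"] not in groups:
        raise ValueError(f"sourcegroup {m['group']} has no vip address")
    return {
        "protocol": m["proto"],
        "source": ipaddress.ip_network(f"{m['src']}/{m['src_mask']}", strict=False),
        "destination": ipaddress.ip_network(f"{m['dst']}/{m['dst_mask']}", strict=False),
        "group": m["group"],
        "snat": groups[m["group"]],
    }


def to_tmsh(rule, vs_name="app_vs", port=80, pool="app_pool", ip_protocol="tcp"):
    """Emit the LTM equivalent without an iRule: a SNAT pool holding the CSS
    group's address, applied by a network virtual server whose 'source'
    attribute restricts it to the ACL's source subnet.  The CSS 'destination'
    is the VIP side of the connection, so it becomes the virtual's destination.
    Names, port and protocol are assumptions, not taken from the thread."""
    snatpool = f"{rule['group']}_snat"
    dst = rule["destination"]
    lines = [
        f"create ltm snatpool {snatpool} members add {{ {rule['snat']} }}",
        f"create ltm virtual {vs_name} destination {dst.network_address}:{port} "
        f"mask {dst.netmask} source {rule['source']} ip-protocol {ip_protocol} "
        f"pool {pool} source-address-translation {{ type snat pool {snatpool} }}",
    ]
    return "\n".join(lines)


def return_path(snat, server, server_mask, server_gateway, ltm_self_ips):
    """Classify how a pool member routes replies to a connection whose source
    was translated to `snat`.  Replies must reach the LTM that owns the SNAT
    address, otherwise the TCP connection breaks (the symptom in the question).
    Returns 'direct', 'via-ltm' or 'asymmetric'."""
    snat = ipaddress.ip_address(snat)
    server_net = ipaddress.ip_network(f"{server}/{server_mask}", strict=False)
    if snat in server_net:
        # Same subnet: the server ARPs for the SNAT address and the LTM answers,
        # so the server's default gateway (.1) is never consulted.
        return "direct"
    if ipaddress.ip_address(server_gateway) in {ipaddress.ip_address(ip) for ip in ltm_self_ips}:
        # Different subnet, but the LTM is the gateway: replies still traverse it.
        return "via-ltm"
    # Different subnet and a gateway that is not the LTM: replies bypass the LTM.
    return "asymmetric"


if __name__ == "__main__":
    rule = parse_css(CSS_CONFIG)
    print(to_tmsh(rule))
    # Assumed topology: servers in 168.108.161.0/24, gateway .1, LTM self IP .2.
    print(return_path(rule["snat"], "168.108.161.50", "255.255.255.0",
                      "168.108.161.1", ["168.108.161.2"]))
    # Same servers, but a SNAT address on another subnet would bypass the LTM.
    print(return_path("10.10.10.147", "168.108.161.50", "255.255.255.0",
                      "168.108.161.1", ["168.108.161.2"]))
```

With the thread's addresses the SNAT address and the servers share 168.108.161.0/24, so `return_path` reports `direct`: the servers reply to .147 by ARP and the default gateway never sees the flow, which is the second reply's point. It reports `asymmetric` only when the SNAT address is off-subnet and the servers' gateway is not an LTM self IP; that is the case where an iRule-based SNAT cannot fix the broken connections on its own.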