Forum Discussion
Is it possible to configure port forwarding only for port 80? And leave all other ports 'untranslated'?
It sure is possible (even without any iRules).
-
You will need one Virtual Server which listens on * (any) port, and a pool where all members are also listening on * (any) port. In that case, the original destination port number is retained on the server-side. For security purposes, it is recommended that you apply some kind of whitelisting and accept only certain ports that are relevant for the use of the application. Whether you do the whitelisting inside BigIP, or in another device, does not matter much.
-
For your port translation from 80 to 8000, you have two options. Either use an iRule on the same wildcard VS for conditional port-address translation; or go for a second option which I consider to be much better - a second VS which listens on the same IP, but on port 80 (pool members on port 8000).
BigIP will give the request to the VS which is a closer match. This will ensure the incoming TCP/80 requests are not processed by the wildcard VS; instead, they are processed by the closer-match VS which listens on port TCP/80.
If the number of relevant port numbers you want to accept is less than 10, I would advise you to just create all the relevant Virtual Servers, one VS per client-side port you want to accept. It's a one-time effort that will pay off. That way you will not have to worry about managing an L4 whitelist.
Regards,
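The design described in the answer above can be checked on paper before it is built. The following is an added example, not part of the original post and not F5 code: a simplified model of the two-listener layout that reports which Virtual Server accepts a given client-side port and which server-side port results. The listener names, the address, the allowlist and the `ANY = 0` convention are constructed for illustration, and the selection logic covers only the exact-port-versus-wildcard case discussed here.

```python
from dataclasses import dataclass
from typing import Optional

ANY = 0  # constructed convention for this model: port 0 stands for "* (any)"

@dataclass(frozen=True)
class VirtualServer:
    name: str
    ip: str
    port: int         # client-side listening port, ANY for the wildcard VS
    member_port: int  # pool member port, ANY keeps the original destination port
    allowed_ports: Optional[frozenset] = None  # L4 allowlist, None = no filter

def select_vs(listeners, dst_ip, dst_port):
    """Pick the closer match: an exact-port listener beats the wildcard one."""
    on_ip = [vs for vs in listeners if vs.ip == dst_ip]
    exact = [vs for vs in on_ip if vs.port == dst_port]
    if exact:
        return exact[0]
    wild = [vs for vs in on_ip if vs.port == ANY]
    return wild[0] if wild else None

def server_side_port(listeners, dst_ip, dst_port):
    """Return (vs_name, server_side_port), or (None, None) if not accepted."""
    vs = select_vs(listeners, dst_ip, dst_port)
    if vs is None:
        return (None, None)
    # The allowlist is what keeps the wildcard VS from exposing every port.
    if vs.allowed_ports is not None and dst_port not in vs.allowed_ports:
        return (None, None)
    port = dst_port if vs.member_port == ANY else vs.member_port
    return (vs.name, port)

# Constructed sample plan: wildcard VS limited to 443 and 8443,
# plus a dedicated port-80 VS whose pool members listen on 8000.
PLAN = [
    VirtualServer("vs_any", "192.0.2.10", ANY, ANY, frozenset({443, 8443})),
    VirtualServer("vs_http", "192.0.2.10", 80, 8000),
]

if __name__ == "__main__":
    for p in (80, 443, 8443, 22):
        print(p, "->", server_side_port(PLAN, "192.0.2.10", p))
```

Setting `allowed_ports` to `None` on the wildcard entry shows the exposure the answer warns about: every client-side port is then passed through to the pool unchanged.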