hooleylist
Jun 11, 2008 (Cirrostratus)
You can disable SNAT for specific source addresses and/or specific destination addresses, using 'snat none' in an iRule. For individual addresses or networks, you can use the IP::addr command to perform the evaluation. If there are multiple hosts/networks you want to not SNAT for, you can add them to a datagroup of type 'address' and then use the matchclass command.
Here are a couple of examples:
when CLIENT_CONNECTED {
    # Check if the source IP address is part of the 10.0.0.0/255.0.0.0 network
    if {[IP::addr [IP::client_addr]/8 equals 10.0.0.0]}{
        # Disable SNAT for this connection
        snat none
    }
}

when CLIENT_CONNECTED {
    # Check if the source IP address is part of the 10.1.0.0/255.255.0.0 network
    # and the destination address is part of the 10.2.0.0/255.255.0.0 network
    if {[IP::addr [IP::client_addr]/16 equals 10.1.0.0] && [IP::addr [IP::local_addr]/16 equals 10.2.0.0]}{
        # Disable SNAT for this connection
        snat none
    }
}

class no_snat_source_networks {
    network 10.1.0.0 mask 255.255.0.0
    network 192.168.0.0 mask 255.255.0.0
    host 10.2.1.1
}

when CLIENT_CONNECTED {
    # Check if the source IP address is part of the no_snat_source_networks datagroup
    if {[matchclass [IP::client_addr] equals $::no_snat_source_networks]}{
        # Disable SNAT for this connection
        snat none
    }
}
Aaron
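
An offline check of which connections the rules above would exempt from SNAT, useful before loading them on a BIG-IP. This is an added example, not part of the original post and not F5 code: the function names and the sample address pairs are constructed. It assumes `IP::addr a/len equals b` masks the left-hand address and compares it with `b` as written, and it uses the netmasks stated in the post's comments.

```python
import ipaddress

# Constructed copy of the post's no_snat_source_networks datagroup.
NO_SNAT_SOURCE_NETWORKS = [
    ipaddress.ip_network("10.1.0.0/255.255.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
    ipaddress.ip_network("10.2.1.1/32"),  # 'host' entry
]

def rhs_is_network(prefix_len, value):
    """Lint: True if `value` has no host bits set under /prefix_len."""
    net = ipaddress.ip_network(f"{value}/{prefix_len}", strict=False)
    return net.network_address == ipaddress.ip_address(value)

def ip_addr_equals(addr, prefix_len, value):
    """Assumed model of [IP::addr <addr>/<prefix_len> equals <value>]:
    mask the left-hand address, then compare it with the value as written."""
    masked = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False).network_address
    return masked == ipaddress.ip_address(value)

def matchclass(addr, datagroup=NO_SNAT_SOURCE_NETWORKS):
    """Model of [matchclass <addr> equals <address datagroup>]."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in datagroup)

def snat_exempt(client, local):
    """Names of the post's three example rules that would run 'snat none'."""
    hits = []
    if ip_addr_equals(client, 8, "10.0.0.0"):
        hits.append("source-10/8")
    if ip_addr_equals(client, 16, "10.1.0.0") and ip_addr_equals(local, 16, "10.2.0.0"):
        hits.append("source-10.1/16+dest-10.2/16")
    if matchclass(client):
        hits.append("datagroup")
    return hits

# Constructed (client, local) address pairs, not taken from a real capture.
SAMPLE_CONNECTIONS = [
    ("10.1.4.20", "10.2.9.9"),
    ("192.168.7.7", "203.0.113.10"),
    ("10.2.1.2", "203.0.113.10"),
    ("198.51.100.5", "10.2.9.9"),
]

if __name__ == "__main__":
    for client, local in SAMPLE_CONNECTIONS:
        print(client, "->", local, snat_exempt(client, local) or "SNAT applied")
    print("10.2.0.0 is a /8 network address:", rhs_is_network(8, "10.2.0.0"))
```

A right-hand value that fails `rhs_is_network` for its prefix length means the comparison does not test the network the comment describes, so the rule should be reviewed before it is deployed.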