Forum Discussion

Adam_3360
Dec 10, 2010

SNAT iRule based on outbound destination address

Hi All

Don't know if this is the correct way to do it, but I am trying to configure Outbound SNAT based on the destination address.

The scenario is that I have an internal server with an IP address of (for example) 192.168.1.100. This server needs to initiate outbound communication to certain internet based systems but use a different SNAT address for each.

So if I wanted to communicate out to 172.16.10.10 on the Internet (for example), I want the outbound SNAT set as 10.10.10.10 (again for example). If I wanted to communicate out to 172.16.20.20, the SNAT must be different at 10.10.20.20.

I have been reading about intelligent SNAT and iRule rules but was wondering whether this is the correct way, and if so whether anyone could suggest some example iRules?

Thanks

4 Replies

  • Do you want the SNAT to be based both on the source and destination address? If you create an iRule that SNATs traffic destined to 172.16.10.10, it'll SNAT it all, unless you say it should meet both the source (192.168.1.100) and destination (172.16.10.10).
  • Hi Chris

    Thanks for the reply. My ultimate aim is to have a group of (say) 5 servers with the inbound traffic covered by the configuration of the Virtual servers. This group of servers will need to initiate traffic outbound but use different NATs for each destination

    So for argument's sake: if I wanted to send traffic outbound from this group of servers to Google IP addresses, use NAT address 1. If I wanted the same group of servers to send outbound traffic to F5 IP addresses, use NAT address 2.

    Hope that makes sense?
  • Yep, that makes sense. You'll simply need to do a rule that switches based on destination address. I need to look into what form of IP::addr to use here though.

    when CLIENT_ACCEPTED {
        # On an outbound wildcard virtual server, IP::local_addr in CLIENT_ACCEPTED
        # is the destination the internal server is connecting to.
        switch -glob [IP::local_addr] {
            "1.1.1.1" { snat x.x.x.x }
            "2.2.2.2" { snat y.y.y.y }
            default   { snat none }
        }
    }

    Something like that would work as long as I have the right form of IP::addr.
  • Hi Chris

    Thanks for the reply again. Sounds like it is something like that which I need to get configured but (as a newbie to this) please can you go through the config for me?

    So to start:

    * I have a node object configured for my servers

    * I have a pool configured which have my servers as members

    * I have multiple virtual servers configured with my inbound internet facing IP addresses and required ports configured per virtual server

    Inbound access works OK, the Virtual Servers translate inbound connections as required so no problem there. As far as outbound is concerned, I have previously used SNAT Lists, as the servers' default gateway is the F5s, which means I don't have to use Auto Map on the Virtual Servers (which is set to None so that the logfiles on the servers keep the source IP addresses intact for inbound traffic rather than logging the F5 IP address all the time).

    I am unclear how to configure the Outbound iRule, whether separate Virtual Servers are required for the Outbound traffic, and also I have read about Data Groups which I am again unsure of.

    If you could help with this it would certainly be appreciated

    Thanks
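As an added example (not posted by either participant in this thread), below is one way to put together what the discussion describes: a destination-based SNAT iRule that uses address-type data groups instead of hard-coded IPs, so the Google and F5 prefixes can be maintained without touching the rule. It assumes a separate wildcard (0.0.0.0:0) virtual server on the internal VLAN that the servers reach through their default gateway, with its own source address translation set to None so the iRule makes the decision; the inbound virtual servers stay as they are. The data group names dg_internal_servers, dg_snat_google and dg_snat_f5 are assumptions, and the SNAT addresses 10.10.10.10 and 10.10.20.20 are the example values from the original post.

```tcl
# Added example, not from this thread. Assumptions:
#  - attached to a wildcard 0.0.0.0:0 virtual server on the internal VLAN
#    (the virtual server's own SNAT setting is None)
#  - dg_internal_servers: address data group listing the 5 servers
#  - dg_snat_google, dg_snat_f5: address data groups holding destination prefixes
#  - 10.10.10.10 and 10.10.20.20 are SNAT translation addresses the BIG-IP owns
when CLIENT_ACCEPTED {
    # On a wildcard virtual server, IP::client_addr is the internal server and
    # IP::local_addr is the real destination it is trying to reach.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Only translate traffic that originates from the server group. Anything
    # else passing through the wildcard VS is left untouched (snat none), so
    # the existing inbound virtual servers keep logging real client addresses.
    if { ![class match $src equals dg_internal_servers] } {
        snat none
        return
    }

    # Pick the SNAT address from the destination. "equals" against an address
    # data group matches the destination against the listed subnets.
    if { [class match $dst equals dg_snat_google] } {
        snat 10.10.10.10
    } elseif { [class match $dst equals dg_snat_f5] } {
        snat 10.10.20.20
    } else {
        # No listed destination matched: leave the source as-is. Change to
        # "snat automap" if untranslated outbound traffic is not acceptable.
        snat none
    }
}
```

The three data groups are created as Address-type data groups (Local Traffic > iRules > Data Group List) with the server addresses and the destination prefixes (e.g. a.b.c.0/24) as records. Two things worth checking after applying it: that the SNAT addresses are ones the BIG-IP answers for on the external side (otherwise return traffic will not come back), and that a `snat none` path exists for non-matching traffic so a data group typo does not silently change the source address of everything leaving the wildcard virtual server.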