Forum Discussion

Kevin_Pruett_73
May 24, 2012

Outbound SNAT iRule defined by destination

Looking for assistance with a 9.4.6 iRule. I have written some very simple iRules, but I am not sure where to go with this one. Below are two iterations of iRules I attempted. The designed purpose is to NAT to the 172.16 address from all hosts on a specific VLAN to the internet, but not NAT to the 192.168 addresses. I created a forwarding virtual server (IP) for 0.0.0.0 and applied the iRule to it. When trying to access the internet this iteration did not translate the address.

IP addresses have been changed to protect the innocent :)

when CLIENT_ACCEPTED {
    log local0. "in CLIENT_ACCEPTED"
    # Selection keyed on the client's (source) address
    if { [IP::addr [IP::remote_addr] equals 192.168.0.0/24] } {
        snat none
    } elseif { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
        snat none
    } elseif { [IP::addr [IP::remote_addr] equals 192.168.2.0/24] } {
        snat none
    } elseif { [IP::addr [IP::remote_addr] equals 192.168.3.0/24] } {
        snat none
    } elseif { [IP::addr [IP::remote_addr] equals 192.168.4.0/24] } {
        snat none
    } else {
        snat 172.16.3.5
    }
}

I later made this attempt:

when CLIENT_ACCEPTED {
    log local0. "in CLIENT_ACCEPTED"
    # Same source-keyed selection, using matchclass instead of IP::addr
    if { [matchclass [IP::remote_addr] equals 192.168.0.0/24] } {
        snat none
    } elseif { [matchclass [IP::remote_addr] equals 192.168.1.0/24] } {
        snat none
    } elseif { [matchclass [IP::remote_addr] equals 192.168.2.0/24] } {
        snat none
    } elseif { [matchclass [IP::remote_addr] equals 192.168.3.0/24] } {
        snat none
    } elseif { [matchclass [IP::remote_addr] equals 192.168.4.0/24] } {
        snat none
    } else {
        snat 172.16.3.5
    }
}

After this attempt, I no longer saw drops on the external firewall from the native non-routable address, but I also did not see traffic being NATed. When I looked at the iRule statistics, all attempts showed as failed.

Any help I can get on this from those more knowledgeable than me is greatly appreciated.

3 Replies

  • nathe

    Kevin

    This is how I'd do it (untested though).

    Firstly, create a data group for all non-SNAT IPs, e.g. no_SNAT, containing all the address ranges.

    Then use this iRule:

    when CLIENT_ACCEPTED {
        # Check if the remote address is part of the no_SNAT data group
        if { [matchclass [IP::remote_addr] equals $::no_SNAT] } {
            snat none
        } else {
            # snat behind this address
            snat 172.16.3.5
        }
    }

    Hope this helps

    N
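The thread's title asks for SNAT chosen by destination, yet both of Kevin's iRules and the reply's test IP::remote_addr, the client's own address. The Python model below is an added example, not BIG-IP code and not from either poster; it simulates the decision both ways over constructed flows and assumes the VLAN hosts themselves sit inside the listed 192.168.x.0/24 ranges (the post implies this but does not state it).

```python
"""Model of the SNAT decision discussed in this thread (added example).

Simulates what the forwarding virtual server sees per flow: the client's
source address (IP::remote_addr) and the destination it connects to
(IP::local_addr), and what an iRule keyed on each would return.
Assumption: the VLAN hosts are inside the 192.168.x.0/24 ranges listed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's no_SNAT data group and SNAT address.
NO_SNAT = [ip_network(f"192.168.{i}.0/24") for i in range(5)]
SNAT_ADDR = "172.16.3.5"


def in_class(addr: str, networks) -> bool:
    """matchclass-style lookup: is addr inside any network of the group?"""
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def snat_by_source(src: str, dst: str) -> Optional[str]:
    """The thread's rules: keyed on IP::remote_addr, the client's address.
    Every VLAN host is in the group, so this never translates anything."""
    return None if in_class(src, NO_SNAT) else SNAT_ADDR


def snat_by_destination(src: str, dst: str) -> Optional[str]:
    """Keyed on IP::local_addr, where the client is going: internal 192.168
    destinations stay untranslated, internet destinations are SNATed."""
    return None if in_class(dst, NO_SNAT) else SNAT_ADDR


# Constructed sample flows from one VLAN host.
FLOWS = [
    ("192.168.2.10", "192.168.4.20"),  # internal -> internal: expect no SNAT
    ("192.168.2.10", "203.0.113.7"),   # internal -> internet: expect SNAT
]


def compare(flows=FLOWS) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Return (src, dst, source-keyed result, destination-keyed result)."""
    return [(s, d, snat_by_source(s, d), snat_by_destination(s, d)) for s, d in flows]


if __name__ == "__main__":
    for src, dst, by_src, by_dst in compare():
        print(f"{src} -> {dst}: source-keyed={by_src or 'none'} "
              f"destination-keyed={by_dst or 'none'}")
```

Running it shows the source-keyed rule returning no SNAT for both flows, which matches the untranslated traffic the post describes, while the destination-keyed rule translates only the internet-bound flow.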