Forum Discussion

chris_16019
Dec 01, 2008

iRule & SNAT

Hi - I was hoping someone may be able to offer some assistance or point me at a URL that will help with some configuration work that is required.

Background - I have a backend server that has multiple IP addresses for SSL certificate purposes. I have added a new virtual server address that points to the backend server, however I am unable to add a SNAT for outgoing traffic to be hidden behind this virtual server address as the real address of the server already exists in the address pool of a different virtual server SNAT.

A pool is no good as I need a different SNAT for different website communications from the same server. So I'm thinking I need to use an iRule to change the SNAT based on a unique characteristic within the packet, something like the URL. However, after a few hours of searching, the only previous examples I can find all relate to IP addresses. Is it a case of amending something like the below to have the URL instead of the IP address within the text, and if so, is anyone able to offer some syntax assistance?

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals "A.A.A.A"] } {
        use snat Z.Z.Z.Z
    } elsif { [IP::addr [IP::local_addr] equals "B.B.B.B"] } {
        use snat Y.Y.Y.Y
    } else {
        use snat X.X.X.X
    }
}


Many thanks.

Chris

3 Replies

  • I am far from being an expert on such things... that being said, you might try just turning on some logging and then throwing some traffic at it. That way you can see if it is even being executed.

    when CLIENT_ACCEPTED {
        log local0. "[IP::local_addr]:[TCP::local_port]: Client Accepted"
        if { [IP::addr [IP::local_addr] equals "A.A.A.A"] } {
            log local0. "[IP::local_addr]:[TCP::local_port]: Using the A.A.A.A SNAT"
            use snat Z.Z.Z.Z
        } elsif { [IP::addr [IP::local_addr] equals "B.B.B.B"] } {
            log local0. "[IP::local_addr]:[TCP::local_port]: Using the B.B.B.B SNAT"
            use snat Y.Y.Y.Y
        } else {
            log local0. "[IP::local_addr]:[TCP::local_port]: Using the Default X.X.X.X SNAT"
            use snat X.X.X.X
        }
    }


    Also, I do not believe it is possible to use the F5 to modify/change or even read traffic going over SSL when the F5 is not holding the SSL keys. So if you're offloading all the SSL stuff to a different device, I believe you are limited in what you can do with that traffic.
  • The SSL is offloaded to the F5, and it's client SSL, so it is unencrypted on the server side.

    When I try:

    when CLIENT_ACCEPTED {

    I am then unable to use:

    if { [HTTP::host] equals "www.test.com" } {
        use snat 10.92.116.77
    }

    Any ideas on how this should be phrased so that I can direct requests containing specific URLs to a specific SNAT?

    Thanks

    Chris
  • [HTTP::host] is only valid within an HTTP_REQUEST event. If your virtual server does not have an HTTP profile attached, you will not be able to use any HTTP iRule events. So you first need to replace CLIENT_ACCEPTED with HTTP_REQUEST and then make sure your VIP has an HTTP profile. Not sure if 'use snat' is correct either; I think it's just 'snat x.x.x.x'.

    EDIT: if you're offloading SSL, most likely you do have an HTTP profile on the VIP already...

    Denny
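
Denny's advice written out as a complete iRule. This is an added example, not code from the thread or from F5: it uses HTTP_REQUEST (so the virtual server must carry an HTTP profile), the `snat` command rather than `use snat`, and the logging approach from the first reply. `www.test.com` and 10.92.116.77 are taken from Chris's post; `www.test.net` and the other two SNAT addresses are assumed placeholders.

```tcl
# Added example (not from the thread or from F5): select the SNAT address per
# HTTP Host header. Requires an HTTP profile on the virtual server, because
# HTTP::host is only available inside HTTP_REQUEST, not CLIENT_ACCEPTED.
# www.test.com / 10.92.116.77 come from the thread; www.test.net and the
# .78 / .79 addresses are assumed placeholders.
when HTTP_REQUEST {
    # The Host header is client-supplied and case-insensitive, and it may
    # carry a :port suffix, so normalise it before an exact comparison.
    # Exact matching (not "contains") stops a Host such as
    # www.test.com.attacker.example from selecting the www.test.com SNAT.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -exact -- $host {
        "www.test.com" {
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr] host=$host using SNAT 10.92.116.77"
            snat 10.92.116.77
        }
        "www.test.net" {
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr] host=$host using SNAT 10.92.116.78"
            snat 10.92.116.78
        }
        default {
            # Unknown, empty or unexpected Host: always pick an explicit
            # default SNAT instead of leaving the selection undefined.
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr] host=$host using default SNAT 10.92.116.79"
            snat 10.92.116.79
        }
    }
}
```

Two caveats when testing this: the `log local0.` lines are there to confirm which branch fires (check /var/log/ltm) and should be removed once it works, and the SNAT, like a pool choice, is a property of the server-side connection. A keep-alive client that sends requests for different hostnames over one connection keeps the SNAT chosen for its first request unless a OneConnect profile is attached so the server-side connection is re-selected per request.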