SNAT by Destination IP

Question

I want to mask a network behind an SNAT IP address based on the following criteria: either the leaving interface (WAN) or the desitination IP. Is there a way to solve that by configuration utility? Or do I need to write an intelligant SNAT iRule? Any suggestions? Currently I have 3 Interfaces. The customer interface (network) should be able to send traffic to the internet, by passing the f5 external Interface with an SNAT. But the customer network is also able to communicate to other RFC1918 networks via f5 internal interface. Unfortunatelly when I configure an SNAT, the customers network IP is always translated, even if the traffic is send through internal interface. This leads into routing errors. Can somebody help?

what_lies_bene1 · Answer

You'll need an iRule I'd say and a Virtual Server to run it through. The VS will only need to be enabled on the customer network. Apply the SNAT to the VS and also an iRule that simply checks the destination IP (you can check for an egress interface) and if it matches one of the internal networks (perhaps listed in a data group) simply disable the SNAT. If you need help with any of that, let me know.

kim_kipp_49723 · Answer

I already have a wildcard virtual server connected to all interfaces. So I can append the iRule to that virtual server. Well I'm not that familar with iRule, just at the beginning. So it would be very helpful if you can post some syntax.&nbsp;
Network 192.168.10.16/28 should be natted to x.x.x.x if it is going out on interface "TestWAN". If it is going out on interface TestLAN it should not be natted. The network 192.168.10/16 is not a direct attached network to F5!&nbsp;

what_lies_bene1 · Answer

Just putting something together now. As I said it can't be done based on egress interface, only destination IP/subnet. Is there more than one?

what_lies_bene1 · Answer

So, assuming you don't apply the SNAT to the Virtual Server and want to do it all with an iRule, something like this will work if the TESTLAN destination is a single subnet;
when CLIENT_CONNECTED {
 Check if the client source IP is from the internal network
 if { [IP::addr [IP::client_addr] equals 192.168.10/16] } {
  If so, check if the destination IP is in the TESTLAN
  if { [IP::addr [IP::local_addr] equals x.x.x.x/xx] } {
   If so, don't SNAT
   snat none }
   If not, SNAT
  else {
   snat 'name or snat here or specific address'
   }
 }
}

kim_kipp_49723 · Answer

Tried this already, but it doesn't work. when logging the value [IP::remote_addr] it's showing the client IP, same as [IP::client_addr]. This is very strange to me. Cross-checked it twice... Log example: "client 192.168.10.30 remote 192.168.10.30 SNAT yes" Might this happen because of the wildcard virtual server?

Forum Discussion

SNAT by Destination IP

10 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Destination Snat Using DNS

Destination address at F5

SNAT IP address logging

Different policies same destination and pool

SNAT based on source and destination