SNAT I rule

Question

I have a irule that will read the assigned VIP and assign the same 4th octect to the SNAT address.
when CLIENT_ACCEPTED {
    scan [IP::local_addr] "%d.%d.%*d.%d" lastoctet
    snat 10.1.91.$lastoctet}&nbsp;
This rule works fine, if a VIP is lets say 10.1.90.100 the irule will set the SNAT address for the internal network as 10.1.91.100.  There is a SNAT pool of addresses for this function.  My question is how can I make this work for another network if required.  Lets say for networks 92 &amp; 93. Do I need to have an absolute in the scan for the subnet I am seeking?  I do I simply use the same irule and change the SNAT for the 93 network.  Still learning this iRule stuff here.&nbsp;
when CLIENT_ACCEPTED {
    scan [IP::local_addr] "%d.%d.92.%d" lastoctet
    snat 10.1.93.$lastoctet}&nbsp;

mohamed_lrhazi · Answer

Did you post the exact full iRule you are currently using? My guess is you need not change the scan matching pattern.... you use scan to extract the octets, regadless of what they are... then do whatever you want with the extracted substrings (octects).

rknudson_131750 · Answer

Thanks I think you are correct as well, trying to get a test network setup for this now.  Thnaks for the reply&nbsp;

rknudson_131750 · Answer

OK revisit of this post from last year.  I have this iRule in production and what I am learning is that the SNAT will use every address in the SNAT pool instead of just matching the 4th octect and sticking with it.  the iRule is

when CLIENT_ACCEPTED {
    scan [IP::local_addr] "%*d.%*d.%*d.%d" lastoctet
    snat 10.1.91.$lastoctet}

and the SNAT pool has all addresses for the 10.1.91.0/24 network.  It appears that it will roll through the snatpool for each new connection.  I would like to apply an iRule to any VIP and have it match the 4th octect of the VIP for all traffic that hits that VIP.  If I am not being clear let me know but I would like to resolve this to work as desired

Forum Discussion

SNAT I rule

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

SNAT IP address logging

Logging all AFM Rules

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)

F5 rules for AWS WAF Terraform

F5 Rules for AWS WAF - Rule ID to Attack Type Reference