I have a virtual server for inbound ftp connections Virtual server: 1.1.1.1:21, using the standard FTP profile and source_addr persistence, 30 min timeout Pool Members: 10.0.0.10:21 10.0.0.11:21 I also have a wildcard IP forwarding virtual server to enable full routing on the LTM: destination: 0.0.0.0 source: 0.0.0.0 How can I SNAT outbound FTP connections from 10.0.0.10 and 10.0.0.11 (originating from the pool members on the stardard ftp control port 21, with ftp-data on port 20) to the virtual server ip: 1.1.1.1, and allow all other outbound connections to pass normally without being SNATTED? Can this be done via an "Intelligent SNAT" / iRule on the wildcard IP forwarding virtual server? Any help would be greatly appreciated

Hi John, You need to create a Sant List. 1. Go to LocalTraffic>AddressTranslation>SNAT List 2. Create New SnatList with following configuration: Translation | IP Address| 1.1.1.1 Origin | Address List 3.Add 10.0.0.10 and 10.0.0.11 to the Address List. Update. Snat List will be applied to all matching outbound connections. It doesn't need to be associated with vs.

But I only want to SNAT for outbound FTP connections only (port 21 and port 20), not SNAT for everything sourced from 10.0.0.10 and 10.0.0.11

https://devcentral.f5.com/questions/snat-irule-based-on-client-ip-address you will need something like above.

SNAT outbound connections from pool members to virtual server IP for a specific outbound port

16 Replies

alex100
Cirrostratus
Oct 16, 2015
Hi John, You need to create a Sant List. 1. Go to LocalTraffic>AddressTranslation>SNAT List 2. Create New SnatList with following configuration: Translation | IP Address| 1.1.1.1 Origin | Address List

3.Add 10.0.0.10 and 10.0.0.11 to the Address List. Update.

Snat List will be applied to all matching outbound connections. It doesn't need to be associated with vs.
JohnQuintas_910
Nimbostratus
Oct 16, 2015
But I only want to SNAT for outbound FTP connections only (port 21 and port 20), not SNAT for everything sourced from 10.0.0.10 and 10.0.0.11
anujl_5566
Nimbostratus
Oct 16, 2015
https://devcentral.f5.com/questions/snat-irule-based-on-client-ip-address

you will need something like above.

Andy_McGrath

Cumulonimbus

Oct 16, 2015

Think you will need an iRule like this to identify the client IP and tcp port for each outbound connection:

when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 21] || [TCP::local_port] == 22] }{
        if { [IP::addr [IP::client_addr] equals 10.0.0.10] {
            snat 172.18.1.1
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.11] }{
            snat 172.18.1.1
        }
    }
}

JohnQuintas_910

Nimbostratus

Oct 20, 2015

Does this syntax look correct? I have a few more pairs of IPs that need SNATs...

when CLIENT_ACCEPTED {

if { [TCP::local_port] == 21] || [TCP::local_port] == 22] }{
    if { [IP::addr [IP::client_addr] equals 10.0.0.10] }{
        snat 172.18.1.1
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.11] }{
        snat 172.18.1.1
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.12] }{
        snat 172.18.1.2
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.13] }{
        snat 172.18.1.2
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.14] }{
        snat 172.18.1.3
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.15] }{
        snat 172.18.1.3
    }
}

}

JohnQuintas_910
Nimbostratus
Oct 20, 2015
Or is there a way to do this with a specific IP forwarding VIP (without using iRules on a the wildcard IP forwarding VIP)?
Stanislas_Piro2
Cumulonimbus
Oct 20, 2015
Hi,

First, when creating a forwarding VS, create a specific VS for FTP:

VS_OUT_FTP

Type Standard
Destination 0.0.0.0/0
profile ftp
translate disable (default when creating a VS with a network destination)
Pool none

This will allow FTP dynamic port to be handled as FTP Data connection.

After that, you can create the irule with switch instead of if, elseif, elseif, ..

when CLIENT_ACCEPTED { switch [IP::client_addr] { "10.0.0.10" - "10.0.0.11" { snat 172.18.1.1 } "10.0.0.12" - "10.0.0.13" { snat 172.18.1.2 } "10.0.0.14" - "10.0.0.15" { snat 172.18.1.3 } } }
Brad_Parker_139
Nacreous
Oct 20, 2015
You could create your VIP with dest 0.0.0.0:21 and source 10.0.0.10/31 and apply your SNAT pool to it. And then the same for port 20.
- Stanislas_Piro2
  Cumulonimbus
  Oct 20, 2015
  FTP data in active mode is not Client (port dynamic) --> server (port 20) but server (port 20) --> Client (port dynamic)
- Brad_Parker_139
  Nacreous
  Oct 20, 2015
  very true, your FTP profile solutions is more appropriate so the data channel is "known" by the LTM
Brad_Parker
Cirrus
Oct 20, 2015
You could create your VIP with dest 0.0.0.0:21 and source 10.0.0.10/31 and apply your SNAT pool to it. And then the same for port 20.
- Stanislas_Piro2
  Cumulonimbus
  Oct 20, 2015
  FTP data in active mode is not Client (port dynamic) --> server (port 20) but server (port 20) --> Client (port dynamic)
- Brad_Parker
  Cirrus
  Oct 20, 2015
  very true, your FTP profile solutions is more appropriate so the data channel is "known" by the LTM
JohnQuintas_910
Nimbostratus
Oct 20, 2015
So, you can create a ip forwarding rule for AnyIP:21 destination from a SingleIP:21 source?