Forum Discussion

Elias_O_16228
Jun 18, 2017

Two SNAT iRULE with same Origin IP addresses

I have two SNATs (SNAT1 and SNAT2), all in the same VLAN, working just fine. Now I want SNAT1 also to translate port 80 traffic to the SNAT2 (this is a SNAT pool) virtual servers based on URL (e.g. abc.com) or its internally DNS-resolved IP address, or else translate everything to the SNAT2 virtual server. That is, if port 80, translate to SNAT2; if port 443, continue translating to SNAT1 as the default SNAT.

Scenario:

SNAT1 origin IP addresses: 10.10.20.23, 10.10.20.24, 10.10.20.25
SNAT1 translated to a virtual server 10.20.20.9

SNAT2 (SNAT pool) origin IP addresses: 10.10.20.33, 10.10.20.34, 10.10.20.35, 10.10.20.36, 10.10.20.37, 10.10.20.38
SNAT2 translated to a virtual server 10.30.30.9

Below is the closest I can get after combing DevCentral.

when CLIENT_ACCEPTED {
    switch [TCP::local_port] {
        "80" {
            # the_destination_ip and the_source_ip are data groups (not shown in the post)
            if { [matchclass [IP::local_addr] equals $::the_destination_ip] and [matchclass [IP::client_addr] equals $::the_source_ip] } {
                log local0. "[IP::client_addr]: using SNAT2 for [IP::local_addr]"
                snat 10.30.30.9
            } else {
                log local0. "[IP::client_addr]: using SNAT1 for [IP::local_addr]"
                snat 10.20.20.9
            }
        }
        # no default case: port 443 keeps the SNAT configured on the virtual server
    }
}

Thanks in advance

Elias_O

2 Replies

  • Unsure if I understood the complete requirement.

    "That is, if port 80, translate to SNAT2, if port 443 continue translate to SNAT1 as default SNAT"

    If you want SSL traffic to be SNAT1, put SNAT2VIP on the VS 443 and on the VS 80 put SNAT2POOL.

  • Hi Jaikumar,

    Thanks for your response.

    The SNAT1 VIP is currently 443 and the SNAT2 VIP is only port 80.

    I want some SSL traffic going through SNAT2 as well (443 and 80).

    The SNAT1 traffic is only to two destinations, which could be a URL or an IP address.

    The goal is to add https traffic to SNAT2 (https and http) via iRule.

    If https and http, SNAT to the SNAT2 virtual IP (default).

    If https://www.abc123.com and/or https://www.utts123.com, SNAT to the SNAT1 virtual server.

    I am running version 12.1.1. There used to be a SNAT rule on version 10.x where you can define the IP addresses, but it appears missing on 12.x.
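As an added example that is not part of the thread (not the poster's iRule), this is one way to express the refined requirement above in a single iRule attached to both the port 80 and port 443 virtual servers: every connection defaults to the SNAT2 address 10.30.30.9, and only requests for the two named hosts, or connections to their resolved destination IPs, use the SNAT1 address 10.20.20.9. The data-group names `snat1_hosts` and `snat1_dest_ips` are assumptions, as is the use of `HTTP::host`, which is only available on the 443 virtual server when a client SSL profile decrypts the traffic; the destination-IP match in CLIENT_ACCEPTED is the fallback for that case.

```tcl
# Added example, not the poster's iRule. Assumed data groups (create them in
# Local Traffic > iRules > Data Group List):
#   snat1_hosts    (string type):  www.abc123.com, www.utts123.com
#   snat1_dest_ips (address type): the DNS-resolved IPs of those two hosts
# SNAT addresses 10.30.30.9 (SNAT2) and 10.20.20.9 (SNAT1) come from the thread.

when CLIENT_ACCEPTED {
    # Default for every connection, HTTP or HTTPS: SNAT2.
    set snat_addr 10.30.30.9

    # Fallback used when the Host header cannot be inspected (no client SSL
    # profile on the 443 VS): choose SNAT1 by destination IP instead.
    if { [class match [IP::local_addr] equals snat1_dest_ips] } {
        set snat_addr 10.20.20.9
    }
    snat $snat_addr
    log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] SNAT $snat_addr (connection default)"
}

when HTTP_REQUEST {
    # Host header is visible here on the port 80 VS, and on the 443 VS only
    # when the traffic is decrypted. Strip any :port suffix and normalise case.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { [class match $host equals snat1_hosts] } {
        set snat_addr 10.20.20.9
    } else {
        set snat_addr 10.30.30.9
    }
    snat $snat_addr
    log local0. "[IP::client_addr] Host $host -> SNAT $snat_addr"
}
```

The SNAT address is applied when the server-side connection is established, so on a persistent client connection the first request decides the translation for that connection; the log lines make it easy to confirm which address each client ended up with.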