Forum Discussion

Kevin_Nail
Aug 23, 2007

Selective SNAT setup

Thanks for reading, any help would be appreciated. Here is my setup:

US based LTM in DMZ

pool AMK_US
  member 192.168.x.x (behind the local LTM)
  member 192.55.x.x (on a server in Singapore)

Virtual server
  192.55.x.x

We have a vlan called internal_5 set up with an IP of 192.168.x.x on the LTM.

Here is what we want to do:

1. When a request comes in from a business partner in the US, if the US pool member is up, traffic is sent to it.

2. If that pool member is down then the traffic will be routed to Singapore.

We have added a static route to the LTM to use the 192.168.x.x IP as its route to get out. The problem is that we need to have that and only that traffic SNAT'd so that it returns to the LTM. There is also another default SNAT in place for other internal nodes on the LTM.

How can we create an iRule that will SNAT traffic that comes in on the 192.55.x.x VIP and leaves for 192.55.a.x via the 192.168.x.x IP without affecting anything else?

Also, the question comes to mind: should the iRule be applied to the 192.55.x.x VIP only, and on what interface (external - to outside, or internal - to behind the LTM)?

Thanks,

Kevin

3 Replies

  • Hi,

    You can write a rule and apply it only to the 192.55.21.x VIP that looks for requests being load balanced to one remote node and applies SNAT automap. Here is an example:

    
    when LB_SELECTED {
       # LB::server addr is the pool member chosen for this connection;
       # only the remote (Singapore) node gets its source address rewritten.
       if {[IP::addr [LB::server addr] equals 192.55.17.x]}{
          # automap uses the self IP of the VLAN the traffic leaves on
          snat automap
       }
    }

    [LB::server addr] returns the IP address for the node which has been selected to receive the request.

    You can check the 'snat' command for more examples.

    Aaron
  • I think the concern was that only those requests that arrive on the internal_5 vlan would be SNATed, but I couldn't quite tell. I was trying to get LINK::vlan_id to return something, but haven't been able to on my lab pair (9.4.2 beta). I was thinking of setting a variable in the CLIENT_ACCEPTED event with the link VLAN ID so it could be ANDed with the remote server IP before SNATting, but I've never used that before and wanted to test prior to posting.
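An added example that combines the two replies' approaches (it is not code from the thread, from Aaron, or from F5): the VLAN tag captured in CLIENT_ACCEPTED is ANDed with a subnet check on the selected member in LB_SELECTED, so only connections from the expected VLAN that are load balanced to the Singapore node get SNATed, and each decision is logged so the selectivity can be verified. The subnet 192.55.17.0/24, the VLAN tag 5 and the log line are assumptions, not values from the thread.

```tcl
# Added example, not from the thread. Assumed values: the Singapore member
# lives in 192.55.17.0/24 and the expected ingress VLAN carries tag 5.
# Apply this rule only to the 192.55.x.x virtual server so that no other
# VIP, and not the default SNAT for the other internal nodes, is affected.

when CLIENT_ACCEPTED {
    # Remember which VLAN the client connection arrived on, as the second
    # reply proposes. That reply saw LINK::vlan_id return nothing on a
    # 9.4.2 beta pair, so confirm it returns a tag on the target version.
    set client_vlan [LINK::vlan_id]
}

when LB_SELECTED {
    # SNAT only when BOTH hold: the chosen member is the remote Singapore
    # node and the client came in on the expected VLAN. All other traffic
    # through this VIP keeps its original source address.
    if { [IP::addr [LB::server addr]/24 equals 192.55.17.0] && $client_vlan == 5 } {
        # automap picks the self IP of the egress VLAN (internal_5 here);
        # use "snat <address>" instead to pin a specific 192.168.x.x IP.
        snat automap
        # Record the decision so selective SNAT can be checked in /var/log/ltm.
        log local0. "SNAT automap: [IP::client_addr] (vlan $client_vlan) -> [LB::server addr]"
    }
}
```

Connections that do not match the condition fall through untouched, so the existing default SNAT for other internal nodes keeps working as before.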