Forum Discussion

Kevin_Nail
Jun 10, 2008

disable SNAT on a forwarding virtual server

Hi,

My setup is a little bit strange. Our developers have placed some servers behind the LTM (their default routes point to the internal floating IP) but they are not being load-balanced nor are they a part of a pool. We recently created a forwarding virtual server to allow them to ping another server outside of the LTM (external VLAN). The problem now is that the same server which they are pinging is attempting to initiate communications back to them and they are SNAT'd. How can I disable the SNAT address for only those particular servers and only when they are contacted by the one server on the external side? What would the iRule look like and where should it be attached? I thought about using the server_connected command but didn't know where to put it. Any help is greatly appreciated.

2 Replies

  • How are you SNATing? Are you using the SNAT Pool Automap on the Virtual Forwarding server?

  • You can disable SNAT for specific source addresses and/or specific destination addresses using 'snat none' in an iRule. For individual addresses or networks, you can use the IP::addr command to perform the evaluation. If there are multiple hosts/networks you want to not SNAT for, you can add them to a datagroup of type 'address' and then use the matchclass command.

    Here are a couple of examples:

     when CLIENT_CONNECTED {
        # Check if the source IP address is part of the 10.0.0.0/255.0.0.0 network
        if {[IP::addr [IP::client_addr]/8 equals 10.0.0.0]}{
           # Disable SNAT for this connection
           snat none
        }
     }

     when CLIENT_CONNECTED {
        # Check if the source IP address is part of the 10.1.0.0/255.255.0.0 network
        # and the destination address is part of the 10.2.0.0/255.255.0.0 network
        if {[IP::addr [IP::client_addr]/16 equals 10.1.0.0] && [IP::addr [IP::local_addr]/16 equals 10.2.0.0]}{
           # Disable SNAT for this connection
           snat none
        }
     }

     # Address datagroup (bigip.conf class syntax) listing the sources that must not be SNAT'd
     class no_snat_source_networks {
        network 10.1.0.0 mask 255.255.0.0
        network 192.168.0.0 mask 255.255.0.0
        host 10.2.1.1
     }

     when CLIENT_CONNECTED {
        # Check if the source IP address is part of the no_snat_source_networks datagroup
        if {[matchclass [IP::client_addr] equals $::no_snat_source_networks]}{
           # Disable SNAT for this connection
           snat none
        }
     }

    Aaron
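The two techniques above combined for the original scenario, as an added example that is not part of Aaron's reply: the internal servers go in an address datagroup and SNAT is skipped only when one of them is talking to the single external server. The datagroup name no_snat_internal_hosts, the host addresses and the external address 192.0.2.10 are placeholders; the class goes in the datagroup configuration and the when block in the iRule attached to the forwarding virtual server.

```tcl
# Added example, not from the original reply. All addresses are placeholders.
# Datagroup (bigip.conf class syntax) listing only the internal servers that need the exception
class no_snat_internal_hosts {
   host 10.1.1.10
   host 10.1.1.11
}

# iRule attached to the forwarding virtual server
when CLIENT_CONNECTED {
   # Placeholder for the one external server the internal hosts ping
   set external_peer 192.0.2.10

   # Skip SNAT only when a listed internal host is the source AND the external server is the destination;
   # every other connection through the forwarding virtual server keeps the default SNAT
   if { [matchclass [IP::client_addr] equals $::no_snat_internal_hosts] && \
        [IP::addr [IP::local_addr] equals $external_peer] } {
      # Keep the real internal source address on this connection only
      snat none
      # Record the exception so it can be verified in /var/log/ltm
      log local0. "SNAT disabled for [IP::client_addr] -> [IP::local_addr]"
   }
}
```

Keeping the datagroup to the exact hosts involved limits how much internal addressing is exposed to the external side; the log line makes it easy to confirm that no other traffic is matching the exception.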