
F5 BIG-IP – Apply SNAT to client subnet or IP


Posted on August 17, 2017

In certain scenarios it can be interesting or necessary to apply SNAT only to certain client IPs when accessing a virtual server, e.g. to avoid asymmetric routes when the server gateway is not the F5… (take a look at this link for more examples).


These are the steps (I'm using BIG-IP v13)…

Contents

1 Create a SNAT pool
2 Create IRULE
3 Assign IRULE to POOL
4 Check IRULE is working correctly
4.1 Command “show sys conn”
4.2 Log file /var/log/LTM

Create a SNAT pool

I prefer the SNAT to use a specific IP, so first I create a SNAT pool.

Local Traffic – Address Translation – SNAT Pool List – <Create>

Assign a name and the IP(s) to use as the translated source IP.


Create IRULE

Before creating the IRULE we need to know 3 “values”:

– Client IP(s) to which we want to apply the SNAT

– Name of the POOL of the virtual server we want the SNAT to apply to

– Name of the SNAT POOL created in the previous step

Local Traffic – IRules – IRule List – <Create>

Assign a name and set the following code (POOL_EXCHANGE, SNAT_POOL_LAN and the “192.168.190.” prefix are my own example values; replace them with yours):

    when CLIENT_ACCEPTED {
        # Written to /var/log/ltm for every accepted connection; append [IP::client_addr] to record the source address
        log local0. "client:"
        # String match: only clients whose address contains the prefix are sent to the pool with SNAT
        if { [IP::client_addr] contains "192.168.190." } {
            pool POOL_EXCHANGE
            snatpool SNAT_POOL_LAN
        }
    }


Assign IRULE to POOL

Local Traffic – Virtual Servers – Virtual Server List – <Select VS> – Resources

Assign the newly created IRule in the IRules section.

Check IRULE is working correctly

Command “show sys conn”

With the “show sys conn” TMSH command you can list the active connections (filtering by virtual server IP, for example).

For example, my VS_EXCHANGE virtual server has the IP 192.168.206.233. To check its connections:

# tmsh show sys conn cs-server-addr 192.168.206.233%1

The output shows: <original client IP> <virtual server IP> <translated client IP> <server IP>

As you can see, when the client IP does not contain “192.168.190.”, the IP is not translated. However, the “192.168.190.126” client IP was translated to the one defined in the SNAT pool (192.168.190.250).
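Reading the connection table by eye works for a handful of rows; for a busier virtual server it helps to script the same check. The following Python is an added example, not part of the original post or of F5's tooling. It takes “show sys conn” output in the four-column order described above, parses the client, virtual server, translated client and server addresses (dropping the %1 route-domain suffix and the port), and reports every connection to the VS whose server-side source does not match the SNAT policy. The sample output it carries is constructed, not a real capture, and the policy values (192.168.190.0/24, 192.168.190.250, 192.168.206.233) are the post's own examples. It also contrasts the iRule's string test (`contains "192.168.190."`) with a CIDR test: the two agree on a /24, but the string test cannot express a /23 or /25, for which the iRule form `IP::addr [IP::client_addr] equals 192.168.190.0/23` is the usual replacement.

```python
"""Offline audit of BIG-IP 'show sys conn' output against a client-subnet SNAT policy (added example)."""
import ipaddress
from dataclasses import dataclass

# Values from the post: clients in CLIENT_SUBNET reaching VIRTUAL_SERVER must
# appear to the pool member as SNAT_ADDRESS; everyone else keeps their own IP.
CLIENT_SUBNET = ipaddress.ip_network("192.168.190.0/24")
SNAT_ADDRESS = ipaddress.ip_address("192.168.190.250")
VIRTUAL_SERVER = ipaddress.ip_address("192.168.206.233")

# Constructed sample output (not a real tmsh capture). Columns follow the order
# the post gives: client IP, virtual server IP, translated client IP, server IP,
# each as addr%routedomain:port, then protocol, idle seconds and owning tmm.
# The third row deliberately shows a client that should have been translated but was not.
SAMPLE_SHOW_SYS_CONN = """\
Sys::Connections
192.168.190.126%1:52110  192.168.206.233%1:443  192.168.190.250%1:52110  10.10.20.15%1:443  tcp  3  (tmm: 3)
10.50.7.21%1:41002  192.168.206.233%1:443  10.50.7.21%1:41002  10.10.20.15%1:443  tcp  12  (tmm: 2)
192.168.190.40%1:60001  192.168.206.233%1:443  192.168.190.40%1:60001  10.10.20.15%1:443  tcp  1  (tmm: 1)
Total active connections : 3
"""


@dataclass(frozen=True)
class Connection:
    client: ipaddress.IPv4Address
    virtual_server: ipaddress.IPv4Address
    translated_client: ipaddress.IPv4Address
    server: ipaddress.IPv4Address


def parse_endpoint(token: str) -> ipaddress.IPv4Address:
    """'addr%rd:port' -> addr; the route-domain suffix and the port are dropped."""
    host = token.rsplit(":", 1)[0].split("%", 1)[0]
    return ipaddress.ip_address(host)


def parse_show_sys_conn(text: str) -> list:
    """Keep only rows that carry four endpoints; header and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            rows.append(Connection(*[parse_endpoint(f) for f in fields[:4]]))
        except ValueError:
            continue  # 'Sys::Connections' / 'Total active connections' lines
    return rows


def irule_contains_match(client_ip: str, prefix: str = "192.168.190.") -> bool:
    """The post's iRule test: [IP::client_addr] contains "192.168.190." (a plain string match)."""
    return prefix in client_ip


def subnet_match(client_ip: str, cidr: str) -> bool:
    """CIDR membership; the iRule equivalent is: IP::addr [IP::client_addr] equals <cidr>."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr)


def expected_source(client, subnet=CLIENT_SUBNET, snat=SNAT_ADDRESS):
    """Address the pool member should see for this client under the policy."""
    return snat if client in subnet else client


def audit(text: str, vs=VIRTUAL_SERVER) -> list:
    """One finding per connection to the VS whose server-side source contradicts the policy."""
    findings = []
    for c in parse_show_sys_conn(text):
        if c.virtual_server != vs:
            continue  # other virtual servers are out of scope for this rule
        want = expected_source(c.client)
        if c.translated_client != want:
            findings.append(f"{c.client}: server sees {c.translated_client}, expected {want}")
    return findings


if __name__ == "__main__":
    # Usage: pipe the output of 'tmsh show sys conn cs-server-addr <VS IP>' into audit()
    for finding in audit(SAMPLE_SHOW_SYS_CONN) or ["all connections match the SNAT policy"]:
        print(finding)
```

A connection listed with the client's own address in the third column when the client sits inside the subnet means the iRule did not fire for it (wrong virtual server, iRule not assigned, or a prefix typo), which is exactly the case the sample's third row reproduces.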

Log file /var/log/LTM

The /var/log/ltm file can also show whether the IRule is being applied:

# tail -f /var/log/ltm | grep IRULE_SNAT_EXCHANGE

Aug 17 10:24:05 BigIP1 info tmm3[28767]: Rule /LAN/IRULE_SNAT_EXCHANGE <CLIENT_ACCEPTED>: client:
Aug 17 10:24:05 BigIP1 info tmm2[28767]: Rule /LAN/IRULE_SNAT_EXCHANGE <CLIENT_ACCEPTED>: client:

This entry was posted in F5 BIG-IP and tagged bigip, F5, howto, nat, TCP/IP by Sysadmin SomoIT. Bookmark the permalink.
