F5 BIG-IP – Apply SNAT to client subnet or IP
Posted on August 17, 2017

In certain scenarios it can be interesting or necessary to apply SNAT only to certain client IPs when they access a virtual
server, for example to avoid asymmetric routes when the server's gateway is not the F5 (take a look at this link for more
examples).

These are the steps (I'm using BIG-IP v13)…

Contents

1 Create a SNAT pool
2 Create IRULE
3 Assign IRULE to POOL
4 Check IRULE is working correctly
4.1 Command “show sys conn”
4.2 Log file /var/log/ltm
Create a SNAT pool
I prefer the SNAT to be applied using a specific IP, so I have to create a SNAT pool.
Local Traffic – Address Translation – SNAT Pool List – <Create>
Assign a name and the IP(s) to use as the translated source IP.

Create IRULE

Before creating the IRULE we need to know 3 “values”:


– Client IP(s) to which we want to apply the SNAT
– Name of the POOL of the virtual server we want the SNAT to apply to
– Name of the SNAT POOL created in the previous step

Local Traffic – IRules – IRule List – <Create>

Assign a name and set the following code (the 192.168.190. prefix, POOL_EXCHANGE and SNAT_POOL_LAN are my own example values; replace them with yours)

when CLIENT_ACCEPTED {
    # Marker written to /var/log/ltm for every accepted client connection
    log local0. "client:"
    # Only clients whose address starts with the 192.168.190. prefix get the SNAT
    if { [IP::client_addr] contains "192.168.190." } {
        # Send the connection to the virtual server's pool...
        pool POOL_EXCHANGE
        # ...with the source address translated to a member of the SNAT pool
        snatpool SNAT_POOL_LAN
    }
}

Assign IRULE to POOL

Local Traffic – Virtual Servers – Virtual Server List – <Select VS> – Resources

Assign the newly created IRule in the IRules section.

Check IRULE is working correctly

Command “show sys conn”


By using the “show sys conn” TMSH command you can check the active connections (filtering by virtual server IP, for
example).

For example, my VS_EXCHANGE virtual server has the IP 192.168.206.233.


To check the connections:

# tmsh show sys conn cs-server-addr 192.168.206.233%1

The output shows: <original client IP> <virtual server IP> <translated client IP> <server IP>

As you can see, when the client IP does not contain “192.168.190.”, the address is not translated.
However, the “192.168.190.126” client IP was translated to the one defined in the SNAT pool (192.168.190.250).
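As an added verification helper that is not part of the original post, the following Python script parses the four leading address columns of “show sys conn” output and checks every connection against the iRule policy: clients in 192.168.190.0/24 must appear with a SNAT pool member as translated address, all other clients must keep their own address. The sample output, the ports and the back-end server address 192.168.206.10 are constructed.

```python
import ipaddress

# Constructed sample of "tmsh show sys conn" output. The four leading columns are
# <original client> <virtual server> <translated client> <server> as addr:port,
# optionally with a %route-domain suffix; the remaining columns are ignored.
SAMPLE_CONN_OUTPUT = """\
192.168.190.126:51234  192.168.206.233%1:443  192.168.190.250:51234  192.168.206.10:443  tcp  14  (tmm: 3)  none
10.10.5.7:40021        192.168.206.233%1:443  10.10.5.7:40021        192.168.206.10:443  tcp  3   (tmm: 2)  none
192.168.190.40:50100   192.168.206.233%1:443  192.168.190.40:50100   192.168.206.10:443  tcp  9   (tmm: 1)  none
"""

SNAT_CLIENTS = ipaddress.ip_network("192.168.190.0/24")    # subnet the iRule matches
SNAT_POOL_IPS = {ipaddress.ip_address("192.168.190.250")}  # members of SNAT_POOL_LAN


def parse_addr(field):
    """Strip the :port and any %route-domain suffix from an addr:port column (IPv4)."""
    host = field.rsplit(":", 1)[0].split("%", 1)[0]
    return ipaddress.ip_address(host)


def parse_conn_lines(text):
    """Yield (client, virtual, translated, server) tuples from show sys conn output."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        try:
            yield tuple(parse_addr(c) for c in cols[:4])
        except ValueError:
            continue  # header/footer lines that are not connection entries


def audit_snat(text):
    """Return (client, translated, status) per connection; status is 'ok' when the
    translation matches the iRule policy: clients inside SNAT_CLIENTS must appear
    with a SNAT pool member, all other clients must keep their own address."""
    results = []
    for client, _virtual, translated, _server in parse_conn_lines(text):
        if client in SNAT_CLIENTS:
            ok = translated in SNAT_POOL_IPS
        else:
            ok = translated == client
        results.append((str(client), str(translated), "ok" if ok else "MISMATCH"))
    return results
```

The third constructed line (a 192.168.190.40 client that kept its own address) is reported as MISMATCH, which is what you would see for connections established before the iRule was assigned to the virtual server.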

Log file /var/log/LTM


The /var/log/ltm file can also show whether the IRule is being applied:

# tail -f /var/log/ltm | grep IRULE_SNAT_EXCHANGE


Aug 17 10:24:05 BigIP1 info tmm3[28767]: Rule /LAN/IRULE_SNAT_EXCHANGE <CLIENT_ACCEPTED>:
client:
Aug 17 10:24:05 BigIP1 info tmm2[28767]: Rule /LAN/IRULE_SNAT_EXCHANGE <CLIENT_ACCEPTED>:
client:

This entry was posted in F5 BIG-IP and tagged bigip, F5, howto, nat, TCP/IP by Sysadmin SomoIT. Bookmark the permalink.
