
Manual Chapter: Configuration Guide for BIG-IP® Local Traffic Management: 11 - Configuring SNATs and NATs


11

Configuring SNATs and NATs


Introducing secure network address translation

A virtual server configured on a BIG-IP® local traffic management (LTM) system translates the destination IP address of an incoming packet to another destination IP address, for the purpose of load balancing that packet. Normally, the source IP address remains unchanged.

As an option, you can also create a secure network address translation (SNAT). A SNAT is an object that maps an original client IP address (that is, a source IP address) to a translation address that you choose. Thus, a SNAT causes the LTM system to translate the source IP address of an incoming packet to an address that you specify. The purpose of a SNAT is simple: to ensure that the target server sends its response back through the LTM system rather than to the original client IP address directly.

To create a SNAT, you either use the Configuration utility or write an iRule, depending on the type of SNAT you are creating.

Note

This type of translation has no effect on the destination address translation that a virtual server performs.

Examples of scenarios where a SNAT is useful are:

  • To connect to an external device that requires a routable return IP address
  • To connect to a virtual server with a node that is on the same IP subnet as the client

Tip


Because the purpose of a SNAT is simply to change the source IP address of incoming packets, the term secure network address translation is a slight misnomer. A better way to define the SNAT acronym would be source network address translation, or source NAT.

How does a SNAT work?

A SNAT works in the following way:

  1. The LTM system receives a packet from an original client IP address and checks to see if that source address is defined in a SNAT.
  2. If the client's IP address is defined in a SNAT, the LTM system changes that source IP address to the translation address defined in the SNAT.
  3. The LTM system then sends the client request, with the SNAT translation address as the source address, to the target server.

The end result of this process is that the target server has a routable IP address for the client that the server can specify as the destination IP address in its response.

Mapping original IP addresses to translation addresses

When you create a SNAT, you map an original IP address to a translation address in one of several ways, depending on your needs. For example, you can explicitly map an original IP address to a single translation address, or you can create a pool of translation addresses and map the original IP address to that pool of addresses.

Mapping a specific original IP address to a specific translation address

One way to create a SNAT is to directly map one or more original IP addresses to a specific translation address that you choose. A SNAT that you create in this way is a type of standard SNAT. A standard SNAT is a SNAT object that you create using the New SNAT screen of the Configuration utility. For more information on standard SNATs, see Implementing a SNAT.

Using the SNAT automap feature

Another way to create a SNAT is to use a feature of the LTM system called SNAT automap. The SNAT automap feature automatically maps one of the system's self IP addresses to the original IP address you specify during SNAT creation. When you use this feature, you do not need to explicitly specify a translation address.

A SNAT that you create in this way is a type of standard SNAT. For more information on standard SNATs, see Implementing a SNAT.

Mapping a specific original IP address to a pool of translation addresses

You can also create a SNAT by creating a pool of translation addresses and then mapping an original IP address to the entire translation pool. This pool of translation addresses is known as a SNAT pool. You create a SNAT pool using the New SNAT Pool screen of the Configuration utility. For information on creating a SNAT pool, see Implementing a SNAT.

Once you have created a SNAT pool and mapped it to an original IP address, and the virtual server then receives a packet from the original IP address, the LTM system chooses a translation address from that SNAT pool. The system then translates the original IP address to the chosen address.

You can map an original IP address to the SNAT pool in one of two ways:

  • By creating a SNAT object.
    A SNAT that you create this way, using the New SNAT screen in the Configuration utility, is a type of standard SNAT. For more information on standard SNATs, see Creating a standard SNAT.
  • By writing an iRule.
    In this case, you do not create a SNAT object. Instead, you write an iRule that includes a snat or snatpool command. The type of SNAT that you create by writing an iRule is called an intelligent SNAT. An intelligent SNAT is the mapping of one or more original client IP addresses to a translation address through the use of an iRule. For more information on intelligent SNATs, see Creating an intelligent SNAT.

Mapping all original IP addresses to a pool of translation addresses

Yet another way to create a SNAT is to create a SNAT pool (using the New SNAT Pool screen of the Configuration utility) and directly assign it to a virtual server as a resource of that virtual server. Once you have assigned a SNAT pool to a virtual server, the LTM system automatically maps all original IP addresses coming through the virtual server to that SNAT pool. As with intelligent SNATs, you do not create a SNAT object, with the New SNAT screen, in the Configuration utility. For more information on this type of SNAT, see Assigning a SNAT pool directly to a virtual server.

Creating a SNAT pool

If you decide that you want to use a SNAT pool as the way to specify translation addresses in your SNAT, you must first create the SNAT pool, specifying one or more translation addresses that you want to include in the SNAT pool. You create a SNAT pool using the Configuration utility. For background information on SNAT pools, see Mapping a specific original IP address to a pool of translation addresses.

After creating the SNAT pool, you then create the type of SNAT that best suits your needs (a standard SNAT, an intelligent SNAT, or a SNAT pool that you assign directly to a virtual server). To understand the different types of SNATs that you can create, see Implementing a SNAT.

A SNAT pool has two settings that you must configure when you create it. Table 11.1 lists and describes these settings.

Table 11.1 Properties of a SNAT pool

| Property | Description | Default Value |
| --- | --- | --- |
| Name | The unique name of the SNAT pool. | No default value |
| Member List | The list of IP addresses that you want to include in the SNAT pool. If the IP addresses that you add are not already designated as translation addresses, the LTM system automatically designates them as such and assigns them the appropriate properties with their default values. This setting is required. | No default value |

Each translation address that you add to the SNAT pool has settings that you can configure after you add the address to the SNAT pool. For information on these settings, see Specifying a translation address.

Once you create a SNAT pool, you must do one of the following:

To create a SNAT pool

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. Click SNAT Pool List on the menu bar.
    This displays a list of existing SNAT pools.
  4. In the upper-right corner of the screen, click Create.
  5. For the Name setting, type a unique name for the SNAT pool.
  6. For the Member List setting, type an IP address.
  7. Click Add.
  8. Repeat steps 6 and 7 for each translation address that you want to add.
  9. Click Finished.

Implementing a SNAT

Before implementing secure network address translation, you should decide which type of SNAT you want to create. The types of SNATs you can create are:

  • Standard SNAT
    A standard SNAT is an object you create, using the Configuration utility, that specifies the mapping of one or more original client IP addresses to a translation address. For this type of SNAT, the criteria that the LTM system uses to decide when to apply the translation address is based strictly on the original IP address. That is, if a packet arrives from the original IP address that you specified in the SNAT, then the LTM system translates that address to the specified translation address.

    There are three types of standard SNATs that you can create:
    • A SNAT in which you specify a specific translation address
    • A SNAT that uses the automap feature
    • A SNAT in which you specify a SNAT pool as your translation address
  • Intelligent SNAT
    Like a standard SNAT, an intelligent SNAT is the mapping of one or more original client IP addresses to a translation address. However, you implement this type of SNAT mapping within an iRule instead of by creating a SNAT object. For this type of SNAT, the criteria that the LTM system uses to decide when to apply a translation address is based on any piece of data you specify within the iRule, such as an HTTP cookie or a server port.
  • SNAT pool assigned as a virtual server resource
    This type of SNAT consists of just a SNAT pool that you directly assign as a resource to a virtual server. When you implement this type of SNAT, you create a SNAT pool only; you do not need to create a SNAT object or an iRule.

For more information on mapping original IP addresses to translation addresses, see Mapping original IP addresses to translation addresses.

Creating a standard SNAT

You create a standard SNAT using the Configuration utility. The translation address or addresses that you map to an original IP address can be either a specific IP address, an existing SNAT pool, or a self IP address (using the automap feature).

When you create a standard SNAT, the LTM system automatically assigns a set of properties to the SNAT. While you must configure the Name and Translation settings at the time that you create the SNAT, you can use the default values for the other settings, or modify those values later.

To create a standard SNAT

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. In the upper-right corner of the screen, click Create.
  4. For the Name setting, type a unique name for the SNAT.
  5. For the Translation setting, select IP Address, SNAT Pool, or Automap.
  6. If you selected IP Address or SNAT Pool, type an IP address or select a SNAT pool name.
  7. Change or retain all other values.
  8. Click Finished.

Table 11.2 shows the settings that you can configure for a SNAT. Following the table are detailed descriptions of each setting.

Table 11.2 Properties of a standard SNAT

| Property | Description | Default Value |
| --- | --- | --- |
| Name | Specifies the unique name of the standard SNAT. Setting this property is required. | No default value |
| Translation | Depending on the value selected, specifies an individual IP address, a SNAT pool name, or the Automap option. Possible values are: IP Address, SNAT Pool, or Automap. | Automap |
| Origin | Specifies the original client IP addresses to which you want to map a translation address or pool of translation or self IP addresses. Possible values are All Addresses or Address List. | All Addresses |
| VLAN Traffic | The VLAN to which you want the SNAT to apply. Possible values are: ALL VLANS, Enabled On, and Disabled On. | ALL VLANS |

Specifying a SNAT name

The most basic setting you can configure for a standard SNAT is the SNAT name. SNAT names are case-sensitive and may contain letters, numbers, and underscores (_) only. Reserved keywords are not allowed.

Each SNAT that you define must have a unique name.

Specifying a translation address

The Translation setting specifies the translation addresses that you want to map to your original client IP addresses. For background information on translation addresses, see Mapping original IP addresses to translation addresses.

There are three possible values for the Translation setting:

  • IP Address
    When creating a SNAT, you can specify a particular IP address that you want the SNAT to use as a translation address. For the procedure on specifying a particular translation address, see To explicitly define a translation address.
  • SNAT pool
    Specifying this value allows you to specify an existing SNAT pool to which you want to map your original client IP address. For information on SNAT pools and how to create them, see Creating a SNAT pool. For an example of a standard SNAT that uses a SNAT pool, see Example 1 - Establishing a standard SNAT that uses a SNAT pool.
  • Automap
    Similar to a SNAT pool, the SNAT automap feature allows you to map one or more original client IP addresses to a pool of translation addresses. However, with the SNAT automap feature, you do not need to create the pool. Instead, the LTM system effectively creates a pool for you, using all of the LTM system's self IP addresses as the translation addresses for the pool.

When you specify a translation address or a SNAT pool, the LTM system automatically assigns a set of properties to that translation address. You can use the default values for these properties, or you can change them to suit your needs. Table 11.3 lists and describes the properties of a translation address.

Table 11.3 Properties of a SNAT translation address

| Property | Description | Default Value |
| --- | --- | --- |
| IP address | The IP address that you want to designate as a translation address. This is a required setting. | No default value |
| State | The state of the translation address, that is, enabled or disabled. If set to disabled, the translation address is not used to initiate a connection. | Enabled |
| ARP | A setting that determines whether or not the LTM system responds to ARP requests or sends gratuitous ARPs. | Enabled |
| Connection Limit | A limit on the number of connections a translation address must reach before it no longer initiates a connection. The default value of 0 indicates that the setting is disabled. | 0 |
| TCP Idle Timeout | A timer that defines the number of seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify. | Indefinite |
| UDP Idle Timeout | A timer that defines the number of seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify. | Indefinite |
| IP Idle Timeout | A timer that defines the number of seconds that IP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify. | Indefinite |

Specifying original IP addresses

The Origin setting specifies the original client IP addresses that you want to map to translation addresses. You can add one IP address or multiple IP addresses as values for this setting.

Specifying VLAN traffic

The VLAN Traffic setting specifies the VLANs to which you want the SNAT to apply. Possible values are: ALL VLANS, Enabled On, and Disabled On.

Creating an intelligent SNAT

One way to perform secure address translation is to create an intelligent SNAT. As described previously, an intelligent SNAT is not a SNAT object, but instead an iRule that maps one or more original client IP addresses to a translation address. To create an intelligent SNAT, you must complete these tasks:

  • If you are mapping an original IP address to a SNAT pool (as opposed to an individual translation address), use the New SNAT Pools screen to create one or more SNAT pools that include those translation addresses as members. For more information, see To create a SNAT pool.
  • Use the New Rules screen to create an iRule that includes the snat or snatpool command. These iRule commands specify the translation address or the pool of translation addresses that the LTM system should use to select a translation address. For more information on iRules™, see Chapter 13, Writing iRules.
  • From the Resources screen for the appropriate virtual server, assign the iRule as a resource to the virtual server. For more information on virtual servers, see Chapter 2, Configuring Virtual Servers.

Note

For an example of an intelligent SNAT, see Example 2 - Establishing an intelligent SNAT.

Assigning a SNAT pool directly to a virtual server

Rather than creating a SNAT object, or an intelligent SNAT using an iRule, you have the option of simply creating a SNAT pool and then assigning it as a resource directly to a virtual server. This eliminates the need for you to explicitly define original IP addresses to which to map translation addresses.

Implementing a NAT

A network address translation (NAT) provides an alias IP address that a node can use as its source IP address when making or receiving connections to clients on the external network. (This distinguishes it from a SNAT, which can initiate but not receive a connection.)

The IP addresses that identify nodes on the internal network need not be routable on the external network. This protects nodes from illegal connection attempts, but it also prevents nodes (and other hosts on the internal network) from receiving direct administrative connections, or from initiating connections to external servers, such as mail servers or databases.

Using NATs solves this problem. NATs assign to a particular node a routable IP address that the node can use as its source IP address when connecting to external servers. You can use the NAT IP address to connect directly to the node through the LTM system, rather than having the LTM system send the traffic to a random node according to the specified load balancing method.

Note

Note that NATs do not support port translation, and are not appropriate for protocols that embed IP addresses in the packet, such as FTP, NT Domain or CORBA IIOP.

You must create a separate NAT for each node, using the Configuration utility. When you create a NAT, you configure a set of properties. While you must configure the NAT Address and Origin Address settings at the time that you create the NAT, you can use the default values for the other settings, or modify those values later.

To create a NAT

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    The SNATs screen opens.
  3. Click the NAT List menu.
  4. In the upper right corner, click Create.
    The New NAT screen opens.
  5. In the NAT Address box, type the IP address that you want to use as a translation address.
  6. In the Origin Address box, type the original client IP address to be translated.
  7. Retain or modify all other values as necessary.
  8. Click Finished.

Table 11.4 shows the settings that you can configure for a NAT, with a description of each.

Table 11.4 NAT configuration settings

| NAT Attribute | Description | Default Value |
| --- | --- | --- |
| NAT Address | An IP address that is routable on the external network of the LTM system. | No default value |
| Origin Address | The original address is the node IP address of a host that you want to be able to connect to through the NAT. | No default value |
| State | The state of the NAT, that is, whether the NAT is enabled or disabled. | Enabled |
| ARP | A setting that instructs the LTM system to respond to ARP requests from the specified NAT address, and send gratuitous ARP requests for router table updates. | Enabled |
| VLAN Traffic | VLANs to which the NAT is not to be mapped can be explicitly disabled, as when there is more than one internal VLAN. | All VLANS |

In addition to these options, you can set up forwarding virtual servers that allow you to selectively forward traffic to specific addresses.

Additional restrictions

When using a NAT, you should be aware of the following restrictions:

  • The IP address defined in the Origin Address box must be routable to a specific server behind the system.
  • You must delete a NAT before you can redefine it.

Managing SNATs and NATs

Using the Configuration utility, you can manage existing SNATs in many ways. For example, you might want to view a list of existing SNAT pools before creating a new one. Or you might want to modify the way that a standard SNAT maps an original IP address to a translation address.

The tasks that you can perform when managing SNATs are:

  • Viewing or modifying a SNAT or NAT, or a SNAT pool
  • Defining or viewing translation addresses
  • Deleting SNATs or NATs, SNAT pools, and translation addresses
  • Enabling or disabling SNATs or NATs for a load balancing pool
  • Enabling or disabling SNAT or NAT translation addresses

Viewing or modifying SNATs, NATs, and SNAT pools

You can view or modify any SNATs, NATs, or SNAT pools that you created previously.

To view or modify a SNAT or NAT

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. Select the type of item you want to view:
    • If you want to view or modify a SNAT, click a SNAT name.
    • If you want to view or modify a NAT, find the NAT List menu, and click a NAT address.
  4. View or modify the displayed settings.
  5. If you modified any settings, click Update.

To view or modify a SNAT pool

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. On the menu bar, click the SNAT Pool List menu.
    This displays a list of existing SNAT pools.
  4. Click a SNAT pool name.
  5. View or modify the displayed settings.
  6. If you modified any settings, click Update.

Defining and viewing translation addresses

You can define a translation address or view any existing translation addresses that you defined previously.

To explicitly define a translation address

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
  3. On the menu bar, click the SNAT Translation List menu.
    This displays any existing translation addresses.
  4. In the upper-right corner of the screen, click Create.
  5. Retain or change all property settings.
  6. Click Finished.

To view translation addresses

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. On the menu bar, click the SNAT Translation List menu.
    This displays a list of existing translation addresses.
  4. Click a translation address.
  5. View or modify the displayed settings.
  6. If you modified any settings, click Update.

Deleting SNATs, NATs, SNAT pools, and translation addresses

You can delete any existing SNAT, NAT, SNAT pool, or translation address that you created previously.

Note

When you delete a SNAT, the BIG-IP system only deletes the SNAT if no connection is actively using it. To delete SNATs that are still in use, you must issue the bigstart restart command.

To delete a SNAT or a NAT

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. Select the type of item you want to delete:
    • If you want to delete a SNAT, locate the SNAT you want to delete, and check the Select box on the left.
    • If you want to delete a NAT, click the NAT List menu, locate the NAT you want to delete, and check the Select box to the left.
  4. At the bottom of the screen, click Delete.

To delete a SNAT pool

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. On the menu bar, click the SNAT Pool List menu.
    This displays a list of existing SNAT pools.
  4. Locate the SNAT pool you want to delete, and check the Select box to the left.
  5. At the bottom of the screen, click Delete.

To delete a translation address

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
    This displays a list of existing SNATs.
  3. On the menu bar, click the SNAT Translation List menu.
    This displays a list of existing translation addresses.
  4. Locate the translation address you want to delete, and check the Select box to the left.
  5. At the bottom of the screen, click Delete.

Enabling or disabling SNATs or NATs for a load balancing pool

When configuring a load balancing pool, you can specifically disable SNAT or NAT translations on any connections that use that pool. By default, this setting is enabled. For more information, see Chapter 4, Configuring Load Balancing Pools.

Enabling or disabling SNAT translation addresses

Using the Configuration utility, you can enable or disable an individual SNAT translation address.

To enable or disable a SNAT translation address

  1. On the Main tab, expand Local Traffic.
  2. Click SNATs.
  3. On the menu bar, click the SNAT Translation List menu.
  4. Locate the translation address you want to enable or disable, and check the Select box to the left.
  5. At the bottom of the screen, click Enable or Disable.

SNAT examples

The following examples demonstrate ways to implement SNATs that make use of SNAT pools. The examples illustrate how you can:

  • Establish a standard SNAT that uses a SNAT pool
  • Establish an intelligent SNAT

Note

To best illustrate SNATs that use SNAT pools, the following examples show sample entries from the LTM system's bigip.conf file. Entries in the bigip.conf file represent the result of using the Configuration utility to configure the LTM system.

Example 1 - Establishing a standard SNAT that uses a SNAT pool

In some cases, you might need to create a SNAT that maps an original IP address to a SNAT pool instead of to an individual translation address. To illustrate this type of SNAT, suppose an ISP wants to provide two customers with two routable IP addresses each, for links to the Internet. The customers need to use these routable IP addresses as virtual IP addresses for inbound traffic to their own servers, and as translation addresses for outbound traffic from their servers.

In this case, the SNAT provides the solution. To implement the SNAT, the ISP takes the following three steps.

First, the ISP creates the load balancing pool isp_pool, shown in Figure 11.1.

Figure 11.1 bigip.conf entries for a basic load balancing pool
pool isp_pool {
    lb_method rr
    member 199.5.6.254:0
    member 207.8.9.254:0
}

Next, the ISP creates three SNAT pools: customer1_snatpool, customer2_snatpool, and other_snatpool. This is shown in Figure 11.2. Note that the LTM system automatically designates the SNAT pool members as translation addresses.

Figure 11.2 bigip.conf entries for three SNAT pools
snatpool customer1_snatpool {
    member 199.5.6.10
    member 207.8.9.10
}
snatpool customer2_snatpool {
    member 199.5.6.20
    member 207.8.9.20
}
snatpool other_snatpool {
    member 199.5.6.30
    member 207.8.9.30
}

Finally, using the Configuration utility, the ISP creates a SNAT that maps each original IP address directly to the appropriate SNAT pool. Figure 11.3 shows these mappings as they appear in the bigip.conf file.

Figure 11.3 bigip.conf entries that map original addresses to SNAT pools
snat map {
    192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}

snat map {
    192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}

snat map default to snatpool other_snatpool
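
Because a SNAT rewrites the source address, the target server's logs record a translation address rather than the original client. The following Python code is an added example, not part of the original manual: it parses the bigip.conf entries of Figures 11.2 and 11.3, resolves a client to its SNAT pool, and maps a logged translation address back to the original addresses that could be behind it. The function names, the regex-based parsing (limited to the entry forms shown in those figures) and the client address 10.0.0.5 are assumptions.

```python
import ipaddress
import re

# Constructed input: the bigip.conf entries of Figures 11.2 and 11.3.
SAMPLE_CONF = """
snatpool customer1_snatpool {
member 199.5.6.10
member 207.8.9.10
}
snatpool customer2_snatpool {
member 199.5.6.20
member 207.8.9.20
}
snatpool other_snatpool {
member 199.5.6.30
member 207.8.9.30
}
snat map {
192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}
snat map {
192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}
snat map default to snatpool other_snatpool
"""

# Assumed grammar: only the three entry forms that appear in those figures.
POOL_RE = re.compile(r"^\s*snatpool\s+(\w+)\s*\{([^}]*)\}", re.M)
MAP_RE = re.compile(r"^\s*snat\s+map\s*\{([^}]*)\}", re.M)
DEFAULT_RE = re.compile(r"^\s*snat\s+map\s+default\s+to\s+snatpool\s+(\w+)", re.M)


def parse_snat_config(text):
    """Return (pools, origin_to_pool, default_pool) parsed from bigip.conf text."""
    pools = {
        name: [ipaddress.ip_address(m) for m in re.findall(r"member\s+(\S+)", body)]
        for name, body in POOL_RE.findall(text)
    }
    origin_to_pool = {}
    for body in MAP_RE.findall(text):
        tokens = body.split()
        if "to" not in tokens:
            raise ValueError(f"snat map without a target: {body.strip()!r}")
        cut = tokens.index("to")
        target = tokens[cut + 1:]
        if len(target) != 2 or target[0] != "snatpool":
            raise ValueError(f"unsupported snat map target: {target}")
        for origin in tokens[:cut]:
            addr = ipaddress.ip_address(origin)
            if addr in origin_to_pool:
                raise ValueError(f"{addr} is mapped by more than one snat map")
            origin_to_pool[addr] = target[1]
    match = DEFAULT_RE.search(text)
    default_pool = match.group(1) if match else None
    # Reject a mapping that names a pool the file never defines.
    referenced = set(origin_to_pool.values()) | ({default_pool} - {None})
    missing = referenced - set(pools)
    if missing:
        raise ValueError(f"undefined SNAT pool(s) referenced: {sorted(missing)}")
    return pools, origin_to_pool, default_pool


def translation_candidates(client, config):
    """Forward lookup: the pool and addresses a client's source IP may become."""
    pools, origin_to_pool, default_pool = config
    pool = origin_to_pool.get(ipaddress.ip_address(client), default_pool)
    if pool is None:
        return None, []  # no SNAT entry applies to this client
    return pool, [str(a) for a in pools[pool]]


def possible_origins(logged_source, config):
    """Reverse lookup: which original clients can hide behind a logged source IP."""
    pools, origin_to_pool, default_pool = config
    seen = ipaddress.ip_address(logged_source)
    result = {"pools": [], "origins": [], "any_unmapped_client": False}
    for name, members in pools.items():
        if seen not in members:
            continue
        result["pools"].append(name)
        mapped = sorted(o for o, p in origin_to_pool.items() if p == name)
        result["origins"].extend(str(o) for o in mapped)
        if name == default_pool:
            # The default entry covers every client without an explicit snat map,
            # so the address alone cannot identify the client.
            result["any_unmapped_client"] = True
    return result


CONFIG = parse_snat_config(SAMPLE_CONF)

if __name__ == "__main__":
    print(translation_candidates("192.1.1.11", CONFIG))
    print(possible_origins("199.5.6.30", CONFIG))
```

A translation address that belongs to the default pool narrows attribution only to "some client without its own snat map", so identifying that client needs the LTM system's own connection records as well as the server log.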

Example 2 - Establishing an intelligent SNAT

If you want to base SNAT mapping on criteria other than the original client IP address, such as a server port, you can write an iRule and specify a SNAT pool within the iRule. In this case, you use the SNAT screens in the Configuration utility to create a SNAT pool only, and not an actual SNAT object.

For example, suppose a user such as an ISP has two redundant connections to the Internet. In addition, the ISP handles many simultaneous CHAT connections (using port 531), and wants to avoid exhausting the supply of server-side client ports. Finally, the ISP wants to collect statistics separately for CHAT, SMTP, and all other traffic. In this case, configuring an intelligent SNAT is the best way to choose the translation address.

To implement the intelligent SNAT, the ISP takes the following steps.

First, the ISP creates a load balancing pool called out_pool. In the bigip.conf file, the pool looks like the sample in Figure 11.4.

Figure 11.4 bigip.conf entries for a pool to be used in an intelligent SNAT
pool out_pool {
    lb_method round_robin
    member 199.5.6.254:0
    member 207.8.9.254:0
}

Next, as shown in Figure 11.5, the ISP uses the Configuration utility to create a SNAT pool called chat_snatpool containing four IP addresses: 199.5.6.10, 199.5.6.11, 207.8.9.10, and 207.8.9.11. The LTM system automatically designates these IP addresses as translation addresses during creation of the SNAT pool. These addresses correspond to each of the two next hop networks that are to be used for CHAT traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 11.5.

Figure 11.5 A SNAT pool definition for CHAT traffic
snatpool chat_snatpool {
    member 199.5.6.10
    member 199.5.6.11
    member 207.8.9.10
    member 207.8.9.11
}

Next, for each translation address, the ISP uses the Configuration utility to change the timeout value for TCP connections to 600.

Then the ISP creates a second SNAT pool, smtp_snatpool, containing two translation addresses: 199.5.6.20 and 207.8.9.20. Each address corresponds to one of the two next hop networks that are to be used for SMTP traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 11.6.

Figure 11.6 A SNAT pool definition for SMTP traffic
snatpool smtp_snatpool {
    member 199.5.6.20
    member 207.8.9.20
}

Next, the ISP creates the SNAT pool other_snatpool for all other traffic (that is, non-CHAT and non-SMTP traffic), where each IP address corresponds to one of the two next hop networks that are to be used by all other traffic. This is shown in Figure 11.7.

Figure 11.7 A SNAT pool definition for all other traffic
snatpool other_snatpool {
    member 199.5.6.30
    member 207.8.9.30
}

Then the ISP writes an iRule that selects both a SNAT pool, based on the server port of the initiating packet, and the load balancing pool out_pool. Figure 11.8 shows how the iRule uses the command TCP::local_port to indicate the type of packet data to be used as a basis for selecting translation addresses. The iRule also uses the command snatpool to specify the SNAT pools from which the LTM system is to select the translation addresses.

Figure 11.8 Example of an iRule that references an intelligent SNAT
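rule my_iRule {
    when CLIENT_ACCEPTED {
        # Choose the SNAT pool on the client-side event, before the server-side
        # connection exists; here TCP::local_port is the port the client requested.
        if { [TCP::local_port] equals 531 } {
            snatpool chat_snatpool
        } elseif { [TCP::local_port] equals 25 } {
            snatpool smtp_snatpool
        } else {
            snatpool other_snatpool
        }
        pool out_pool
    }
}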

The if statement in the iRule instructs the LTM system to test the value of server port specified in the header of the client request. Based on the results, the LTM system selects both a SNAT pool and a load balancing pool.

As a final step, the ISP assigns the iRule as a resource to a wildcard virtual server, as shown in Figure 11.9.

Figure 11.9 Assignment of an iRule to a wildcard virtual server
virtual 0.0.0.0:0 use rule my_iRule



