Conditional SNAT

mcyork Member ✭✭
I'd like to SNAT only one subnet of source IP addresses and have the remaining (0.0.0.0) IP addresses SLB as normal. Using an ACL I can NAT to different pools; however, I have not found a combination or pool that will SNAT one network and SLB the rest of the traffic.

Ideas - pointers?

clients ---- AX ---- servers

All clients talk to a VIP on the left of the AX (SLB).
I'd like the servers to also talk to the VIP on the left; however, they need SNAT to hide their own source IP.

Thank you
Comments

  • edited February 2014
    The best way to accomplish this is with an aFlex script similar to the following.

    when CLIENT_ACCEPTED {
        # Only connections whose client address falls in 192.168.1.0/24
        # are SNAT'd; everything else keeps its original source address.
        if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
            snatpool snatpool_name
        }
    }

    "snatpool_name" in this example is created through the command line or GUI. "192.168.1.0/24" should be replaced with the client side network you mentioned. The ACLs should be taken into account as well. All other requests besides those originating from 192.168.1.0/24 will be treated without being SNAT'd.
  • mcyork Member ✭✭
    edited February 2014
    OK, I will try this approach. The aFlex documentation implies it will not function as mentioned, as you need an existing SNAT on the port before you can manipulate the SNAT pools via the snatpool keyword. I will explore.
  • edited February 2014
    I've tested this and the documentation is correct. You have to have a SNAT pool assigned to the virtual port in order to use the snatpool command.
  • mcyork Member ✭✭
    edited February 2014
    Then I don't see an answer to my problem yet. Seems like I must SNAT all traffic or none. My goal is to SNAT conditionally as source IP addresses from the clients are important.
  • guy@a10 Member
    edited February 2014
    You can do this with ACL-based SNAT. You don't configure a source NAT pool on the VPORT but only apply an ACL-based SNAT policy. All traffic will get load balanced without SNAT. Only the network(s) you configure in the ACL will be SNAT'd.

    access-list 10 permit 10.1.1.0 0.0.0.255

    ip nat pool SNAT-pool1 10.1.1.222 10.1.1.222 netmask /24

    slb virtual-server VIP-web 10.20.20.200
      port 80 tcp
        access-list 10 source-nat-pool SNAT-pool1
  • edited February 2014
    I think you have two options. Create a conditional SNAT in the virtual server like below.

    access-list 100 permit ip 10.10.10.0 0.0.0.255 any

    slb virtual-server testhttp 10.10.10.141
      port 80 http
        name _10.10.10.141_HTTP_80
        access-list 100 source-nat-pool SNAT10

    Or you can create a static NAT for your servers and enable the snat-on-vip option under the virtual server. This will cause the AX to process the NAT before load balancing. This is commonly used to allow servers to hit a VIP that is also pointing to the server network.
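The reason the ACL-based policy in the two answers above works where "SNAT everything" or "SNAT nothing" does not can be checked offline. The following Python model is an added example, not code from the thread or from A10: it implements ACOS/Cisco-style wildcard-mask matching for the access-list and a simple model of the server's reply path. Addresses from the thread are reused (10.1.1.0/24 server subnet, SNAT pool IP 10.1.1.222); the client 192.168.1.50, the server 10.1.1.10 and the AX server-side interface 10.1.1.1 are constructed assumptions, as is the assumption that the AX is the servers' default gateway (the inline "clients ---- AX ---- servers" topology of the question).

```python
"""Model of ACL-based conditional SNAT on an inline load balancer.

Added example, not A10 code. It reproduces the decision the ACL-based
policy makes and shows why a server on the backend subnet cannot reach
the VIP without SNAT: the backend answers an on-subnet source directly
(ARP), so the reply never transits the AX and the handshake breaks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: str     # e.g. "10.1.1.0"
    wildcard: str    # wildcard (inverse) mask: 1 bits are "don't care"


def acl_matches(entry: AclEntry, src: str) -> bool:
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    net = int(ipaddress.IPv4Address(entry.network))
    wc = int(ipaddress.IPv4Address(entry.wildcard))
    s = int(ipaddress.IPv4Address(src))
    care = ~wc & 0xFFFFFFFF
    return (s & care) == (net & care)


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    """First match wins; no match is an implicit deny, i.e. no SNAT."""
    for entry in acl:
        if acl_matches(entry, src):
            return entry.action == "permit"
    return False


BACKEND_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # server side (thread)
SNAT_IP = "10.1.1.222"                                  # SNAT-pool1 (thread)
AX_ADDRESSES = {"10.1.1.1", SNAT_IP}   # 10.1.1.1 = AX server-side interface (assumed)


def reply_reaches_ax(seen_src: str) -> bool:
    """A backend sends replies to an on-subnet source directly; only
    off-subnet sources go via its default gateway, which is the AX here."""
    if ipaddress.ip_address(seen_src) in BACKEND_SUBNET:
        return seen_src in AX_ADDRESSES
    return True


def simulate(src: str, policy: str, acl: List[AclEntry] = ()) -> dict:
    """policy: 'none' (no SNAT), 'all' (pool bound to the vport),
    'acl' (ACL-based SNAT policy, as in the thread)."""
    if policy == "none":
        snat = False
    elif policy == "all":
        snat = True
    elif policy == "acl":
        snat = acl_permits(acl, src)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    seen = SNAT_IP if snat else src
    return {
        "snat": snat,
        "seen_src": seen,                      # source the backend logs
        "client_ip_preserved": seen == src,    # what the asker cares about
        "handshake_ok": reply_reaches_ax(seen),
    }


ACL_10 = [AclEntry("permit", "10.1.1.0", "0.0.0.255")]   # access-list 10 (thread)

CLIENT = "192.168.1.50"   # constructed client left of the AX
SERVER = "10.1.1.10"      # constructed server that wants to use the VIP

if __name__ == "__main__":
    for policy in ("none", "all", "acl"):
        for who, ip in (("client", CLIENT), ("server", SERVER)):
            print(f"{policy:5} {who:6} {simulate(ip, policy, ACL_10)}")
```

Running it shows the three policies side by side: with no SNAT the server's own connection to the VIP fails the handshake, with a pool bound to the vport every client loses its source address, and with the ACL-based policy only the 10.1.1.0/24 sources are rewritten. The last assertion in the test also documents a common mistake: writing the ACL with a subnet mask (255.255.255.0) instead of a wildcard mask makes it match any address whose last octet is 0, not the intended network.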