F5 automap feature

Product Discussions aFleX
, ,
1

Hi, I have one F5 with irule contain “automap snat”, this functionality allows changing the IP when the destination is local to one of the F5 in order to prevent asymmetric routing. The automap options tells to BIG-IP to decide what source ip to use to reach the destination network.
I rule like this
when CLIENT_ACCEPTED {
 set clientIP [getfield [IP::client_addr] “%” 1]
if {([IP::addr $clientIP equals 192.168.1.0/24])}{
  snat automap
  return
 }
In aFlex i have operator “snat”, i ´can do snat to IP Address to vrrp address configured o physical address in interface?

A10 has something similar to automap feature?
Thanks in advance

2

You can configure it like this as below.

when CLIENT_ACCEPTED {
 set clientIP [getfield [IP::client_addr] “%” 1]
 if {([IP::addr $clientIP equals 192.168.1.0/24])} {
 snat 1.1.1.1
 return
 }
}

snat
 - Assigns the specified NAT address () to the server-side connection.

snatpool <snatpool_name>
 - Causes the pool of addresses identified by <snatpool_name> to be used as translation addresses to create a SNAT.

3

Hi jpark, thanks for response
But my question is “i can use the ip address that i have configure in vrrp floating address”?
And, i can use any ip in operator “snat”
For example,

In global config
vrrp-a vrid 1
floating-ip 1.1.1.1

And the aflex rule

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 192.168.10.0/24] } {
    snat 1.1.1.1
  }  
}

I need configure nat pool for 1.1.1.1?
vrrp floating ip can be used for snat in aflex script?
This config would be similar to f5 automap snat, and solve existing asymetric routing problems.
Thanks in advance

4

Hi Arturo,
you can use vrrp floating ip for snat.

here are a couple of options to do the same using cli instead of aflex

ConfigurationConfiguration: Test 1. [Access-list 100 source-nat-pool NAT-P1 on VIP]
access-list 100 permit ip any any                                                  
interface ethernet 5
 ip address 5.5.5.1 255.255.255.0
 interface ethernet 6
 ip address 3.3.3.1 255.255.255.0
ip nat pool NAT-P1 3.3.3.9 3.3.3.9 netmask /32
slb server S1 3.3.3.11
 Port 80 tcp
slb server S2 3.3.3.12
 port 80 tcp
slb service-group SG1 tcp
 member S1 80
 member S2 80
slb virtual-server VS3 5.5.5.100
 port 80 tcp
   name _5.5.5.100_tcp_80
   access-list 100 source-nat-pool NAT-P1
   service-group SG1

Configuration: Test 2 [snat-on-vip on VIP]
access-list 100 permit ip any any
interface ethernet 5
 ip address 5.5.5.1 255.255.255.0
 ip nat inside
interface ethernet 6
 ip address 3.3.3.1 255.255.255.0
 ip nat outside
ip nat pool NAT-P1 3.3.3.9 3.3.3.9 netmask /32
ip nat inside source list 100 pool NAT-P1
slb common
 snat-on-vip
slb server S1 3.3.3.11
 port 80 tcp
slb server S2 3.3.3.12
 port 80 tcp
slb service-group SG1 tcp
 member S1 80
 member S2 80
slb virtual-server VS3 5.5.5.100
 port 80 tcp
   name _5.5.5.100_tcp_80
   service-group SG1

5

Thanks dquin
Work fine with snat to vrrp-ip in aflex script

Kind regards!