IP Forwarding Virtual Server v/s SNAT
For testing, I created a SNAT object, added the two private nodes in the inside address list, and gave their vserver as the outside address. "tmsh show /sys connection" showed all traffic sourced from the nodes being SNAT'd to their vserver address. We do want traffic to get SNAT'd but only for destinations off-campus. Is there any way to do that by creating a SNAT object?
Can you try something like this? Only the virtual server is used (no snat list), but the upstream device needs to have a route or ARP for 190.191.192.193 (to bigip).
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal node_address
ltm data-group internal node_address {
    records {
        10.10.10.1/32 { }
        10.10.10.2/32 { }
    }
    type ip
}

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal campus_address
ltm data-group internal campus_address {
    records {
        65.66.67.68/32 { }
    }
    type ip
}

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        if { [class match -- [IP::client_addr] equals node_address] } {
            if { [class match -- [IP::server_addr] equals campus_address] } {
                snat none
            } else {
                snat 190.191.192.193
            }
        }
    }
}
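An added example, not part of the original thread: a small Python model of the iRule's decision that can be used to check observed connections against the intended policy (on-campus destinations untranslated, everything else leaving as 190.191.192.193). The flow tuples are constructed sample data, the function names are hypothetical, and clients outside node_address are assumed to pass through untranslated because the rule issues no snat command for them.

```python
import ipaddress

# Values taken from the data-groups and iRule in the answer above.
NODE_ADDRESS = [ipaddress.ip_network(n) for n in ("10.10.10.1/32", "10.10.10.2/32")]
CAMPUS_ADDRESS = [ipaddress.ip_network("65.66.67.68/32")]
SNAT_ADDRESS = ipaddress.ip_address("190.191.192.193")


def in_group(addr, group):
    """Model of 'class match -- <addr> equals <group>' for a type-ip data-group."""
    return any(addr in net for net in group)


def expected_source(client, dest):
    """Source address the rule should leave on the server-side flow."""
    client = ipaddress.ip_address(client)
    dest = ipaddress.ip_address(dest)
    if not in_group(client, NODE_ADDRESS):
        return client          # assumption: no snat command runs, flow is untranslated
    if in_group(dest, CAMPUS_ADDRESS):
        return client          # snat none
    return SNAT_ADDRESS        # snat 190.191.192.193


def audit(flows):
    """Return (client, dest, seen, expected) for flows that violate the rule."""
    bad = []
    for client, dest, seen in flows:
        want = expected_source(client, dest)
        if ipaddress.ip_address(seen) != want:
            bad.append((client, dest, seen, str(want)))
    return bad


# Constructed sample flows: (client address, destination, server-side source seen).
SAMPLE_FLOWS = [
    ("10.10.10.1", "65.66.67.68", "10.10.10.1"),        # on-campus, untranslated: ok
    ("10.10.10.2", "198.51.100.7", "190.191.192.193"),  # off-campus, SNAT'd: ok
    ("10.10.10.1", "65.66.67.68", "190.191.192.193"),   # on-campus but SNAT'd
    ("10.10.10.2", "203.0.113.9", "10.10.10.2"),        # off-campus, private source leaked
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("mismatch: client=%s dest=%s seen=%s expected=%s" % row)
```

The last constructed flow is the case that matters most operationally: a private node address leaving for an off-campus destination without translation.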
Would really appreciate any suggestions/pointers to my second question.
It may be easier if you can provide some example.