Forum Discussion

freman_200486
Jan 12, 2016

iRule matching destination address using VPN

Hello,

I have a F5 running LTP/APM and I'm using the EDGE-client for SSL-VPN. As it is now I'm using a full tunnel since I have both outside and inside of the F5 connected to a firewall.

Right now I SNAT and everything works fine but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks. (all private networks)

I have found examples where I sort traffic based on the source (client) but I want to check if the resource the vpn-connection is trying to reach is a private address and if so use NO SNAT and if the resource is a public address then use SNAT.

In my example I have IP::client_addr which returns the address my client is coming from. But I want to see the address I'm going to, through the vpn-tunnel.

I get address 192.168.100.200 on my tunnel-interface on my client. When I try to reach for example www.sunet.se (192.36.171.231) I want to get that IP and match it against the private networks and if it's a match - no nat and otherwise nat.

Am I being confusing? 🙂

I've been browsing around the iRule reference but can't find anything that suits my needs. I can get my public IP outside the tunnel, I can get the IP of the VS I'm connected to, I can get the IP my tunnel-interface has, but I can't get the destination IP. Is it possible?

Best regards,

// Fredrik

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or
       [IP::addr [IP::client_addr] equals 192.168.0.0/16] or
       [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
    snat none
  } else {
    snat automap
  }
}

  • Hi Fremann,

    you have to change [IP::client_addr] (src_addr) to [IP::local_addr] (dst_addr).

    Note: To see the available IP addresses, you could implement some debug code to write every [IP::x_addr] command into your logfiles.

    when CLIENT_ACCEPTED {
        if { [catch {
            log -noname local0.debug "Client_Addr: [IP::client_addr]"
        }]} then {
            log -noname local0.debug "Client_Addr: Not available"
        }
        if { [catch {
            log -noname local0.debug "Server_Addr: [IP::server_addr]"
        }]} then {
            log -noname local0.debug "Server_Addr: Not available"
        }
        if { [catch {
            log -noname local0.debug "Local_Addr: [IP::local_addr] "
        }]} then {
            log -noname local0.debug "Local_Addr: Not available"
        }
        if { [catch {
            log -noname local0.debug "Remote_Addr: [IP::remote_addr]"
        }]} then {
            log -noname local0.debug "Remote_Addr: Not available"
        }
    }

    Cheers, Kai
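Kai's pointer applied to Fredrik's rule, as an added example that is not from the thread: the destination is read from IP::local_addr, the private ranges live in an IP-type data group so the list can grow without editing the rule, and the decision is logged so a rule that is never hit is easy to tell apart from a match that fails. Assumed: a data group named private_nets_dg (hypothetical name) holding 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and the rule bound to the Network Access listener.

```tcl
# Added example, not from the thread: choose SNAT by the address the tunnel
# client is going TO (IP::local_addr, as Kai suggests) instead of the address
# it is coming FROM (IP::client_addr). The private ranges are looked up in an
# IP-type data group named private_nets_dg (hypothetical name; create it with
# 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 before using the rule).
when CLIENT_ACCEPTED {
    # Guard the destination lookup with catch, following Kai's debug pattern,
    # so an unavailable command falls back to SNAT instead of aborting the rule.
    if { [catch { set dst [IP::local_addr] }] } {
        log local0.debug "SNAT rule: destination address not available, using automap"
        snat automap
        return
    }
    set src [IP::client_addr]

    if { [class match $dst equals private_nets_dg] } {
        # Internal destination: keep the tunnel address as source so the
        # inside firewall still sees the real client (no SNAT).
        snat none
        set action "no-snat"
    } else {
        # Internet-bound destination: SNAT to the egress self IP via automap.
        snat automap
        set action "automap"
    }
    # One line per flow; absence of this line means the rule is not triggered.
    log local0.debug "tunnel flow $src -> $dst proto [IP::protocol]: $action"
}
```

Bind it to the Network Access listener with the tmsh related-rules command Kai gives further down the thread; if the log line never appears, the rule is not being triggered rather than the match failing.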

  • Hello Kai,

    I have used log local0. to see what the following are returning: [IP::remote_addr], [IP::client_addr], [IP::local_addr]

    In my case I get the following:

    [IP::remote_addr] = 193.108.5.* (public address of the client having the edge-client installed)
    [IP::client_addr] = 193.108.5.* (same address as above)
    [IP::local_addr] = 192.165.58.* (address of the VS the edge-client is connecting to)

    What I can't see is the IP of the site I'm browsing to through the tunnel. If I open a browser and go to www.sunet.se I still get the same IPs returned from [IP::remote_addr], [IP::client_addr], [IP::local_addr].

    I'd like to see the address of the site I'm connecting to, 192.36.171.231, so I can use that as a matching condition in my iRule.

    Any other tips on how to get this information in an iRule?

    Regards

    // Fredrik

  • Hi Freman,

    it seems that the iRule is not triggered for the traffic passing through the tunnel.

    I've asked Google and got the response back that you have to assign the iRule as a "related-rule" to enable it for the Network Access tunnel-listener...

    tmsh modify ltm virtual YOUR_VS_NAME related-rules { YOUR_RULE_NAME }

    Cheers, Kai

  • Hello again,

    I tried your suggestion above but I get no hits on the iRule when I look at my logging.

    Might try to do a partition and a route-domain and connect that to my firewall. Then the F5 can still be the termination point for my VPN and I do NO NAT and then let the firewall do the NATting externally instead.

    It would be nice though to be able to solve this in the F5 anyway. :)

    Thank you for your help so far :)

    Regards

    // Fredrik

    • Kai_Wilke

      Hi Freman,

      The available information on the rather new "related-rules" command and the valid use cases are almost non-existent. So you may ask F5 support for further assistance and then keep us updated... :-)

      Cheers, Kai
  • I will pass the question on and as soon as I know more I will post it here :)

    Cheers, Fredrik

    • Piotr_Bratkows3

      Hello,

      Any findings in that matter? I've tried to set this up in my lab, but it's not working at all :/

      Regards, Piotr

  • This is exactly what we are needing at the moment. Did you get this resolved, freman?

  • Hi Daniel,

    I guess the problem of this topic is related to an already fixed APM issue, which had caused APM to ignore the "related-rules" settings of the connected virtual server.

    https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-11-6-1.htmlA519415-3

    So you may try the [catch] [log] iRule below and then bind this iRule using the command below...

    tmsh modify ltm virtual YOUR_VS_NAME related-rules { YOUR_RULE_NAME }

    Cheers, Kai