iRule matching destination address using VPN
Hello,
I have an F5 running LTM/APM and I'm using the Edge Client for SSL-VPN. As it is now I'm using a full tunnel, since I have both the outside and the inside of the F5 connected to a firewall.
Right now I SNAT and everything works fine, but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks (all private networks).
I have found examples where I sort traffic based on the source (client), but I want to check if the resource the VPN connection is trying to reach is a private address and, if so, use NO SNAT; if the resource is a public address, then use SNAT.
In my example I have IP::client_addr, which returns the address my client is coming from. But I want to see the address I'm going to, through the VPN tunnel.
I get address 192.168.100.200 on my tunnel interface on my client. When I try to reach for example www.sunet.se (192.36.171.231), I want to get that IP and match it against the private networks; if it's a match, no NAT, and otherwise NAT.
Am I being confusing? 🙂
I've been browsing around the iRule reference but can't find anything that suits my needs. I can get my public IP outside the tunnel, I can get the IP of the VS I'm connected to, I can get the IP my tunnel interface has, but I can't get the destination IP. Is it possible?
Best regards,
// Fredrik
# Source-based example: decides SNAT from the client's address, not the destination
when CLIENT_ACCEPTED {
    # RFC 1918 private ranges
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or
         [IP::addr [IP::client_addr] equals 192.168.0.0/16] or
         [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
        snat none
    } else {
        # Tcl requires "else" on the same line as the closing brace
        snat automap
    }
}
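As an added example (not from the original post), here is the same decision keyed on the destination instead of the source. It assumes the iRule is attached to the wildcard forwarding virtual server that carries traffic leaving the Network Access tunnel, where IP::local_addr in CLIENT_ACCEPTED returns the address the VPN client is trying to reach.

```tcl
# Added example: choose SNAT by destination address instead of source.
# Assumption: this iRule sits on the wildcard forwarding virtual server
# that the tunnel's egress traffic hits, so IP::local_addr is the address
# the VPN client is connecting to (e.g. 192.36.171.231 for www.sunet.se).
when CLIENT_ACCEPTED {
    set dst [IP::local_addr]

    # RFC 1918 private ranges: internal resources, reached without SNAT
    if { [IP::addr $dst equals 10.0.0.0/8] or
         [IP::addr $dst equals 172.16.0.0/12] or
         [IP::addr $dst equals 192.168.0.0/16] } {
        snat none
        log local0. "no SNAT: [IP::client_addr] -> $dst"
    } else {
        # anything else is treated as public (internet) and gets automap
        snat automap
        log local0. "SNAT automap: [IP::client_addr] -> $dst"
    }
}
```

The log lines are there so you can confirm in /var/log/ltm which branch each tunnel connection took; drop them once the behaviour is verified.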