The negation operator
Another way to exclude a subset of traffic from being translated is to use the negation operator (exclamation mark [!]) in a match criterion. The following example provides the same functionality as the previous example but uses the negation operator instead of the exclude option.
| Step | Command |
|---|---|
| Create SNAT rule 10. | |
| Apply this rule to packets coming from any host on the 192.168.0.0/24 network, not going to the 192.168.50.0/24 network, and egressing through the dp0p1p1 interface. | |
| Use the primary IP address of the outbound interface as the translation address. | |
| Commit the change. | |
| Show the configuration. | |
Note that you should take extreme care when combining more than one rule that uses the negation operator. NAT rules are evaluated sequentially and the first matching rule is applied, so a sequence of rules that each use the negation operator can produce unexpected results.
Consider the set of two NAT rules shown in the following example.
Multiple source NAT rules that use the negation operator: unexpected behavior
```
rule 10 {
    destination {
        address !192.168.50.0/24
    }
    outbound-interface dp0p1p1
    source {
        address 192.168.0.0/24
    }
    translation {
        address masquerade
    }
}
rule 20 {
    destination {
        address !172.16.50.0/24
    }
    outbound-interface dp0p1p1
    source {
        address 192.168.0.0/24
    }
    translation {
        address masquerade
    }
}
```
This combination of rules does not exclude the 192.168.50.0/24 and 172.16.50.0/24 networks. As previously explained, NAT rules are evaluated sequentially: when a packet arrives, it is tested against the first rule and, if it does not match, against the second rule, and so on until it matches a rule. Only that first matching rule is applied.
In the example, a packet with a destination in 192.168.50.0/24 does not meet the match criteria of rule 10, which matches only packets with a destination not in 192.168.50.0/24. As a result, the packet "falls through" to rule 20. That packet does match rule 20, because its destination is not in 172.16.50.0/24; therefore NAT is applied to it, which is not the desired result.
Similarly, a packet with a destination in 172.16.50.0/24 is matched by rule 10, because its destination is not in 192.168.50.0/24, and has NAT applied by rule 10. The only traffic these two rules leave untranslated is traffic that matches neither rule, for example traffic that is not sourced from 192.168.0.0/24 or does not egress through dp0p1p1. To leave both destination networks untranslated, use a separate rule with the exclude option for each network, ordered before the rule that performs the translation, as in the previous example.
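The following Python script is an added example, not code from the page or from the vRouter itself: a small first-match simulator of the rule evaluation described above. It encodes the page's rule 10 and rule 20, then a corrected rule set that uses one exclude rule per destination network ahead of the masquerade rule. The simulator's semantics are assumptions made for illustration: an absent `source`, `destination` or `outbound-interface` criterion matches anything, a `!` prefix negates a network match, and an exclude rule is modelled as "match, then stop with no translation". The packets are constructed sample input.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set mirroring the page's rule 10 / rule 20 (hypothetical
# simulator, not vRouter code). A destination prefixed with "!" is the
# negation operator: "not in this network".
RULES_NEGATION = [
    {"rule": 10, "outbound_interface": "dp0p1p1", "source": "192.168.0.0/24",
     "destination": "!192.168.50.0/24", "translation": "masquerade"},
    {"rule": 20, "outbound_interface": "dp0p1p1", "source": "192.168.0.0/24",
     "destination": "!172.16.50.0/24", "translation": "masquerade"},
]

# Assumed fix: one exclude rule per protected network, ordered before the
# masquerade rule. "exclude" is modelled here as "match, then stop with no
# translation" (assumption about the exclude option's semantics).
RULES_EXCLUDE = [
    {"rule": 10, "outbound_interface": "dp0p1p1", "source": "192.168.0.0/24",
     "destination": "192.168.50.0/24", "exclude": True},
    {"rule": 20, "outbound_interface": "dp0p1p1", "source": "192.168.0.0/24",
     "destination": "172.16.50.0/24", "exclude": True},
    {"rule": 30, "outbound_interface": "dp0p1p1", "source": "192.168.0.0/24",
     "translation": "masquerade"},
]

# Constructed sample packets: source, destination, egress interface.
PKT_TO_192_168_50 = {"src": "192.168.0.10", "dst": "192.168.50.5", "egress": "dp0p1p1"}
PKT_TO_172_16_50 = {"src": "192.168.0.10", "dst": "172.16.50.5", "egress": "dp0p1p1"}
PKT_TO_INTERNET = {"src": "192.168.0.10", "dst": "203.0.113.7", "egress": "dp0p1p1"}
PKT_OTHER_INTERFACE = {"src": "192.168.0.10", "dst": "203.0.113.7", "egress": "dp0p1p2"}


def address_matches(addr, spec):
    """Match one IP address against a network spec.

    None means "any"; a leading "!" negates the match (negation operator).
    """
    if spec is None:
        return True
    negate = spec.startswith("!")
    network = ip_network(spec[1:] if negate else spec)
    inside = ip_address(addr) in network
    return not inside if negate else inside


def evaluate(rules, packet):
    """Sequential first-match evaluation of source NAT rules.

    Returns (rule number, translation). translation is None when the matching
    rule is an exclude rule (no NAT), and both are None when nothing matches.
    """
    for rule in sorted(rules, key=lambda r: r["rule"]):
        iface = rule.get("outbound_interface")
        if iface is not None and iface != packet["egress"]:
            continue
        if not address_matches(packet["src"], rule.get("source")):
            continue
        if not address_matches(packet["dst"], rule.get("destination")):
            continue
        if rule.get("exclude"):
            return rule["rule"], None  # matched an exclude rule: leave untranslated
        return rule["rule"], rule["translation"]
    return None, None


if __name__ == "__main__":
    samples = [("to 192.168.50.0/24", PKT_TO_192_168_50),
               ("to 172.16.50.0/24", PKT_TO_172_16_50),
               ("to the Internet", PKT_TO_INTERNET),
               ("via other interface", PKT_OTHER_INTERFACE)]
    for label, pkt in samples:
        print(f"{label:22} negation rules -> {evaluate(RULES_NEGATION, pkt)}"
              f"   exclude rules -> {evaluate(RULES_EXCLUDE, pkt)}")
```

Running it reproduces the page's point: with the two negation rules, a packet to 192.168.50.0/24 falls through rule 10 and is masqueraded by rule 20, and a packet to 172.16.50.0/24 is masqueraded by rule 10. With the exclude rules ordered first, each protected destination hits its exclude rule and stops, and only the remaining traffic reaches rule 30.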