The carrier-grade network address translation (CGNAT) module on the BIG-IP® system supports large groups of translation addresses using large-scale NAT (LSN) pools and grouping of address-translation-related options in an ALG profile, which can be assigned to multiple virtual servers. It also has the ability to match virtual servers based on client address to destination addresses and ports. Other characteristics of the CGNAT module are listed here.
The CGNAT module can assign the same external (translation) address to all connections originated by the same internal client. For example, providing endpoint-independent address mapping.
CGNAT can accept inbound external connections to active translation address/port combinations to facilitate endpoint-independent filtering as described in section 5 of RFC 4787. This is also known as a full-cone NAT.
CGNAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting and compliance with law enforcement/legal constraints.
Network address and port translation (NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router.
Deterministic mode is an option used to assign translation address, and is port-based on the client address/port and destination address/port. It uses reversible mapping to reduce logging, while maintaining the ability for translated IP address to be discovered for troubleshooting and compliance with regulations. Deterministic mode also provides an option to configure backup-members.
Designed for service providers, the CGNAT module is offered as a stand-alone license or as an add-on license for Local Traffic Manager™ (LTM®) and Policy Enforcement Manager™ (PEM).
Application Layer Gateway (ALG) profiles provide the CGNAT with protocol and service functionality that modifies the necessary application protocol header and payload, thus allowing these protocols to seamlessly traverse the NAT. FTP, RTSP, SIP, and PPTP profiles are supported with ALG profiles, and added to the CGNAT configuration as needed.
The BIG-IP® system enables you to manage RFC-defined behavior for translation address persistence and inbound connections.
When you configure an LSN pool, the CGNAT Persistence Mode setting assigns translation endpoints in accordance with the selected configuration mode: NAPT or Deterministic NAT (DNAT). It is important to note that this CGNAT translation address persistence is different from the persistence used in the BIG-IP Local Traffic Manager™ (LTM®) load balancing. CGNAT translation address persistence uses a selected translation address, or endpoint, across multiple connections from the same subscriber address, or endpoint.
The BIG-IP system provides three Persistence Mode settings (None, Address, and Address Port) for each configuration mode.
|None||Translation addresses are not preserved for the subscriber. Each outbound connection might receive a different translation address. This setting provides the lowest overhead and highest performance.|
|Address||CGNAT preserves the translation address for the subscriber. When a connection is
established, CGNAT determines if this subscriber already has a translation address. If the
subscriber already has a translation address, then CGNAT uses the translation address stored
in the persistence record, and locates a port for that connection. If no port is available,
then CGNAT selects a different address. This setting provides greater overhead on each
connection and less performance.
Note: DNAT reserves both addresses and ports for a subscriber; however, persistence might still be of value when a subscriber's deterministic mappings span two translation addresses. In this instance, persistence prefers the same address each time.
|Address Port||CGNAT preserves the translation address and port of the subscriber's connection, so that the endpoint can be reused on subsequent connections. This setting provides Endpoint Independent Mapping (EIM) behavior. Additionally, like the Address setting for Persistence Mode, this setting provides greater overhead on each connection and less performance.|
The Inbound Connections setting determines whether the Large Scale NAT (LSN) allows connections to be established inbound to the LSN subscriber or client. This setting provides greater overhead, including a lookup on inbound entries for each connection to prevent endpoint overloading, and a reduction in the use of the translation space.
When you disable inbound connections, the BIG-IP system provides greater efficiency in address space utilization by allowing endpoint overloading, where two different subscribers can use the same translation address and port, as long as each subscriber connects to a different host.
When you enable inbound connections, the BIG-IP system restricts the use of a translation address and port to a single subscriber, and ensures that only one subscriber address and port uses a translation endpoint.