Manual Chapter 15: NATs
In some cases, you might want to allow a client on an external network to send a request directly to a specific internal node (thus bypassing the normal load balancing server selection). To send a request directly to an internal server, a client normally needs to know the internal node's IP address, which is typically a private class IP address. Because private class IP addresses are non-routable, you can instead create a network translation address (NAT). A NAT is a feature of BIG-IP® Local Traffic Manager™ that provides a routable IP address that an external node can use to send traffic to, or receive traffic from, an internal node.
More specifically, a NAT is an address translation object that instructs Local Traffic Manager to translate one IP address in a packet header to another IP address. A NAT consists of a one-to-one mapping of a public IP address to an internal private class IP address.
To translate a private class destination address to a public address
When an external node sends traffic to the public IP address defined in a NAT, Local Traffic Manager automatically translates that destination address to the associated private class IP address, which represents a specific node on the internal network. This translation is hidden from the external node that sent the traffic.
To translate a private class source address to a public address
You can also use a NAT to translate an internal node's private class source IP address to a public IP address. This translation is hidden from the external node that receives the traffic.
When you create a NAT, you can map only one private class IP address to a specific public IP address. That is, a NAT always represents a one-to-one mapping between a private class IP address and a public IP address. If you want to map more than one private class IP address (that is, multiple internal nodes) to a single public IP address, you can create a SNAT instead.
To configure and manage NATs, log in to the BIG-IP Configuration utility, and on the Main tab, expand Local Traffic, and click SNATs.
Note: NATs do not support port translation, and are not appropriate for protocols that embed IP addresses in the packet, such as FTP, NT Domain, or CORBA IIOP.
Tip: When you use a NAT to provide access to an internal node, all ports on that internal node are open. To mitigate this security risk, consider using a SNAT instead.
Table 15.1 shows the settings that you can configure for a NAT, with a description of each.
NAT Address: An external, routable IP address on the BIG-IP system that you want external nodes to send connections to (for inbound connections) or receive connections from (for outbound connections).
Traffic Group: The traffic group to which the NAT belongs. The default is Inherit traffic group from current partition / path.
ARP: A setting that instructs the BIG-IP system to respond to ARP requests for the specified NAT address, and to send gratuitous ARP requests for router table updates.
VLAN Traffic: The specific VLAN corresponding to the NAT address or origin address. VLANs to which the NAT is not to be mapped can be explicitly disabled, for example when there is more than one internal VLAN.
Auto Last Hop: Returns packets to the MAC address from which they were sent. This enables you to configure auto last hop on a per-NAT basis. Options are: Default, Enabled, and Disabled. The default is Default, meaning that the system uses the global auto-lasthop setting to send back the response.
With respect to NATs, an inbound connection is a connection that is initiated by a node on an external network, and comes into the BIG-IP system to a node on the internal network.
Normally, traffic coming into the BIG-IP system is load balanced to a server in a pool, based on the load balancing method configured for that pool, in the following way:
1. A client on an external network typically sends traffic to a virtual server on the BIG-IP system. The destination IP address in this case is the virtual server address.
2. Upon receiving a packet, the virtual server typically translates that destination IP address to the IP address of a pool member, for the purpose of load balancing that packet.
3. The pool member then sends its response back through the BIG-IP system, using a route specified in the server node's routing table (ideally, a floating IP address assigned to an internal VLAN). On receiving the response, Local Traffic Manager performs the reverse translation; that is, the system translates the pool member's actual source address to the virtual server address. As a result, the source address in the response to the client is the virtual server address, which is the source address that the client expects to see.
This typical load balancing scenario ensures that for load balanced traffic, the client system never sees the internal private class IP address of an internal node.
If the client system wants to bypass the load balancing mechanism to send packets directly to a specific node on the internal network, the client needs a routable IP address to use to send packets to that server node.
A NAT solves this problem by providing a routable address that a client can use to make a request to an internal server directly. In this way, a NAT performs the same type of address translation that a virtual server performs when load balancing connections to pool members. In the case of a NAT, however, no load balancing occurs, because the client is sending a request to a specific node. The NAT translates the public destination IP address in the request to the private class IP address of the internal node.
When the server node sends the response, Local Traffic Manager performs the reverse translation, in the same way that a virtual server behaves. (For more information on this reverse translation, see Without a NAT.)
Note: Local Traffic Manager does not track NAT connections. Therefore, the public IP address that you define in a NAT cannot be the same address as a virtual address or SNAT address.
Suppose a node on the internal network (such as a load balancing server) has a private class IP address of 172.16.20.3. You can create a NAT designed to translate a public destination address of your choice (such as 207.10.1.103) to the private class address 172.16.20.3. Consequently, whenever a node on the external network initiates a connection to the address 207.10.1.103, Local Traffic Manager translates that public destination address to the private class address 172.16.20.3.
Figure 15.1 illustrates the address translation that occurs for an inbound connection.
When you create a NAT, you must define two settings: NAT Address and Origin Address. In our example:
The NAT address is 207.10.1.103, and the origin address is 172.16.20.3.
The connection is an inbound connection, meaning that the connection is being initiated from the external network, through the BIG-IP system, to the internal network.
The previous section summarized how a BIG-IP system normally load balances incoming traffic, and translates the source IP address in a response back to the virtual address.
Sometimes, however, an internal node needs to initiate a connection, rather than simply respond to a request. When a node on an internal network initiates a connection, the connection is considered to be an outbound connection. In this case, because the outgoing packets do not represent a response to a load-balanced request, the packets do not pass through a virtual server, and therefore the system does not perform the usual source IP address translation.
Without a NAT, the source IP address is a non-routable address. With a NAT, however, Local Traffic Manager translates the internal node's private class IP address to a public IP address, to which the external node can then route its response.
Suppose an internal node (such as a mail server) has a private class IP address of 172.16.20.1. You can create a NAT designed to translate the private class address 172.16.20.1 to a public source address of your choice (such as 207.10.1.101). Consequently, whenever the internal node 172.16.20.1 initiates a connection destined for a node on the external network, the system translates that source address of 172.16.20.1 to its public address (207.10.1.101).
Figure 15.2 illustrates the address translation that occurs for an outbound connection.
In this example, the NAT provides a way for an internal node to initiate a connection to a node on an external network, without showing a private class IP address as the source address.
As previously mentioned, a NAT has two settings: NAT Address and Origin Address. In this example:
The NAT address is 207.10.1.101, and the origin address is 172.16.20.1.
The connection is an outbound connection, meaning that the connection is being initiated from the internal network, through Local Traffic Manager, to the external network.
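The two NATs from this chapter's inbound and outbound examples, expressed as tmsh commands rather than Configuration utility settings. This is an added example and not part of the F5 manual; the object names nat_app_in and nat_mail_out, the VLAN name external, and the use of traffic-group-1 are assumptions, and the property names should be confirmed against tmsh help ltm nat on your version.

```tmsh
# Added example, not from the F5 manual. Object names (nat_app_in, nat_mail_out),
# the VLAN name "external" and the use of traffic-group-1 are assumptions.

# Inbound example (Figure 15.1): external clients send to 207.10.1.103 and the
# system rewrites the destination to the internal node 172.16.20.3. The mapping
# is one-to-one and ports pass through unchanged (NATs do not translate ports).
# Enabling ARP lets the system answer for the NAT address; limiting the NAT to the
# external VLAN keeps it from being applied on internal VLANs it was not meant for.
create ltm nat nat_app_in translation-address 207.10.1.103 originating-address 172.16.20.3 arp enabled auto-lasthop default vlans-enabled vlans add { external }

# Outbound example (Figure 15.2): connections initiated by 172.16.20.1 leave with
# the routable source address 207.10.1.101, so the external node can route its reply.
# Because a NAT is one-to-one, a second internal node cannot share 207.10.1.101;
# for many-to-one outbound translation the chapter points to a SNAT instead.
create ltm nat nat_mail_out translation-address 207.10.1.101 originating-address 172.16.20.1 arp enabled traffic-group traffic-group-1

# Review the resulting objects.
list ltm nat

# The chapter notes that NAT connections are not tracked, so a NAT address must
# not also be a virtual address or a SNAT translation address. Each of these
# lookups should report that no such object exists for the NAT addresses used above.
list ltm virtual-address 207.10.1.103
list ltm virtual-address 207.10.1.101
list ltm snat-translation 207.10.1.103
list ltm snat-translation 207.10.1.101

save sys config
```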
A NAT always represents a one-to-one mapping between a public address and a private class address. However, if you would like to map multiple internal nodes to a single public address, you can use a secure network translation address (SNAT) instead of a NAT. You can use SNATs for outbound connections only.