You can configure the BIG-IP® system to translation IP addresses in packets that pass through the system. You can configure objects for both network address translation (NATs) and source network address translation (SNATs).
A SNAT is similar to a NAT, except for the differences listed in this table.
|You can map only one original address to a translation address.||You can map multiple original addresses to a single translation address. You can even map all node addresses on your network to a single public IP address, in a single SNAT object.|
|All ports on the internal node are open.||By default, SNATs support UDP and TCP only. This makes a SNAT more secure than a NAT.|
|Local Traffic Manager™ does not track NAT connections.||Local Traffic Manager tracks SNAT connections, which, in turn, allows SNATs and virtual servers to use the same public IP addresses.|
|You must explicitly enable a NAT on the internal VLAN where the internal node’s traffic arrives on the BIG-IP® system.||By default, a SNAT that you create is enabled on all VLANs.|
In some cases, you might want to allow a client on an external network to send a request directly to a specific internal node (thus bypassing the normal load balancing server selection). To send a request directly to an internal server, a client normally needs to know the internal node’s IP address, which is typically a private class IP address. Because private class IP addresses are non-routable, you can instead create a network translation address (NAT). A NAT is a feature of BIG-IP® Local Traffic Manager™that provides a routable IP address that an external node can use to send traffic to, or receive traffic from, an internal node.
More specifically, a NAT is an address translation object that instructs Local Traffic Manager (LTM®) to translate one IP address in a packet header to another IP address. A NAT consists of a one-to-one mapping of a public IP address to an internal private class IP address.
You can use a NAT in two different ways:
To summarize, a NAT provides a routable address for sending packets to or from a node that has a private class IP address.
When you create a NAT, you can map only one private class IP address to a specific public IP address. That is, a NAT always represents a one-to-one mapping between a private class IP address and a public IP address. If you want to map more than one private class IP address (that is, multiple internal nodes) to a single public IP address, you can create a SNAT instead.
Local Traffic Manager can apply a NAT to either an inbound or an outbound connection.
With respect to NATs, an inbound connection is a connection that is initiated by a node on an external network, and comes into the BIG-IP® system to a node on the internal network.
Normally, traffic coming into the BIG-IP system is load balanced to a server in a pool, based on the load balancing method configured for that pool, in the following way:
This typical load balancing scenario ensures that for load balanced traffic, the client system never sees the internal private class IP address of an internal node.
If the client system wants to bypass the load balancing mechanism to send packets directly to a specific node on the internal network, the client needs a routable IP address to use to send packets to that server node.
A NAT solves this problem by providing a routable address that a client can use to make a request to an internal server directly. In this way, a NAT performs the same type of address translation that a virtual server performs when load balancing connections to pool members. In the case of a NAT, however, no load balancing occurs, because the client is sending a request to a specific node. The NAT translates the public destination IP address in the request to the private class IP address of the internal node.
When the server node sends the response, Local Traffic Manager performs the reverse translation, in the same way that a virtual server behaves.
For example, suppose a node on the internal network (such as a load balancing server) has a private class IP address of 172.16.20.3. You can create a NAT designed to translate a public destination address of your choice (such as 22.214.171.124) to the private class address 172.16.20.3. Consequently, whenever a node on the external network initiates a connection to the address 126.96.36.199, Local Traffic Manager translates that public destination address to the private class address 172.16.20.3.
Sample NAT for an inbound connection
In this example, the NAT provides a routable address for an external node to initiate a connection to an internal node.
When you create a NAT, you must define two settings: NAT Address and Origin Address. In our example:
The previous section summarized how a BIG-IP® system normally load balances incoming traffic, and translates the source IP address in a response back to the virtual address.
Sometimes, however, an internal node needs to initiate a connection, rather than simply respond to a request. When a node on an internal network initiates a connection, the connection is considered to be an outbound connection. In this case, because the outgoing packets do not represent a response to a load-balanced request, the packets do not pass through a virtual server, and therefore the system does not perform the usual source IP address translation.
Without a NAT, the source IP address is a non-routable address. With a NAT, however, Local Traffic Manager™ translates the internal node’s private class IP address to a public IP address, to which the external node can then route its response.
For example, suppose an internal node (such as a mail server) has a private class IP address of 172.16.20.1. You can create a NAT designed to translate the private class address 172.16.20.1 to a public source address of your choice (such as 188.8.131.52). Consequently, whenever the internal node 172.16.20.1 initiates a connection destined for a node on the external network, the system translates that source address of 172.16.20.1 to its public address (184.108.40.206).
Sample NAT for an outbound connection
In this example, the NAT provides a way for an internal node to initiate a connection to a node on an external network, without showing a private class IP address as the source address.
A NAT has two settings; NAT Address and Origin Address. In this example:
A NAT always represents a one-to-one mapping between a public address and a private class address. However, if you would like to map multiple internal nodes to a single public address, you can use a secure network translation address (SNAT) instead of a NAT. You can use SNATs for outbound connections only.
You enable network address translation (NAT) so that the BIG-IP® system can translate one IP address to another.
When you need to ensure that server responses always return through the BIG-IP® system, or when you want to hide the source addresses of server-initiated requests from external devices, you can implement a SNAT.
A secure network address translation (SNAT) is a BIG-IP Local Traffic Manager™ feature that translates the source IP address within a connection to a BIG-IP system IP address that you define. The destination node then uses that new source address as its destination address when responding to the request.
For inbound connections, that is, connections initiated by a client node, SNATs ensure that server nodes always send responses back through the BIG-IP system, when the server’s default route would not normally do so. Because a SNAT causes the server to send the response back through the BIG-IP system, the client sees that the response came from the address to which the client sent the request, and consequently accepts the response.
For outbound connections, that is, connections initiated by a server node, SNATs ensure that the internal IP address of the server node remains hidden to an external host when the server initiates a connection to that host.
In the most common client-server network configuration, the Local Traffic Manager™ standard address translation mechanism ensures that server responses return to the client through the BIG-IP® system, thereby reversing the original destination IP address translation. This typical network configuration is as follows:
However, there are atypical network configurations in which the standard BIG-IP system address translation sequence by itself does not ensure that server responses use the required return path. Examples of these atypical configurations are:
This image shows a typical problem for client-initiated connections when Local Traffic Manager is not defined as the server’s default gateway, and you have not configured a SNAT for inbound traffic.
Client rejects response due to non-matching destination and source IP addresses
To prevent these problems, you can configure an inbound SNAT. An inbound SNAT translates the original client source IP address in a request to a BIG-IP system virtual server or BIG-IP system self IP address, forcing subsequent server response to return directly to Local Traffic Manager. When an inbound SNAT is configured on the system, Local Traffic Manager translates not only the destination IP address in the request (using the standard address translation mechanism), but also the source IP address in the request (using a SNAT).
The figure below shows that by configuring a SNAT, you ensure that the response returns through the BIG-IP system instead of through the default gateway, thus ensuring that the client can accept the server response.
Client accepts response due to matching destination and source IP addresses
When an internal server initiates a connection to an external host, a SNAT can translate the private, source IP addresses of one or more servers within the outgoing connection to a single, publicly-routable address. The external destination host can then use this public address as a destination address when sending the response. In this way, the private class IP addresses of the internal nodes remain hidden from the external host.
More specifically, a SNAT for an outgoing connection works in the following way:
In this example of an outgoing SNAT, Local Traffic Manager causes three internal nodes, with the IP addresses 172.16.20.4, 172.16.20.5, and 172.16.20.6, to advertise the public IP address 220.127.116.11 as the source IP address in the three outgoing connections.
Sample SNAT for multiple outgoing connections
The types of SNATs you can create are:
You can specify the translation addresses that you want to map to your original IP addresses. A translation address can be in these three forms:
You can specify the original IP addresses that you want to map to translation addresses. You can specify one IP address or multiple IP addresses.
You can specify one or more VLANs to which you want the SNAT to apply.
When you use a secure network address translation (SNAT) for client-initiated (inbound) connections, the availability of ephemeral ports can become diminished and possibly exhausted, resulting in an inability of the SNAT to process additional connections until source ports again become available. You can configure the BIG-IP® system to accumulate real-time ephemeral-port statistics, and when usage exceeds a specified threshold level, to log an error and provide a Simple Network Management Protocol (SNMP) alert notification, thus enabling you to assess an approaching exhaustion of ephemeral ports and respond accordingly.
When configuring ephemeral port exhaustion functionality, you can enable the port exhaustion threshold, specify a threshold trigger level, and specify a timeout duration in seconds. The following commands apply default values.
# tmsh modify ltm global-settings traffic-control port-find-threshold-warning enabled # tmsh modify ltm global-settings traffic-control port-find-threshold-trigger 8 # tmsh modify ltm global-settings traffic-control port-find-threshold-timeout 30
You can view a summary of the traffic control settings by typing the following command at the command line: tmsh list ltm global-settings traffic-control all-properties.
Note that you need to configure logging functionality, for example, high-speed remote logging, to log any ephemeral port exhaustion error messages. Additionally, you will want to manage any alert notifications by using SNMP.
This topic summarizes the settings available for notification of ephemeral port exhaustion.
|Traffic-Control Parameter||Default Value||Description|
|port-find-threshold-warning||enabled||Enables or disables ephemeral port-exhaustion threshold warning functionality.|
|port-find-threshold-trigger||8||Specifies the number of attempts to find an unused outbound port for a connection, beyond which the probability of port exhaustion signficantly increases. Values can range from 1 through 12.|
|port-find-threshold-timeout||30||Specifies the period, in seconds, from one threshold trigger until a subsequent threshold trigger. If the value for this period is exceeded, the threshold warning expires and resets. Values can range from 0 through 300 seconds.|