F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP CGNAT: Implementations
  5. Deploying a Carrier Grade NAT
Manual Chapter : Deploying a Carrier Grade NAT

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | Next Chapter >>

Deploying a Carrier Grade NAT

About the carrier-grade NAT (CGNAT) module

The carrier-grade network address translation (CGNAT) module on the BIG-IP® system supports large groups of translation addresses using large-scale NAT (LSN) pools and grouping of address-translation-related options in an ALG profile, which can be assigned to multiple virtual servers. It also has the ability to match virtual servers based on client address to destination addresses and ports. Other characteristics of the CGNAT module are listed here.

Translation address persistence

The CGNAT module can assign the same external (translation) address to all connections originated by the same internal client. For example, providing endpoint-independent address mapping.

Automatic external inbound connection handling

CGNAT can accept inbound external connections to active translation address/port combinations to facilitate endpoint-independent filtering as described in section 5 of RFC 4787. This is also known as a full-cone NAT.

More efficient logging

CGNAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting and compliance with law enforcement/legal constraints.

Network address and port translation

Network address and port translation (NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router.

Deterministic assignment of translation addresses

Deterministic mode is an option used to assign translation address, and is port-based on the client address/port and destination address/port. It uses reversible mapping to reduce logging, while maintaining the ability for translated IP address to be discovered for troubleshooting and compliance with regulations. Deterministic mode also provides an option to configure backup-members.

Licensing

Designed for service providers, the CGNAT module is offered as a stand-alone license or as an add-on license for Local Traffic Manager™ (LTM®) and Policy Enforcement Manager™ (PEM).

About ALG Profiles

Application Layer Gateway (ALG) profiles provide the CGNAT with protocol and service functionality that modifies the necessary application protocol header and payload, thus allowing these protocols to seamlessly traverse the NAT. FTP, RTSP, SIP, and PPTP profiles are supported with ALG profiles, and added to the CGNAT configuration as needed.

Important: ALG traffic cannot use a deterministically-mapped address. Use a separate NAPT pool for these translations.

About CGNAT translation address persistence and inbound connections

The BIG-IP® system enables you to manage RFC-defined behavior for translation address persistence and inbound connections.

Translation Address Persistence

When you configure an LSN pool, the CGNAT Persistence Mode setting assigns translation endpoints in accordance with the selected configuration mode: NAPT or Deterministic NAT (DNAT). It is important to note that this CGNAT translation address persistence is different from the persistence used in the BIG-IP Local Traffic Manager™ (LTM®) load balancing. CGNAT translation address persistence uses a selected translation address, or endpoint, across multiple connections from the same subscriber address, or endpoint.

The BIG-IP system provides three Persistence Mode settings (None, Address, and Address Port) for each configuration mode.

Persistence Mode Description
None Translation addresses are not preserved for the subscriber. Each outbound connection might receive a different translation address. This setting provides the lowest overhead and highest performance.
Address CGNAT preserves the translation address for the subscriber. When a connection is established, CGNAT determines if this subscriber already has a translation address. If the subscriber already has a translation address, then CGNAT uses the translation address stored in the persistence record, and locates a port for that connection. If no port is available, then CGNAT selects a different address. This setting provides greater overhead on each connection and less performance.
Note: DNAT reserves both addresses and ports for a subscriber; however, persistence might still be of value when a subscriber's deterministic mappings span two translation addresses. In this instance, persistence prefers the same address each time.
Address Port CGNAT preserves the translation address and port of the subscriber's connection, so that the endpoint can be reused on subsequent connections. This setting provides Endpoint Independent Mapping (EIM) behavior. Additionally, like the Address setting for Persistence Mode, this setting provides greater overhead on each connection and less performance.

Inbound Connections

The Inbound Connections setting determines whether the Large Scale NAT (LSN) allows connections to be established inbound to the LSN subscriber or client. This setting provides greater overhead, including a lookup on inbound entries for each connection to prevent endpoint overloading, and a reduction in the use of the translation space.

When you disable inbound connections, the BIG-IP system provides greater efficiency in address space utilization by allowing endpoint overloading, where two different subscribers can use the same translation address and port, as long as each subscriber connects to a different host.

When you enable inbound connections, the BIG-IP system restricts the use of a translation address and port to a single subscriber, and ensures that only one subscriber address and port uses a translation endpoint.

Note: Because DNAT reserves addresses and ports for a subscriber, no endpoint overloading between subscribers occurs, but a single subscriber's traffic can leverage overloading. Inbound connections restrict this behavior. For DNAT, increased restriction from inbound connections might occur when fewer ports per subscriber are available. With inbound connections enabled, the ratio of subscriber ports to translation endpoints for a subscriber is 1:1.

Task summary

Creating an LSN pool

The CGNAT module must be enabled through the System > Resource Provisioning screen before you can create LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  5. Click Finished.
Your LSN pool is now ready, and you can continue to configure your CGNAT.

Configuring a SIP ALG profile

You must have a SIP registrar and proxy configured prior to using a SIP ALG profile.
The SIP ALG profile provides the CGNAT module with enough protocol and service knowledge to make specified packet modifications to the IP and TCP/UDP headers, as well as the SIP payload during translation.
Important: Edit only copies of the included ALG profiles to avoid unwanted propagation of settings to other profiles that use the included profiles as parents.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > SIP .
    The SIP screen opens and displays a list of available SIP ALG profiles.
  2. Click Create.
    The New SIP Profile screen opens.
  3. Type a name for the new profile.
  4. From the Parent Profile list, ensure that sip is selected as the new profile.
  5. Select the Custom check box on the right.
  6. For the Terminate on BYE setting, select the Enabled check box.
  7. Select the Dialog Aware check box.
  8. Type a unique community string in the Community field.
  9. From the Insert Via Header list, select Enabled.
  10. Click Finished to save the new SIP ALG profile.
  11. You must also create two virtual servers: one to handle SIP TCP traffic and another to handle SIP UDP traffic.
    1. Create a host virtual server with a Source address of 0.0.0.0/0 and a Destination type set as Network, as well as a Mask of 0.0.0.0 and a Service Port of 5060.
    2. From the Protocol list, select TCP.
    3. From the SIP Profile list, select a SIP profile.
    4. From the VLAN and Tunnel Traffic list, select All VLANs and Tunnels.
    5. From the LSN Pool list, select an LSN pool.
    6. Repeat the virtual server creation procedure, and then from the Protocol list, choose UDP. Also choose the SSL client, SSL server, and Authentication profiles from their respective lists as needed.
    You now have a TCP and UDP virtual server to handle SIP traffic.
You now have a SIP ALG profile for use by CGNAT.

Configuring a CGNAT iRule

You create iRules® to automate traffic forwarding for XML content-based routing. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to an LSN pool, a node, or virtual server.
  1. On the Main tab, click Carrier Grade NAT > iRules .
    The iRule List screen opens.
  2. Click Create.
  3. In the Name field, type a 1 to 31 character name, such as cgn_https_redirect_iRule.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
  5. Click Finished.
You now have an iRule to use with a CGNAT virtual server.

Creating a virtual server for an LSN pool

Virtual servers are matched based on source (client) addresses. Define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Servers screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Performance (Layer 4).
  5. For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
  6. In the Service Port field, type * or select * All Ports from the list.
  7. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  8. For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
  9. In the Resources area of the screen, for the iRules setting, select the name of the iRule that you want to assign and using the Move button, move the name from the Available list to the Enabled list.
  10. Click Finished.
The custom CGNAT virtual server now appears in the CGNAT Virtual Servers list.

Creating a CGNAT tunnel

Many translations use tunneling to move TCP/UDP traffic where the payload is other IP traffic. You can create and configure a tunnel for use with an LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Tunnels .
    The Tunnels screen opens.
  2. Click Create.
    The New Tunnel screen opens.
  3. In the Name field, type a unique name for the tunnel.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. From the Remote Address list, retain the default selection, Any.
    This entry means that you do not have to specify the IP address of the remote end of the tunnel, which allows multiple devices to use the same tunnel.
  6. Click Finished.
Your CGNAT tunnel is ready to use as an egress interface in an LSN Pool.
Table of Contents | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information