Managing NAT Policies and Translations

About NAT policies and translations

You can use network address translation (NAT) policies to translate network addresses. A NAT policy contains rules, and each rule references a NAT source translation and a NAT destination translation.

You associate a NAT policy with a firewall context by adding it to the NAT Policy property of the firewall context.

You can discover a NAT policy on a BIG-IP® device version 12.1 or later, or create one on a BIG-IQ® Centralized Management system, and then deploy it to a BIG-IP device version 12.1 or later.

Note: When you view differences that include NAT policy changes to the global context, those changes appear under the global-device-context object rather than the global object.

Create a NAT policy

You create a NAT policy to contain rules that contain NAT source translations and NAT destination translations.
  1. Go to the NAT Policies screen: Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Policies.
  2. Click Create.
    The New NAT Policy screen opens with the Properties displayed.
  3. Type a name for the NAT policy in the Name field.
  4. Type an optional description for the NAT policy in the Description field.
  5. If needed, change the default Common partition in the Partition field.
  6. On the left, click Rules and then click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  7. Click the edit icon to the left of the rule name to edit the default rule properties.
  8. Complete the rule fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing one of the options available.
  9. Save your changes.
The NAT policy is now defined and can be assigned to a firewall context.

NAT rule properties

This table lists and describes the properties required when configuring NAT policy rules. These rules are similar to rules used in firewall policies, but have a different set of properties.

Property Description
Name Unique, user-provided name for the rule, and optionally a description.
Address (Source) or Address (Destination) Source or destination address or addresses. Select the type of address from the list:
  • Address. Type a single address in the Address field and then click Add to the right of the address field to add it.
  • Address List. In the Address field, select the address list. Alternatively, in the Shared Objects area at the bottom, you can select Address Lists to list those available, and then drag it to the Address column.
  • Address Range. Type the beginning address in the first Address Range field, and the ending address in the second Address Range field, and then click Add.
Port (Source) or Port (Destination) Source or destination port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field, and then click Add.
  • Port List. Select the name of the port list. Alternatively, in the Shared Objects area at the bottom, you can select Port Lists to list those available, and then drag it to the Port column.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field, and then click Add.
Proxy ARP (Destination) Select enabled to accept proxy ARP requests for destination translation addresses. Select disabled to not accept proxy ARP requests for destination translation addresses.
Route Advertisement (Destination) Select enabled to enable advertising traffic to dynamic routing protocols configured in the route domain. Select disabled to disable route advertisement.
Protocol IP protocol to compare against the packet. Select the appropriate protocol from the list. Select Other to specify an unlisted protocol.
NAT Source Translation Type the name of a NAT Source Translation. Alternatively, in the Shared Objects area at the bottom, you can select NAT Source Translations to list those available, and then drag it to the NAT Source Translation column.
NAT Destination Translation Type the name of a NAT destination translation in the field. Alternatively, in the Shared Objects area at the bottom, you can select NAT Destination Translations to list those available, and then drag and drop it into the NAT Destination Translation column.
Log Profile Enter the name of a logging profile in the field. This logging profile must already be defined using Logging Profiles in Shared Security and should be pinned to the BIG-IP device using the Shared Security pinning policy.
State Specify whether the rule is enabled or disabled. The field is updated.

Create NAT source translations

You create NAT source translations to use within a network address translation policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Source Translations.
  2. Click Create.
    The New NAT Source Translations screen opens.
  3. Type a name for the NAT source translations in the Name field.
  4. In the Description field, type an optional description for the NAT source translations.
  5. If needed, change the default Common partition in the Partition field.
  6. From the Type list, specify the type of address translation to use.
    The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
    • Select Dynamic PAT for dynamic network port and address translation.
  7. If you selected Static NAT for the Type, supply values for the following settings.
    Property Description
    Addresses Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X next to the address or address range.
    ICMP Echo Select enabled to make ICMP echoes available. Select disabled to make ICMP echoes unavailable.
    Proxy ARP Select enabled to accept proxy ARP requests for source translation addresses. Select disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement Select enabled to enable route advertisement. Select disabled to disable route advertisement.
    Egress Interfaces area Specify whether the source address is translated for egressing network traffic, and on what interfaces, such as the /Common/http-tunnel interface.
    • Select Disabled on to disable source address translation for the specified interfaces, and then select the check box for the interfaces to be disabled.
    • Select Enabled on to enable source address translation for the specified interfaces and then select the check box for the interfaces to be enabled.
  8. If you selected Static PAT for the Type, fill in the following settings.
    Property Description
    Addresses Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo Select enabled to make ICMP echoes available. Select disabled to make ICMP echoes unavailable.
    Proxy ARP Select enabled to accept proxy ARP requests for source translation addresses. Select disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement Select enabled to enable route advertisement. Select disabled to disable route advertisement.
    Egress Interfaces area Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
  9. If you selected Dynamic PAT for the Type, supply values for the following settings.
    Property Description
    Addresses Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo Select enabled to make ICMP echoes available. Select disabled to make ICMP echoes unavailable.
    Proxy ARP Select enabled to accept proxy ARP requests for source translation addresses. Select disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement Select enabled to enable route advertisement. Select disabled to disable route advertisement.
    PAT Mode Specify the port address translation mode. The mode you select determines what additional properties are available.
    • Select NAPT (default)
    • Select Deterministic
    • Select Port Block Allocation
    Inbound Mode Specify the inbound mode.
    • Select None to disable inbound mode.
    • Select Endpoint Independent Filtering to use endpoint independent filtering.
    Mapping Specify the mapping to use. For all mappings, the default timeout value is 300 seconds, and can be modified. The range is 0 to 31536000 seconds.
    • Select None to disable mapping.
    • Select Endpoint Independent Mapping to use endpoint independent mapping.
    • Select Address Pooling Paired to use paired address pooling.
    Client Connection Limit Enter a number as the maximum number of client connections allowed. The default is 0, which indicates no connection limit.
    Port Block Allocation Specify numeric values for one or more of the following fields; the default is to not have a value set:
    • Block Idle Timeout. The range is 30 to 31536000 seconds.
    • Block Life Time. The range is 0 to 31536000 seconds.
    • Block Size. Must be 1 or greater, and less than or equal to the number of ports in the port range.
    • Client Block Limit. Must be 1 or greater.
    • Zombie Timeout. Must be 0 to 31536000 seconds.
    This property is available when the port block allocation PAT mode is set.
    Hairpin mode Enables or disables hairpinning for incoming connections to active translation endpoints (address/port combinations). Specify the hairpin mode.
    • Select enabled to enable hairpin mode.
    • Select disabled to not enable hairpin mode.
    This property is available for all PAT modes.
    Backup Addresses Add one or more backup IP addresses by typing them and then clicking the + button. Remove them by clicking the X button next to the address. This property is available when the deterministic PAT mode is set.
    Egress Interfaces area Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
    PCP Specify the PCP profile to use.
    • In the Profile setting, select the PCP profile to use.
    • Specify either a self IP or a DS-Lite tunnel where PCP requests can be sent.
      • Select Self IP, and then select a self IP address.
      • Select DSlite, and then select a DS-Lite tunnel.
    Note: DS-Lite tunnels cannot be created by BIG-IQ® Centralized Management. You must create them on the BIG-IP® device and then import them to BIG-IQ Centralized Management.
  10. Save your work.
The NAT source translations are now defined, and you can assign them to a rule used by a NAT policy.
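To show how the Dynamic PAT settings above constrain one another, here is an added example (not BIG-IQ's or BIG-IP's own code) in Python: it checks a Port Block Allocation configuration against the documented ranges, then hands out port blocks from a constructed translation address 203.0.113.10 until the Client Block Limit or the port range is exhausted. The class and function names are my own, and the allocator is a simplified teaching model, not the device's algorithm.

```python
"""Simplified model of Port Block Allocation (PBA) settings for Dynamic PAT."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

SECONDS_PER_YEAR = 31536000  # upper bound the manual gives for the timeouts


def parse_port_range(spec: str) -> range:
    """'1024-1039' -> range(1024, 1040); a single port '8080' is a range of one."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return range(lo_i, hi_i + 1)


@dataclass
class PbaSettings:
    port_range: str          # the Ports setting of the source translation
    block_size: int          # Block Size
    client_block_limit: int  # Client Block Limit
    block_idle_timeout: int = 30  # Block Idle Timeout (seconds)
    block_life_time: int = 0      # Block Life Time (seconds)
    zombie_timeout: int = 0       # Zombie Timeout (seconds)

    def validate(self) -> list:
        """Return the documented constraints this configuration violates."""
        errs = []
        n_ports = len(parse_port_range(self.port_range))
        if not 1 <= self.block_size <= n_ports:
            errs.append("Block Size must be 1..number of ports in the port range")
        if self.client_block_limit < 1:
            errs.append("Client Block Limit must be 1 or greater")
        if not 30 <= self.block_idle_timeout <= SECONDS_PER_YEAR:
            errs.append("Block Idle Timeout must be 30..31536000 seconds")
        if not 0 <= self.block_life_time <= SECONDS_PER_YEAR:
            errs.append("Block Life Time must be 0..31536000 seconds")
        if not 0 <= self.zombie_timeout <= SECONDS_PER_YEAR:
            errs.append("Zombie Timeout must be 0..31536000 seconds")
        return errs


class PortBlockAllocator:
    """Hand each client contiguous port blocks from one translation address (hypothetical model)."""

    def __init__(self, settings: PbaSettings, address: str):
        self.s, self.addr = settings, str(ip_address(address))
        ports = parse_port_range(settings.port_range)
        # Carve the range into whole blocks; a trailing partial block is unusable.
        self.free = [(p, p + settings.block_size - 1)
                     for p in range(ports.start, ports.stop - settings.block_size + 1, settings.block_size)]
        self.owned = {}  # client IP -> blocks it currently holds

    def allocate(self, client_ip: str) -> Optional[tuple]:
        """Return (address, first_port, last_port), or None at the block limit or when the pool is empty."""
        blocks = self.owned.setdefault(client_ip, [])
        if len(blocks) >= self.s.client_block_limit or not self.free:
            return None
        blk = self.free.pop(0)
        blocks.append(blk)
        return (self.addr, blk[0], blk[1])
```

Running `validate()` before deploying catches the mismatch the manual warns about (a Block Size larger than the port range), and the allocator makes the Client Block Limit visible: a client that already holds its permitted number of blocks gets nothing more even while the pool still has free blocks.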

Create NAT destination translations

You create NAT destination translations to use within a NAT policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Destination Translations.
  2. Click Create.
    The NAT Destination Translations - New Item screen opens.
  3. Type a name for the NAT destination translations in the Name field.
  4. In the Description field, type an optional description for the NAT destination translations.
  5. If needed, in the Partition field change the default Common partition.
  6. From the Type list, select the type of address translation to use. The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
  7. If you selected Static NAT or Static PAT for the Type setting, supply values for the Addresses setting.
    • Add one or more addresses or address ranges by typing them in, and then clicking the + button.
    • Remove the address or address range by clicking the X button next to it.
  8. If you selected Static PAT from the Type list, supply values for the Ports setting.
    • Add one or more ports or port ranges by typing them in and then clicking the + button.
    • Remove the port or port range by clicking the X button next to it.
  9. Click Save to save the NAT destination translations, or click Save & Close to save the NAT destination translations and return to the NAT Destination Translations screen.
The NAT destination translations are now defined and can be assigned to a rule used by a NAT policy.