Manual Chapter: Managing NAT Policies and Translations

Applies To:


BIG-IQ Centralized Management

  • 5.2.0

About NAT policies and translations

You can use network address translation (NAT) policies to translate network addresses. A NAT policy contains rules, and each rule references a NAT source translation, a NAT destination translation, or both.

You associate a NAT policy with a firewall context by adding it to the NAT Policy property of the firewall context.

You can discover a NAT policy on a BIG-IP® device version 12.1 or later, or create one on a BIG-IQ® Centralized Management system, and then deploy it to a BIG-IP device version 12.1 or later.

Create a NAT policy

You create a NAT policy to contain rules that contain NAT source translations and NAT destination translations.
  1. Go to the NAT Policies screen: Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Policies.
  2. Click Create.
    The New NAT Policy screen opens with the Properties displayed.
  3. Type a name for the NAT policy in the Name field.
  4. Type an optional description for the NAT policy in the Description field.
  5. If needed, change the default Common partition in the Partition field.
  6. On the left, click Rules and then click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  7. Click the edit icon to the left of the rule name to edit the default rule properties.
  8. Complete the rule fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing one of the options available.
  9. Save your changes.
The NAT policy is now defined and can be assigned to a firewall context.

NAT rule properties

This table lists and describes the properties required when configuring NAT policy rules. These rules are similar to rules used in firewall policies, but have a different set of properties.

Name: Unique, user-provided name for the rule.
Address (Source): Source address or addresses. Select the type of source address from the list:
  • Address. Type a single address in the Address field and then click + to the right of the address field to add it.
  • Address List. In the Address field, type the name of the address list. Alternatively, from the Shared Resources list at the bottom, you can select Address Lists to list those available, and then drag and drop the list into the Address field.
  • Address Range. Type the beginning address in the first Address Range field and the ending address in the second Address Range field. Then click + to the right of the address field to add it.
  When you are finished, click Save or Save & Close.
Port (Source): Source port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field. Then click + to the right of the field to add it.
  • Port List. In the Port field, type the name of the port list. Alternatively, from the Shared Resources list at the bottom, you can select Port Lists to list those available, and then drag and drop the list into the Port field.
  When you are finished, click Save or Save & Close.
VLAN (Source): Name of the VLAN physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN. For example: Common/external or /Common/external. When you are finished, click Save or Save & Close.
Address (Destination): Select the type of destination address from the list:
  • Address. Type a single address in the Address field and then click + to the right of the address field to add it.
  • Address List. In the Address field, type the name of the address list. Alternatively, from the Shared Resources list at the bottom, you can select Address Lists to list those available, and then drag and drop the list into the Address field.
  • Address Range. Type the beginning address in the first Address Range field and the ending address in the second Address Range field.
  When you are finished, click Save or Save & Close.
Port (Destination): Destination port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field.
  • Port List. In the Port field, type the name of the port list. Alternatively, from the Shared Resources list at the bottom, you can select Port Lists to list those available, and then drag and drop the list into the Port field.
  When you are finished, click Save or Save & Close.
Description: Optional description for the current rule. To add a description, click in the column, type the text, and click Save or Add.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the list and click Save or Save & Close. The default type is Any and the default code is Any.
  Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com, or the documentation for the specific BIG-IP® platform.
State: Select whether the rule is enabled or disabled. The field is updated. Click Save or Save & Close to save your changes.
Translated Source: Type the name of a NAT source translation in the field. Alternatively, from the Shared Resources list at the bottom, you can select NAT Source Translations to list those available, and then drag and drop the translation into the Translated Source field.
Translated Destination: Type the name of a NAT destination translation in the field. Alternatively, from the Shared Resources list at the bottom, you can select NAT Destination Translations to list those available, and then drag and drop the translation into the Translated Destination field.
Log Profile: Type the name of a logging profile in the field. This logging profile must already be defined using Logging Profiles in Shared Security, and should be pinned to the BIG-IP device using the Logging Profile Available Devices option.
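To make the rule properties concrete, here is an added example written for this page (it is not code from F5 or from the BIG-IQ product) that models a NAT policy as an ordered list of rules carrying the match fields from the table and evaluates constructed flows against it. The shared-resource dictionaries, the `list:<name>` reference convention, first-match precedence, the `vlan_ref_is_deployable` check for the partition/VLAN format the table requires, and the way a translation object rewrites a flow are all assumptions made for illustration, not BIG-IP semantics.

```python
"""Added example, not part of the F5 documentation: an assumed, simplified model of a
NAT policy rule built from the property names in the table above. The match and
rewrite logic is illustrative only; it is not how BIG-IP evaluates NAT policies."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed shared resources, keyed by name, standing in for the Shared Resources
# lists the table refers to (address lists, port lists, source/destination translations).
ADDRESS_LISTS: Dict[str, List[str]] = {"corp-clients": ["10.0.0.0-10.0.0.255", "10.1.2.3"]}
PORT_LISTS: Dict[str, List[str]] = {"web": ["80", "443", "8000-8080"]}
TRANSLATIONS = {
    "snat-public": {"type": "Static PAT", "addresses": ["198.51.100.1"], "ports": ["1024-65535"]},
    "dnat-webfarm": {"type": "Static NAT", "addresses": ["192.0.2.10"]},
}

VLAN_REF = re.compile(r"^/?[^/]+/[^/]+$")   # partition/VLAN or /partition/VLAN


def vlan_ref_is_deployable(vlan: Optional[str]) -> bool:
    """The table says a VLAN given without its partition makes deployment fail, so a
    pre-deployment check is cheap. None or Any (no VLAN constraint) pass."""
    return vlan is None or vlan.lower() == "any" or VLAN_REF.match(vlan) is not None


def _addr_match(entries: List[str], ip: str) -> bool:
    """Empty list = any address. Entries are single addresses, 'a-b' ranges or 'list:<name>'."""
    if not entries:
        return True
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if e.startswith("list:"):
            if _addr_match(ADDRESS_LISTS[e[5:]], ip):
                return True
        elif "-" in e:
            lo, hi = (ipaddress.ip_address(x) for x in e.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif ipaddress.ip_address(e) == addr:
            return True
    return False


def _port_match(entries: List[str], port: int) -> bool:
    """Same conventions as _addr_match, for single ports, 'lo-hi' ranges and port lists."""
    if not entries:
        return True
    for e in entries:
        if e.startswith("list:"):
            if _port_match(PORT_LISTS[e[5:]], port):
                return True
        elif "-" in e:
            lo, hi = (int(x) for x in e.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(e) == port:
            return True
    return False


@dataclass
class NatRule:
    name: str
    src_addrs: List[str]
    src_ports: List[str]
    dst_addrs: List[str]
    dst_ports: List[str]
    vlan: Optional[str] = None        # partition/VLAN, /partition/VLAN, Any or None
    protocol: str = "any"             # Protocol property; "any" is the documented default
    enabled: bool = True              # State property
    translated_source: Optional[str] = None        # name of a NAT source translation
    translated_destination: Optional[str] = None   # name of a NAT destination translation

    def matches(self, flow: dict) -> bool:
        return (self.enabled
                and (self.protocol == "any" or self.protocol == flow["protocol"])
                and (self.vlan is None or self.vlan.lower() == "any"
                     or self.vlan.lstrip("/") == flow["vlan"].lstrip("/"))
                and _addr_match(self.src_addrs, flow["src_ip"])
                and _port_match(self.src_ports, flow["src_port"])
                and _addr_match(self.dst_addrs, flow["dst_ip"])
                and _port_match(self.dst_ports, flow["dst_port"]))


def apply_policy(rules: List[NatRule], flow: dict) -> Optional[dict]:
    """First enabled matching rule wins (an assumption of this model). Returns the
    rewritten flow, or None when nothing matches. Static NAT rewrites only the address;
    Static PAT rewrites address and port. Using the first address/port of the translation
    object is a simplification of real one-to-one or pooled translation."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        out = dict(flow)
        for ref, ip_key, port_key in ((rule.translated_source, "src_ip", "src_port"),
                                      (rule.translated_destination, "dst_ip", "dst_port")):
            if ref is None:
                continue
            t = TRANSLATIONS[ref]
            out[ip_key] = t["addresses"][0].split("-")[0]
            if t["type"] == "Static PAT" and t.get("ports"):
                out[port_key] = int(t["ports"][0].split("-")[0])
        out["rule"] = rule.name
        return out
    return None


# Constructed policy: inbound DNAT to a web farm, outbound SNAT for corporate clients.
RULES = [
    NatRule("inbound-web", [], [], ["203.0.113.10"], ["list:web"], vlan="/Common/external",
            protocol="tcp", translated_destination="dnat-webfarm"),
    NatRule("outbound-snat", ["list:corp-clients"], [], [], [], vlan="/Common/internal",
            translated_source="snat-public"),
    NatRule("disabled-rule", [], [], [], [], enabled=False, translated_source="snat-public"),
]

if __name__ == "__main__":
    for r in RULES:
        print(r.name, "vlan ok" if vlan_ref_is_deployable(r.vlan) else "vlan missing partition")
    print(apply_policy(RULES, {"src_ip": "10.0.0.5", "src_port": 40000, "dst_ip": "203.0.113.10",
                               "dst_port": 443, "protocol": "tcp", "vlan": "Common/internal"}))
```

Running the `vlan_ref_is_deployable` check over every rule before a deployment task surfaces the bare-VLAN-name mistake the table warns about while it is still cheap to fix.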

Cloning a NAT policy

Cloning enables you to create a copy of the NAT policy, which you can then edit to address any special considerations.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left click NAT Policies.
  4. Select the NAT policy to clone by selecting the check box for it, and then clicking Clone.
    A copy of that NAT policy is created with the same name, but with -CLONE appended to the name.
  5. Change the NAT policy as needed.
  6. Click Save to save the NAT policy, or click Save & Close to save the NAT policy and return to the NAT Policies page.
The NAT policy is now defined and can be assigned to a firewall context.

Deleting a NAT policy

You delete NAT policies that are no longer used.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Policies.
  4. Select one or more NAT policies to remove by selecting the check box for each of them.
  5. Click Delete.
  6. Confirm that you want to remove the NAT policy by clicking Delete in the confirmation dialog box.
The selected NAT policies are removed.

Creating NAT source translations

Create NAT source translations to use within a NAT policy rule.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Source Translations.
  4. Click Create.
    The NAT Source Translations - New Item screen opens.
  5. Type a name for the NAT source translations in the Name field.
  6. In the Description field, type an optional description for the NAT source translations.
  7. If needed, change the default Common partition in the Partition field.
  8. From the Type list, select the type of address translation to use. The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
    • Select Dynamic PAT for dynamic network port and address translation.
  9. If you selected Static NAT for the value of the Type list, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    ICMP Echo: Select whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    Egress Interfaces: Select whether the source address is translated for egressing network traffic, and on what interfaces, such as the /Common/http-tunnel interface.
    • Select Disabled on to disable source address translation for the specified interfaces, and then select the check box for each interface to be disabled.
    • Select Enabled on to enable source address translation for the specified interfaces, and then select the check box for each interface to be enabled.
  10. If you selected Static PAT for the value of the Type list, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Select whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    Egress Interfaces: Select whether the source address is translated for egressing network traffic, and on what interfaces.
    • Select Disabled on to disable source address translation for the selected interfaces.
    • Select Enabled on to enable source address translation for the selected interfaces.
  11. If you selected Dynamic PAT for the value of the Type list, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Select whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    PAT Mode: Select the port address translation mode. The mode you select determines what additional properties are available.
    • Select NAPT (the default).
    • Select Deterministic.
    • Select Port Block Allocation.
    Inbound Mode: Select the inbound mode. This property is available for all PAT modes.
    • Select None to disable inbound mode.
    • Select Endpoint Independent Filtering to use endpoint independent filtering.
    Mapping: Select the mapping to use. For all mappings, the default timeout value is 300 seconds, and can be modified. The range is 0 to 31536000 seconds. This property is available for all PAT modes.
    • Select None to use no mapping.
    • Select Endpoint Independent Mapping to use endpoint independent mapping.
    • Select Address Pooling Paired to use paired address pooling.
    Client Connection Limit: Enter a number as the maximum number of client connections allowed. The default is 0, which indicates no connection limit. This property is available for all PAT modes.
    Hairpin Mode: Select the hairpin mode. This property is available for all PAT modes.
    • Select enabled to enable hairpin mode.
    • Select disabled to leave hairpin mode off.
    Backup Addresses: Add one or more backup IP addresses by typing them and then clicking the + button. Remove them by clicking the X button next to the address. This property is available when the PAT mode is Deterministic.
    Port Block Allocation: Select numeric values for one or more of the following fields; by default no value is set. This property is available when the PAT mode is Port Block Allocation.
    • Block Idle Timeout. The range is 30 to 31536000 seconds.
    • Block Life Time. The range is 0 to 31536000 seconds.
    • Block Size. Must be 1 or greater, and less than or equal to the number of ports in the port range.
    • Client Block Limit. Must be 1 or greater.
    • Zombie Timeout. Must be 0 to 31536000 seconds.
    Egress Interfaces: Select whether the source address is translated for egressing network traffic, and on what interfaces.
    • Select Disabled on to disable source address translation for the selected interfaces.
    • Select Enabled on to enable source address translation for the selected interfaces.
  12. Click Save to save the NAT source translations, or click Save & Close to save the NAT source translations and return to the NAT Source Translations page.
The NAT source translations are now defined and can be assigned to a rule used by a NAT policy.
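The Port Block Allocation settings in step 11 are easier to reason about when you can watch blocks being handed out and aged. The following is an added example written for this page (not F5 code and not BIG-IP's allocator) that models Block Size, Client Block Limit, Block Life Time and Zombie Timeout over a constructed public address and port range. Treating a lifetime of 0 as "never ages out", a zombie timeout of 0 as "freed at once", and never reusing a port inside a block are simplifying assumptions; per-connection port release is not modelled.

```python
"""Added example, not part of the F5 documentation: a simplified, assumed model of the
Dynamic PAT 'Port Block Allocation' settings listed above. Illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortBlock:
    public_ip: str
    start: int              # first port of the block
    size: int               # Block Size
    allocated_at: float
    used: int = 0           # ports handed out so far (never reused in this model)
    zombie_since: Optional[float] = None   # set once Block Life Time has elapsed

    def label(self) -> str:
        return f"{self.public_ip}:{self.start}-{self.start + self.size - 1}"


class PortBlockAllocator:
    def __init__(self, public_ips: List[str], port_lo: int, port_hi: int,
                 block_size: int, client_block_limit: int,
                 block_lifetime: float = 0, zombie_timeout: float = 0):
        # Value constraints as stated in the documentation table.
        if not 1 <= block_size <= port_hi - port_lo + 1:
            raise ValueError("Block Size must be >= 1 and <= ports in the range")
        if client_block_limit < 1:
            raise ValueError("Client Block Limit must be >= 1")
        self.block_size = block_size
        self.client_block_limit = client_block_limit
        self.block_lifetime = block_lifetime     # 0 = blocks never age out (assumed)
        self.zombie_timeout = zombie_timeout     # 0 = zombie blocks freed at once (assumed)
        # Carve the port range of every public address into fixed-size blocks.
        self.free_blocks: List[Tuple[str, int]] = [
            (ip, p) for ip in public_ips
            for p in range(port_lo, port_hi - block_size + 2, block_size)]
        self.client_blocks: Dict[str, List[PortBlock]] = {}
        self.log: List[str] = []   # one line per block event, not per connection

    def _age_blocks(self, now: float) -> None:
        """Expire blocks past Block Life Time into zombies (no new ports, existing flows
        keep working) and free zombies once Zombie Timeout has elapsed."""
        for client, blocks in list(self.client_blocks.items()):
            keep = []
            for b in blocks:
                if (self.block_lifetime > 0 and b.zombie_since is None
                        and now - b.allocated_at >= self.block_lifetime):
                    b.zombie_since = now
                    self.log.append(f"zombie client={client} block={b.label()}")
                if b.zombie_since is not None and now - b.zombie_since >= self.zombie_timeout:
                    self.free_blocks.append((b.public_ip, b.start))
                    self.log.append(f"free client={client} block={b.label()}")
                else:
                    keep.append(b)
            self.client_blocks[client] = keep

    def allocate(self, client_ip: str, now: float) -> Optional[Tuple[str, int]]:
        """Return (public_ip, port) for a new connection from client_ip, or None when the
        client is at its Client Block Limit or the pool is exhausted."""
        self._age_blocks(now)
        blocks = self.client_blocks.setdefault(client_ip, [])
        for b in blocks:                       # reuse the client's current active block
            if b.zombie_since is None and b.used < b.size:
                b.used += 1
                return (b.public_ip, b.start + b.used - 1)
        active = sum(1 for b in blocks if b.zombie_since is None)
        if active >= self.client_block_limit or not self.free_blocks:
            return None
        ip, start = self.free_blocks.pop(0)    # hand out a fresh block
        blocks.append(PortBlock(ip, start, self.block_size, now, used=1))
        self.log.append(f"alloc client={client_ip} block={ip}:{start + self.block_size - 1}"
                        .replace(f":{start + self.block_size - 1}", f":{start}-{start + self.block_size - 1}"))
        return (ip, start)


if __name__ == "__main__":
    # Constructed scenario: one public address, eight ports, blocks of four, one block per client.
    pba = PortBlockAllocator(["198.51.100.1"], 1024, 1031, block_size=4, client_block_limit=1)
    for t in range(5):
        print("client A", pba.allocate("10.0.0.5", now=t))
    print("client B", pba.allocate("10.0.0.6", now=5))
    print("\n".join(pba.log))
```

Because the log records block events rather than individual mappings, a defender correlating an abuse report to an internal client needs only the block allocation records and the public address, port and time from the report, which is the usual reason for choosing Port Block Allocation over plain NAPT.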

Cloning NAT source translations

Cloning enables you to create an exact copy of the NAT source translations, which you can then edit.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Source Translations.
  4. Select the NAT source translations to clone by selecting the check box, and then clicking Clone.
    A copy of the NAT source translations is created with the same name, but with -CLONE appended to the name.
  5. Change the NAT source translations as needed.
  6. Click Save to save the NAT source translations, or click Save & Close to save the NAT source translations and return to the NAT Source Translations page.
The cloned NAT source translations can now be assigned to a rule in a NAT policy.

Deleting NAT source translations

You delete NAT source translations that are no longer used.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Source Translations.
  4. Select the check box for each of the NAT source translations to remove.
  5. Click Delete.
  6. Confirm that you want to remove the NAT source translations by clicking Delete in the confirmation dialog box.
The selected NAT source translations are removed.

Creating NAT destination translations

You create NAT destination translations to use within a NAT policy rule.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Destination Translations.
  4. Click Create.
    The NAT Destination Translations - New Item screen opens.
  5. Type a name for the NAT destination translations in the Name field.
  6. In the Description field, type an optional description for the NAT destination translations.
  7. If needed, in the Partition field change the default Common partition.
  8. From the Type list, select the type of address translation to use. The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
  9. If you selected Static NAT or Static PAT for the Type setting, supply values for the Addresses setting.
    • Add one or more addresses or address ranges by typing them in, and then clicking the + button.
    • Remove the address or address range by clicking the X button next to it.
  10. If you selected Static PAT from the Type list, supply values for the Ports setting.
    • Add one or more ports or port ranges by typing them in and then clicking the + button.
    • Remove the port or port range by clicking the X button next to it.
  11. Click Save to save the NAT destination translations, or click Save & Close to save the NAT destination translations and return to the NAT Destination Translations page.
The NAT destination translations are now defined and can be assigned to a rule used by a NAT policy.

Cloning NAT destination translations

With cloning, you create an exact copy of the NAT destination translations, which you can then edit.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Destination Translations.
  4. Select the check box for the NAT destination translations to clone and then click Clone.
    The system creates a copy of the NAT destination translations with the same name, but with -CLONE appended to the name.
  5. Change the NAT destination translations as needed.
  6. Click Save to save the NAT destination translations, or click Save & Close to save the NAT destination translations and return to the NAT Destination Translations page.
The cloned NAT destination translations can now be assigned to a rule in a NAT policy.

Deleting NAT destination translations

You delete NAT destination translations that are no longer used.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click NAT Destination Translations.
  4. Select one or more NAT destination translations to remove by selecting the check box for each of them.
  5. Click Delete.
  6. Confirm that you want to remove the NAT destination translations by clicking Delete in the confirmation dialog box.
The system removes the selected NAT destination translations.