Manual Chapter: Using ALG Profiles
Applies To: BIG-IP LTM
- 14.1.0, 14.0.0
Overview: Using the FTP ALG Profile to Transfer Files
The File Transfer Protocol (FTP) application layer gateway (ALG) profile enables you to
transfer files between a client and server. The FTP ALG profile supports both active and
passive modes, where data connections are initiated either from an FTP server (active mode) or
from a client (passive mode). You can transfer files using the FTP protocol by configuring an
LSN pool, configuring an FTP profile, and then assigning the LSN pool and FTP profile to a
virtual server. The FTP protocol is described in RFC 959.
Task summary
About the FTP profile
The File Transfer Protocol (FTP) profile enables you to transfer files between a client and server, using FTP connections over TCP. The FTP application layer gateway (ALG) supports the FTP protocol's active and passive modes, where data connections are initiated either from an FTP server (active mode) or from a client (passive mode). You can configure the FTP profile settings, as needed, to ensure compatibility between IPv4 and IPv6 clients and servers, to enable the FTP data channel to inherit the TCP profile used by the FTP control channel, and to use a port other than the default port (20).
Additionally, when used with Application Security Manager™ (ASM™), this profile enables the BIG-IP system to inspect FTP traffic for security vulnerabilities by using an FTP security profile.
FTP Control Channels
Once established, the FTP control channel remains open throughout the FTP session. The FTP
control channel and the FTP data channel must both originate from the same IP address.
FTP Data Channels
In active mode, the FTP server initiates data connections. A client informs the server as to what port the client is listening on, and the server connects to the client by using that port.
In this example, an LSN pool is configured with a translation IP address and prefix length of 10.33.1.0/24. The virtual server is configured with an FTP control port using a wildcard address and a specific port: 0.0.0.0:21. The FTP data port is configured to use port 20. The configured translation mode uses the values of the respective port range.
Translation mode | Port range |
---|---|
NAPT | 2000-3000 |
DNAT | 2000-2200 |
PBA | 2000-2150 |
In passive mode, the FTP client initiates data connections. The FTP server informs the client as to what port the server is listening on, and the client connects to the server by using that port.
In this example, an LSN pool is configured with a translation IP address and prefix length of 10.33.1.0/24. The virtual server is configured with an FTP control port using a wildcard address and a specific port: 0.0.0.0:21. The FTP data port is configured to use port 20. In this example, the configured translation mode uses the values of the respective port range.
Translation mode | Port range |
---|---|
NAPT | 2000-3000 |
DNAT | 2000-2200 |
PBA | 2000-2150 |
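The control-channel work an FTP ALG has to do for the two modes above, as an added example written for this page (it is not F5 code and does not describe how the BIG-IP implements the profile): it extracts the address and port carried in a PORT command (active mode) or in a 227 passive-mode reply, refuses a PORT whose address differs from the control-channel client (the rule above that both channels originate from the same address), and rewrites a PORT command to the LSN translation endpoint so that the server's data connection reaches the translated address rather than the client's private one. The prefix 10.33.1.0/24 and the NAPT range 2000-3000 are taken from the example above; the sample commands, the client address 10.0.0.5 and the chosen translation 10.33.1.1:2000 are constructed.

```python
import ipaddress
import re

# From the example above: the LSN translation prefix and the NAPT port range.
TRANSLATION_PREFIX = ipaddress.ip_network("10.33.1.0/24")
NAPT_PORT_RANGE = (2000, 3000)

# "PORT h1,h2,h3,h4,p1,p2" sent by the client in active mode (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." sent by the server in passive mode (RFC 959).
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("FTP host/port field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def _encode_hostport(ip, port):
    """Inverse of _decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"


def parse_port_command(line, control_client_ip):
    """Active mode: return the (ip, port) the client asks the server to connect to.
    A PORT that names a host other than the control-channel client is rejected,
    which enforces the same-origin rule for control and data channels."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    ip, port = _decode_hostport(m.groups())
    if ip != control_client_ip:
        raise ValueError(f"PORT address {ip} does not match control-channel client {control_client_ip}")
    return ip, port


def parse_pasv_reply(line):
    """Passive mode: return the (ip, port) the server says it is listening on."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return _decode_hostport(m.groups())


def rewrite_port_command(line, control_client_ip, translated_ip, translated_port):
    """Rewrite the client's PORT command so the server connects to the LSN translation
    endpoint. The endpoint must lie inside the pool prefix and the NAPT port range."""
    parse_port_command(line, control_client_ip)  # validates the original command first
    if ipaddress.ip_address(translated_ip) not in TRANSLATION_PREFIX:
        raise ValueError("translated address is outside the LSN pool prefix")
    lo, hi = NAPT_PORT_RANGE
    if not lo <= translated_port <= hi:
        raise ValueError("translated port is outside the NAPT port range")
    return "PORT " + _encode_hostport(translated_ip, translated_port)


if __name__ == "__main__":
    # Constructed exchange: client 10.0.0.5 listens on 1025, translated to 10.33.1.1:2000
    print(parse_port_command("PORT 10,0,0,5,4,1", "10.0.0.5"))
    print(rewrite_port_command("PORT 10,0,0,5,4,1", "10.0.0.5", "10.33.1.1", 2000))
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,8,0)."))
```

Port 2000 is encoded as 7,208 because 7 × 256 + 208 = 2000; the same arithmetic decodes the fields of a 227 reply.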
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
- For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- Click Finished.
Creating an FTP profile
You can configure a file transfer protocol (FTP) profile on the BIG-IP system that transfers files, either in an active or passive mode, and
logs related messages.
- On the Main tab, click. The FTP screen opens and displays a list of available FTP ALG profiles.
- Click Create.
- Type a name for the profile.
- From the Parent Profile list, select a parent profile.
- Select the Custom check box.
- Select the Translate Extended check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol. The default is selected.
- Select the Inherit Parent Profile check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default. If this setting is disabled, the data channel uses FastL4 (BigProto) only.
- In the Data Port field, type a number for an alternate port. The default value for the FTP data port is 20.
- Click Finished.
An FTP profile is configured on the BIG-IP system that transfers files, either in an active or passive mode, and
logs related messages.
Configuring a CGNAT iRule
You create iRules to automate traffic forwarding
for XML content-based routing. When a match occurs, an iRule event is triggered, and the
iRule directs the individual request to an LSN pool, a node, or virtual
server.
- On the Main tab, click. The iRule List screen opens.
- Click Create.
- In the Name field, type a 1 to 31 character name, such as cgn_https_redirect_iRule.
- In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax. For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
- Click Finished.
You now have an iRule to use with a CGNAT virtual server.
Creating a virtual server using an FTP ALG profile
Virtual servers are matched based on source (client) addresses. Define a virtual
server in order to reference an FTP profile and LSN pool.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, retain the default setting Standard.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 21 or select FTP from the list.
- From the Protocol list, select TCP.
- From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
- From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
- From the FTP Profile list, select an FTP ALG profile for the virtual server to use.
- For the LSN Pool setting, select the pool that this server will draw on for addresses.
- Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list. This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
- Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.
Creating an FTP ALG logging profile
You can create an application layer gateway (ALG) logging profile, and associate it
with one or more FTP ALG profiles, to allow you to configure logging options for various
events that apply to high-speed logging (HSL) destinations. A logging profile decreases
the need to maintain a number of customized profiles where the events are very
similar.
- On the Main tab, click. The ALG logging profiles screen opens.
- On the Main tab, click. The ALG Logging screen opens.
- Click Create. The New ALG Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.
Setting | Description |
---|---|
CSV Format | Generates log entries in comma-separated-values (csv) format. |
Start Control Channel | Generates event log entries at the start of a control channel connection for an ALG client. |
End Control Channel | Generates event log entries at the end of a control channel connection for an ALG client. |
Start Data Channel | Generates event log entries at the start of a data channel connection for an ALG client. |
End Data Channel | Generates event log entries at the end of a data channel connection for an ALG client. |
Inbound Transaction | Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system. |
Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types and only use standard syslog formats.
- Click Finished.
Configuring an FTP ALG profile
You can associate an FTP ALG profile with a log
publisher and logging profile that the BIG-IP system uses to send log messages to a
specified destination.
- On the Main tab, click. The FTP screen opens and displays a list of available FTP ALG profiles.
- Click the name of an FTP profile.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a Logging Profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a Logging Profile, you must also configure a Log Publisher.
- Click Finished.
Overview: Using the TFTP ALG profile to transfer files
The Trivial File Transfer Protocol (TFTP) profile enables you to configure the BIG-IP system to read and write files from or to a remote server. The TFTP application layer gateway (ALG) profile is associated with a UDP port 69 virtual server so that a listener is established for incoming TFTP traffic. This allows the protocol to operate across the BIG-IP system. You can transfer files using the TFTP protocol by configuring a TFTP profile, configuring an LSN pool, and then assigning the TFTP profile and LSN pool to a virtual server. The TFTP protocol is described in RFC 1350.
About the TFTP ALG profile
The Trivial File Transfer Protocol application layer gateway (TFTP ALG) provides connection management for TFTP. The TFTP profile is configured on a UDP port 69 virtual server. The profile opens a server-side listener so that responses from the server can be returned to the client across the BIG-IP system. ALG logging can be configured on the profile.
Creating a TFTP ALG profile
You can configure a Trivial File Transfer Protocol (TFTP) profile on the BIG-IP system to read and write files from or to a remote server.
- On the Main tab, click. The TFTP screen opens and displays a list of available TFTP ALG profiles.
- Click Create. The New TFTP Profile screen opens.
- In the Name field, type a unique name for the TFTP profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Settings area, select the Custom check box.
- In the Settings area, for the Idle Timeout setting, type the number of seconds after which a connection with no traffic becomes eligible for deletion. The default value is 30 seconds.
- For the Log Settings area, select the Custom check box.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a Logging Profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a Logging Profile, you must also configure a Log Publisher.
- Click Finished.
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
- For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- Click Finished.
Creating a virtual server using a TFTP ALG profile
Virtual servers are matched based on source (client) addresses. Create and define a virtual server that references a TFTP profile and LSN pool.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, retain the default setting Standard.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
- In the Service Port field, type 69 or select TFTP from the list.
- From the Configuration list, select Advanced.
- From the Protocol list, select UDP.
- From the TFTP Profile list, select a TFTP ALG profile for the virtual server to use.
- For the LSN Pool setting, select the pool that this server will draw on for addresses.
- Click Finished.
Creating a TFTP ALG logging profile
You can create an application layer gateway (ALG) logging profile, and associate it
with one or more Trivial File Transfer Protocol (TFTP) ALG profiles, to allow you to
configure logging options for various events. A logging profile decreases the need to
maintain a number of customized profiles where the events are very similar.
- On the Main tab, click. The ALG logging profiles screen opens.
- Click Create. The New ALG Logging Profile screen opens.
- In the Name field, type a unique name for the TFTP profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.
Setting | Description |
---|---|
CSV Format | Generates log entries in comma-separated-values (csv) format. |
Start Control Channel | Generates event log entries at the start of a control channel connection for an ALG client. |
End Control Channel | Generates event log entries at the end of a control channel connection for an ALG client. |
Start Data Channel | Generates event log entries at the start of a data channel connection for an ALG client. |
End Data Channel | Generates event log entries at the end of a data channel connection for an ALG client. |
Inbound Transaction | Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system. |
Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types and only use standard syslog formats.
- Click Finished.
Overview: Using the SIP MRF ALG Profile
A carrier-grade network address translation (CGNAT) Session Initiation Protocol (SIP)
application layer gateway (ALG) configuration, using message routing framework (MRF)
functionality, enables SIP communication and associated media flow to cross an address
translation boundary.
The SIP ALG profile provides the ability for subscribers to make and accept calls, and to
store private contact information with a corresponding translated address and port. The
lifetime and idle timeout for this entry differs from the flow that created it, enabling the
entry to live after the flow expires. The SIP ALG uses the translated IP address and port to
uniquely identify a subscriber, and to accept that subscriber's incoming calls. To enable this
functionality, the LSN pool must pick an endpoint that is not reserved for the SIP ALG
connections, and update the endpoint reservation time.
For calls between subscribers, a BIG-IP device can hairpin media;
however, it must not hairpin SIP signaling. Instead, the BIG-IP device must always deliver SIP
signaling to an external proxy.
Additionally, for communication between subscribers, a BIG-IP device supports NAT44, NAT64,
464XLAT, and DS-Lite translation.
Finally, the SIP ALG profile supports media flow between a caller and callee.
SIP MRF ALG call scenarios include the following:
- Internal to internal calls, with SIP signaling through the proxy
- External to internal calls
- Internal to external calls
- Internal to external calls through NAT64
- Calls through DS-Lite tunnels on the internal network, including the following:
- DS-Lite subscribers on different tunnels with the same name and IP address
- DS-Lite subscribers on different tunnels with the same name and different IP addresses
- DS-Lite subscribers on different tunnels with different names and the same IP address
A SIP MRF virtual server must include both a SIP session profile and a SIP router profile.
The SIP session profile provides a protocol-specific configuration, and the SIP router profile
specifies the static-route configurations.
The SIP Session profile and SIP Router
profile are only available for use with a Message Routing virtual server.
Task summary
About the SIP session profile
A SIP session profile, assigned to a message routing virtual server, processes ingress and egress messages in accordance with the profile configuration. Multiple SIP session profiles can be assigned to a virtual server, as necessary, to manage SIP messages. Each SIP session ALG profile includes settings for the message size, message header count, and message header size.
About the SIP router profile
A SIP router profile, assigned to one or more message routing virtual servers, specifies an operation mode, static routes, traffic group, and connection mirroring, as well as session, media proxy, registration, and logging parameters. For virtual servers that use a SIP router profile in an application layer gateway (ALG) operation mode, the SIP router profile binds the virtual servers together; however, routes are not configured. Instead, the local address of the originating flow is used as the remote address of the outgoing connection.
Creating a SIP session profile
Create a SIP session profile to define how the BIG-IP system
processes SIP messages, including the data the system uses to persist SIP connections.
- On the Main tab, click. The SIP transport config list screen opens.
- On the menu bar, click Session Profiles. The Session Profiles list screen opens.
- Click Create. The New SIP Session Profile screen opens.
- In the Name field, type a unique name for the SIP session profile.
- From the Persist Key list, select the value the system uses for persistence of a SIP session. The options are:
Option | Description |
---|---|
Call-ID | The system uses the value in the Call-ID header field in the SIP message. |
Custom | The system uses the value of a custom key specified in an iRule. |
Src-Addr | The system uses the originating IP address in the SIP message. |
- From the Persist Type list, select one of these options:
Option | Description |
---|---|
Session | Persistence is enabled. |
None | Persistence is disabled. |
- In the Persist Timeout (seconds) field, type the number of seconds before a SIP session persistence record expires.
- Click Finished.
Creating a SIP ALG router profile
You can create a SIP router profile with mirroring functionality for a SIP ALG
firewall configuration.
If you do not want to configure mirroring functionality, you can configure a virtual server to use the default settings provided in the preconfigured siprouter-alg profile.
- On the Main tab, click. The SIP session profiles list screen opens.
- On the menu bar, click Router Profiles. The Router Profiles list screen opens.
- Click Create. The New Router Profiles screen opens.
- In the Name field, type a unique name for the router profile.
- In the Settings area, select the Custom check box.
- From the Operation Mode list, select Application Level Gateway.
- To use connection mirroring, configure the Traffic Group setting.
- Clear the Inherit traffic group from current partition / path check box.
- From the list, select a traffic group, such as traffic-group-1.
Changing traffic groups, with Connection Mirroring enabled, drops all mirrored connections and loses all persistence data. If you change traffic groups, mirroring must restart. The traffic group for the virtual address and mirrored attribute are overwritten by the attached router profile.
- Select the Connection Mirroring check box. For connection mirroring to properly function, this device must be a member of a device group.
- In the Mirrored Message Sweeper Interval field, type the milliseconds for the frequency of the mirrored message sweeper.
- Click Finished.
A SIP router profile appears in the Router Profiles list.
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you
can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation
prefixes and parameters. You can configure the following types of LSN pools:
- NAPT
- Deterministic
- PBA
SIP ALG LSN modes and networks
A carrier-grade NAT (CGNAT) Session Initiation Protocol (SIP) application layer gateway
(ALG) configuration supports certain large-scale NAT (LSN) modes and network
configurations.
NAT Mode | Supported Network Configurations |
---|---|
NAPT | |
DNAT | |
PBA | |
Creating a NAPT LSN pool
- The CGNAT module must be provisioned before LSN pools can be configured.
- Before associating a LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP system.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- In the Description field, type a description.
- Select NAPT for the pool's translation Mode.
- Click Finished.
Your NAPT LSN pool is now ready and you can continue to configure your
CGNAT.
Creating a deterministic LSN pool
The CGNAT module must be provisioned before you can configure LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- For the Mode setting, select Deterministic for the pool's translation. Note that deterministic mode does not support DS-lite tunneling or NAT64.
- From the Log Publisher list, select the publisher that includes the destinations to which you want to send log messages.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- For deterministic mode, the Backup Member List must have at least one member, so type an address in the Address/Prefix Length field and click Add.
- Click Finished.
Your deterministic LSN pool is now ready, and you can continue to configure your
CGNAT.
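A pre-flight check for the rules stated in the LSN pool tasks of this chapter (the member prefixes of a deterministic pool must not overlap one another, and the deterministic pool above must also carry at least one backup member), written as an added example for this page rather than BIG-IP code. The member lists used in the usage section are constructed; 10.10.10.0/24 against 10.10.10.0/23 is the overlap the tasks cite.

```python
import ipaddress
from itertools import combinations


def find_overlapping_members(members):
    """Return every pair of member prefixes that overlap; an empty list means the
    member list is valid for deterministic mode. Prefixes of different IP versions
    can never overlap and are not compared."""
    nets = [ipaddress.ip_network(m, strict=False) for m in members]
    return [(str(a), str(b)) for a, b in combinations(nets, 2)
            if a.version == b.version and a.overlaps(b)]


def translation_address_count(members):
    """Number of translation addresses the members provide in total, which is the
    address space the fixed per-subscriber mapping of deterministic mode draws on."""
    return sum(ipaddress.ip_network(m, strict=False).num_addresses for m in members)


def validate_deterministic_pool(members, backup_members):
    """Apply both rules from the deterministic pool task; returns a list of
    problems, empty when the pool definition is acceptable."""
    problems = [f"member {a} overlaps member {b}"
                for a, b in find_overlapping_members(members)]
    if not backup_members:
        problems.append("deterministic mode requires at least one backup member")
    return problems


if __name__ == "__main__":
    # Constructed member lists: the first reproduces the overlap cited in the task text.
    print(validate_deterministic_pool(["10.10.10.0/24", "10.10.10.0/23"], []))
    print(validate_deterministic_pool(["10.33.1.0/24", "10.33.2.0/24"], ["10.33.9.0/24"]))
```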
Creating a PBA LSN pool
- The CGNAT module must be provisioned before LSN pools can be configured.
- Before associating a LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP system.
You configure Large Scale NAT (LSN) pools for the CGNAT module to use in allowing efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- In the Description field, type a description.
- For the Mode setting, select PBA for the pool's translation. Note that PBA mode for DS-lite is the same as for NAT44, except that all clients behind the DS-Lite tunnel are managed as one subscriber. Port block limits are in accordance with each DS-lite tunnel.
- For the Port Block Allocation setting, specify your preferred PBA configuration.
- In the Block Size field, type the number of ports designated for a block.
- In the Block Lifetime field, type the number of seconds before a port block times out. If you type a timeout other than 0, you can also specify a Zombie Timeout. A Block Lifetime value that is less than the Persistence Timeout value minimizes the number of zombie port blocks. The default value of 0 specifies no lifetime limit and indefinite use of the port block.
- In the Block Idle Timeout field, type the number of seconds after which an idle port block times out. Typically, you want to use a Block Idle Timeout value less than the Persistence Timeout value, to minimize the number of zombie port blocks.
- In the Client Block Limit field, type the number of blocks that can be assigned to a single subscriber IP address.
- In the Zombie Timeout field, type the number of seconds before a zombie port block times out. A zombie port block is a timed out port block with one or more active connections. The default value of 0 specifies no timeout and an indefinite zombie state for the port block, as long as connections remain active. A value other than 0 specifies a timeout expiration, upon which existing connections are terminated, and the port block is released and returned to the pool.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
- Click Finished.
Your PBA LSN pool is now ready, and you can continue to configure your
CGNAT.
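The port block lifecycle that the Block Size, Block Lifetime, Block Idle Timeout, Client Block Limit and Zombie Timeout settings above describe, as an added simulation written for this page (it is not BIG-IP code and makes no claim about TMOS internals). The port range 2000-2150 is the PBA range from the FTP example earlier in this chapter; the block size of 50, the client block limit of 2, the timeouts and the subscriber addresses are constructed values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortBlock:
    start: int                           # first port of the block
    size: int
    client: str                          # subscriber IP the block is assigned to
    allocated_at: float
    last_active: float
    active_conns: int = 0
    zombie_since: Optional[float] = None  # set when the block timed out with live connections

    @property
    def end(self):
        return self.start + self.size - 1


class PbaPool:
    """Port block allocator with the timeouts described in the PBA pool task."""

    def __init__(self, port_lo, port_hi, block_size, client_block_limit,
                 block_lifetime=0, block_idle_timeout=0, zombie_timeout=0):
        # Carve the range into whole blocks; a trailing partial block is never handed out.
        self.free = list(range(port_lo, port_hi - block_size + 2, block_size))
        self.size = block_size
        self.limit = client_block_limit
        self.lifetime = block_lifetime          # 0 = no lifetime limit
        self.idle_timeout = block_idle_timeout  # 0 = an idle block never times out
        self.zombie_timeout = zombie_timeout    # 0 = zombie persists while connections remain
        self.blocks = {}                        # start port -> PortBlock

    def allocate(self, client, now):
        """Give the subscriber a free block, or None when the client limit or the pool is exhausted."""
        owned = sum(1 for b in self.blocks.values()
                    if b.client == client and b.zombie_since is None)
        if owned >= self.limit or not self.free:
            return None
        start = self.free.pop(0)
        self.blocks[start] = PortBlock(start, self.size, client, now, now)
        return self.blocks[start]

    def open_conn(self, block, now):
        block.active_conns += 1
        block.last_active = now

    def close_conn(self, block, now):
        block.active_conns = max(0, block.active_conns - 1)
        block.last_active = now

    def sweep(self, now):
        """Apply the timeouts; returns (released, new_zombies) as lists of start ports."""
        released, zombies = [], []
        for start, b in list(self.blocks.items()):
            if b.zombie_since is None:
                expired = self.lifetime and now - b.allocated_at >= self.lifetime
                idle = (self.idle_timeout and b.active_conns == 0
                        and now - b.last_active >= self.idle_timeout)
                if expired or idle:
                    if b.active_conns == 0:
                        released.append(start)   # clean release: ports return to the pool
                    else:
                        b.zombie_since = now     # timed out but still in use: zombie
                        zombies.append(start)
            # A zombie is released once its connections drain, or forcibly when
            # the zombie timeout fires (existing connections are terminated).
            elif b.active_conns == 0 or (self.zombie_timeout
                                         and now - b.zombie_since >= self.zombie_timeout):
                b.active_conns = 0
                released.append(start)
        for start in released:
            del self.blocks[start]
            self.free.append(start)
        self.free.sort()
        return released, zombies
```

With a zombie timeout of 0 the zombie branch only fires when `active_conns` reaches zero, which is the indefinite zombie state the setting's default describes; a block lifetime of 0 and an idle timeout of 0 never expire a block at all.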
Configuring a SIP virtual server
Before you can create a SIP virtual server, you need to create a SIP ALG session
profile and a SIP ALG router profile.
You can create a SIP virtual server to provide
source address translation and manage messages as configured in the SIP session profile
and SIP router profile.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Description field, type a description for the virtual server.
- From the Type list, select Message Routing.
- In the Destination Address/Mask field, type an IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. For best results, F5 recommends that you enter the subnet that matches your destination server network.
- In the Service Port field, type 5060.
- From the Configuration list, select Advanced.
- From the Application Protocol list, select SIP.
- From the Session Profile list, select a SIP session ALG profile.
- From the Router Profile list, select a SIP router ALG profile.
- From the Source Address Translation list, select LSN.
- From the LSN Pool list, select an LSN pool.
- Click Finished.
A SIP virtual server is configured to provide source address translation and manage
messages as configured in the SIP session profile and SIP router profile.
Viewing reserved endpoints
When an LSN pool or AFM Dynamic PAT
source translation is configured, you can view information for the reserved
endpoints using the TMSH (TMOS Shell) command-line interface.
You can run the tmsh command run util lsndb from route domain 0 only. Running the command from a non-zero route domain produces an error message similar to the following:
Error: Connection to internal DB failed (err: Connection refused [111]).
- Access the tmsh command-line utility.
- At the command prompt, type tmsh run util lsndb list endpoint-reservations or tmsh run util lsndb list all. A listing similar to the following example appears.
# tmsh run util lsndb list endpoint-reservations
LSN Endpoint Reservations
Translation      Subscriber ID   Client           DS-Lite tunnel   Proto   Age
-------------------------------------------------------------------------------------------
5.5.5.1:1035     No-lookup       10.0.0.0:1035                     UDP     9
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     TCP     14
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     UDP     14
5.5.5.1:1033     No-lookup       10.0.0.0:1033                     UDP     9
5.5.5.2:5033     No-lookup       10.0.0.1:6000                     UDP     9
5 endpoint reservations found

# tmsh run util lsndb list all
LSN Client Connections
Client   Connections
-------------------------------------------------------------------------------------------
0 client with 0 connection found.
LSN Persistence Entries
Client   Translation   TTL
-------------------------------------------------------------------------------------------
0 persist entries found.
LSN port block allocations
Client   Port block   TTL
-------------------------------------------------------------------------------------------
0 port block entries found.
LSN Inbound Mapping Entries
Translation      Subscriber ID   Client           DS-Lite tunnel   Proto   Age
-------------------------------------------------------------------------------------------
0 inbound mappings found.
LSN Endpoint Reservations
Translation      Subscriber ID   Client           DS-Lite tunnel   Proto   Age
-------------------------------------------------------------------------------------------
5.5.5.1:1035     No-lookup       10.0.0.0:1035                     UDP     9
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     TCP     14
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     UDP     14
5.5.5.1:1033     No-lookup       10.0.0.0:1033                     UDP     9
5.5.5.2:5033     No-lookup       10.0.0.1:6000                     UDP     9
5 endpoint reservations found
PCP Entries
Client   Translation   Proto   Lifetime   Age
-------------------------------------------------------------------------------------------
0 PCP entries found.

# lsndb summary endpoint-reservations
--------------------------------------------------------------------------------------------
Summary: LSN Endpoint Reservation Entries
Translation Address   Client Count
-------------------------------------------------------------------------------------------
5.5.5.1               4
5.5.5.2               1
Total: 5
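A parser for the endpoint reservation listing above, as an added example written for this page (it is not F5 tooling): it reads the rows printed by tmsh run util lsndb list endpoint-reservations, cross-checks them against the trailing "N endpoint reservations found" line, reproduces the per-translation-address counts that lsndb summary endpoint-reservations prints, and flags translation endpoints reserved for more than one protocol. SAMPLE_OUTPUT is constructed from the listing above.

```python
import re
from collections import Counter

# Constructed from the listing above (same rows, same trailer line).
SAMPLE_OUTPUT = """\
LSN Endpoint Reservations
Translation      Subscriber ID   Client           DS-Lite tunnel   Proto   Age
-------------------------------------------------------------------------------------------
5.5.5.1:1035     No-lookup       10.0.0.0:1035                     UDP     9
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     TCP     14
5.5.5.1:1025     No-lookup       10.0.0.0:1025                     UDP     14
5.5.5.1:1033     No-lookup       10.0.0.0:1033                     UDP     9
5.5.5.2:5033     No-lookup       10.0.0.1:6000                     UDP     9
5 endpoint reservations found
"""

# One reservation row: translation, subscriber id, client, optional tunnel name, proto, age.
ROW_RE = re.compile(
    r"^(?P<translation>\S+:\d+)\s+(?P<subscriber>\S+)\s+(?P<client>\S+:\d+)\s+"
    r"(?:(?P<tunnel>\S+)\s+)?(?P<proto>TCP|UDP)\s+(?P<age>\d+)\s*$")


def parse_reservations(text):
    """Return the reservation rows as dicts; headers, rules and trailers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["age"] = int(row["age"])
            rows.append(row)
    return rows


def trailer_count_matches(text, rows):
    """Cross-check the parsed rows against the 'N endpoint reservations found' trailer."""
    m = re.search(r"^(\d+) endpoint reservations found", text, re.M)
    return m is not None and int(m.group(1)) == len(rows)


def reservations_per_translation(rows):
    """Equivalent of 'lsndb summary endpoint-reservations': rows per translation address."""
    return dict(Counter(r["translation"].rsplit(":", 1)[0] for r in rows))


def endpoints_shared_across_protocols(rows):
    """Translation endpoints holding reservations for more than one protocol, as
    5.5.5.1:1025 does above with both a TCP and a UDP row."""
    protos = {}
    for r in rows:
        protos.setdefault(r["translation"], set()).add(r["proto"])
    return sorted(t for t, ps in protos.items() if len(ps) > 1)


if __name__ == "__main__":
    rows = parse_reservations(SAMPLE_OUTPUT)
    print(trailer_count_matches(SAMPLE_OUTPUT, rows))
    print(reservations_per_translation(rows))
    print(endpoints_shared_across_protocols(rows))
```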
Overview: Using the RTSP ALG Profile to Stream Media
The Real Time Streaming Protocol (RTSP) application layer gateway (ALG) profile enables you to
establish streaming multimedia sessions between a client and a server. You can stream
multimedia sessions by configuring an LSN pool, configuring an RTSP profile, and then
assigning the LSN pool and RTSP profile to a virtual server. The RTSP protocol is described in
RFC 2326.
About the RTSP ALG profile
The Real Time Streaming Protocol (RTSP) profile enables you to stream multimedia content between
a client and server, using RTSP connections over TCP. The RTSP application layer gateway (ALG)
supports the RTSP protocol's control channel to an RTSP server, through which the client requests
a file for the server to stream (and controls the streaming of that file with commands like play
or pause). The client can request streaming over UDP and provide two listening ports for the
server response. The RTSP server responds with a Real-Time Transport Protocol (RTP) data channel
port, to stream the requested file, and a Real-Time Control Protocol (RTCP) control channel port,
which provides a stream description and status. You can specify RTP and RTCP port numbers in the
RTSP profile, which apply only when a client connects to a Windows Media server. If you configure
RTP and RTCP port numbers, both values must be nonzero.
You can configure the RTSP profile settings, as needed.
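The control-channel exchange described above is what the ALG has to read to know which UDP flows to open. The following is an added example, not BIG-IP code: it parses the Transport header of a constructed RTSP SETUP request and reply (RFC 2326 syntax), rejects a reply that changes the client's own ports, and returns the two UDP 4-tuples for RTP and RTCP. The fallback to profile RTP/RTCP ports when the reply carries no server_port is this example's reading of the Windows Media case mentioned above, labelled as an assumption in the code, not documented BIG-IP behaviour.

```python
"""Follow the RTSP SETUP exchange an RTSP ALG tracks: the client offers two
UDP listening ports (RTP, RTCP) in its Transport header, the server's reply
adds its own pair, and the gateway must open matching UDP flows.
Added example, not BIG-IP code; the messages below are constructed."""
import re

SETUP_REQUEST = (
    "SETUP rtsp://media.example.net/movie.mov/streamid=0 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n"
    "\r\n"
)


def transport_params(message):
    """Parse the Transport header into a dict. Port ranges become (rtp, rtcp)
    tuples; bare tokens such as 'unicast' map to True."""
    m = re.search(r"^Transport:[ \t]*(.+?)\r?$", message, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("no Transport header")
    params = {}
    for item in m.group(1).split(";"):
        key, _, value = item.strip().partition("=")
        pair = re.fullmatch(r"(\d+)-(\d+)", value)
        params[key.lower()] = (int(pair.group(1)), int(pair.group(2))) if pair else (value or True)
    return params


def data_channel_flows(request, response, client_ip, server_ip,
                       profile_rtp=0, profile_rtcp=0):
    """Return the UDP 4-tuples for RTP and RTCP as (client_ip, client_port,
    server_ip, server_port). A reply that alters client_port is rejected; a
    reply without server_port falls back to the profile ports only if both
    are nonzero (assumption about how the profile setting is applied)."""
    req = transport_params(request)
    resp = transport_params(response)
    client_ports = req["client_port"]
    if "client_port" in resp and resp["client_port"] != client_ports:
        raise ValueError("server reply altered client_port %r -> %r"
                         % (client_ports, resp["client_port"]))
    if "server_port" in resp:
        server_ports = resp["server_port"]
    elif profile_rtp and profile_rtcp:
        server_ports = (profile_rtp, profile_rtcp)
    else:
        raise ValueError("no server_port in reply and profile RTP/RTCP ports not both set")
    for port in client_ports + server_ports:
        if not 1 <= port <= 65535:
            raise ValueError("port %d out of range" % port)
    return {
        "rtp": (client_ip, client_ports[0], server_ip, server_ports[0]),
        "rtcp": (client_ip, client_ports[1], server_ip, server_ports[1]),
    }
```

The client_port comparison is the security-relevant check: the ports a gateway opens toward a subscriber should come from what the subscriber asked for, never from what a server echoes back.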
In this example, an LSN pool is configured with a translation IP address and prefix length of
10.33.1.0/24. The virtual server is configured with an RTSP control port using a wildcard
address and a specific port: 0.0.0.0:554. The configured translation mode uses the values of
the respective port range.

Translation mode | Port range |
---|---|
NAPT | 2000-3000 |
DNAT | 2000-2200 |
PBA | 2000-2150 |
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, navigate to the LSN Pool List screen.
- Click Create.
- In the Name field, type a unique name.
- In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
- For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- Click Finished.
Creating an RTSP profile
You can configure a real time streaming protocol (RTSP) profile on the BIG-IP system that streams multimedia content between a client and server.
- On the Main tab, navigate to the RTSP screen, which displays a list of available RTSP ALG profiles.
- Click Create.
- Type a name for the profile.
- From the Parent Profile list, select a parent profile.
- Select the Custom check box.
- In the RTP Port field, type the port number that a Microsoft Media Services server uses. The default is 0.
- In the RTCP Port field, type the port number that a Microsoft Media Services server uses. The default is 0. The RTP and RTCP port numbers apply only when a client connects to a Windows Media server; if you configure them, both values must be nonzero.
- Click Finished.
An RTSP profile is configured on the BIG-IP system that streams multimedia content between a client and server.
Configuring a CGNAT iRule
You create iRules to automate traffic forwarding for content-based routing. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to an LSN pool, a node, or a virtual server.
- On the Main tab, navigate to the iRule List screen.
- Click Create.
- In the Name field, type a 1 to 31 character name, such as cgn_https_redirect_iRule.
- In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax. For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
- Click Finished.
You now have an iRule to use with a CGNAT virtual server.
Creating a virtual server using an RTSP ALG profile
Virtual servers are matched based on source (client) addresses. Here are the steps to define a virtual server that references an RTSP profile and LSN pool.
- On the Main tab, navigate to the Virtual Server List screen.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, retain the default setting Standard.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 554 for the service.
- From the Protocol list, select TCP.
- From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
- From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
- From the RTSP Profile list, select an RTSP ALG profile for the virtual server to use.
- For the LSN Pool setting, select the pool that this server will draw on for addresses.
- Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list. This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
- Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.
Creating an RTSP ALG logging profile
You can create an ALG logging profile, and associate it with one or more RTSP ALG profiles, to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
- On the Main tab, navigate to the ALG logging profiles screen.
- Click Create. The New ALG Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.

Setting | Description |
---|---|
CSV Format | Generates log entries in comma-separated-values (CSV) format. |
Start Control Channel | Generates event log entries at the start of a control channel connection for an ALG client. |
End Control Channel | Generates event log entries at the end of a control channel connection for an ALG client. |
Start Data Channel | Generates event log entries at the start of a data channel connection for an ALG client. |
End Data Channel | Generates event log entries at the end of a data channel connection for an ALG client. |
Inbound Transaction | Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system. |

Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types; use only standard syslog formats.
- Click Finished.
Configuring an RTSP ALG profile
You can associate an RTSP ALG profile with a log publisher and logging profile that the BIG-IP system uses to send log messages to a specified destination.
- On the Main tab, navigate to the RTSP screen, which displays a list of available RTSP ALG profiles.
- Click the name of an RTSP profile.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a logging profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to any of them; unless all logging destinations are available, no logging occurs. If you want to log to the available logging destinations when one or more destinations become unavailable, set the logpublisher.atomic db variable to false.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a logging profile, you must also configure a log publisher.
- Click Finished.
Overview: Using the PPTP ALG profile to create a VPN tunnel
The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP system to support a virtual private network (VPN) tunnel that forwards PPTP control and data connections. You can create a VPN tunnel by configuring a PPTP profile, and then assigning the PPTP profile to a virtual server. The PPTP protocol is described in RFC 2637. The ALG forwards and translates the PPTP traffic; it adds no protection of its own, so the tunnel is only as strong as the PPTP authentication and encryption that the client and server negotiate.
The PPTP profile cannot be combined with any profile other than a TCP profile. The PPTP profile must be used separately and independently.
About the PPTP ALG profile
With the point-to-point tunneling protocol (PPTP) profile, you can configure the BIG-IP system to support a virtual private network (VPN) tunnel. A PPTP application layer gateway (ALG) forwards PPTP client control and data connections through the BIG-IP system to PPTP servers, and provides source address translation that allows multiple clients to share a single translation address. A PPTP client is also known as a PPTP Access Concentrator (PAC). PPTP servers are also known as PPTP Network Servers (PNSs).
The PPTP profile defines a Transmission Control Protocol (TCP) control connection and a data channel through a PPTP Generic Routing Encapsulation (GRE) tunnel. This manages the PPTP tunnels through CGNAT for NAT44 and DS-Lite. It also manages all translation modes, including Network Address Port Translation (NAPT), Deterministic, and Port Block Allocation (PBA) modes.
PPTP control channels
The BIG-IP system proxies PPTP control channels as normal TCP connections. The PPTP profile
translates outbound control messages, which contain Call Identification numbers (Call IDs)
that match the port that is selected on the outbound side. Subsequently, for inbound control
messages containing translated Call IDs, the BIG-IP system restores the original client Call
ID. You can use a packet tracer to observe this translation on the subscriber side or on the
Internet side. You can also use iRules® to evaluate and manage any
headers in the PPTP control channel.
PPTP GRE data channels
The BIG-IP system manages the translation for PPTP GRE data channels in a manner similar to
that of control channels. The BIG-IP system replaces the translated Call ID from the Key
field of the GRE header with the inbound client's Call ID. You can use a packet tracer to
observe this translation, as well.
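What the packet tracer shows on the GRE data channel is a single 16-bit field being swapped. The following is an added example, not BIG-IP code: it parses a PPTP enhanced GRE header (RFC 2637 section 4.1, with the Key field split into payload length and Call ID, plus the optional sequence and acknowledgment numbers), rewrites the Call ID from a translated-to-original mapping as the gateway does for inbound frames from the server, and refuses frames whose Call ID it has no mapping for. The frame, PPP payload and mapping are constructed; the values 32456 and 0 are taken from the log example later on this page.

```python
"""Rewrite the Call ID in a PPTP enhanced GRE header the way the ALG does for
inbound data: the server's frames carry the translated Call ID (ext-id) in
the Key field and the gateway restores the client's original Call ID.
Added example, not BIG-IP code; layout follows RFC 2637 section 4.1."""
import struct

PPTP_GRE_PROTO = 0x880B
FLAG_K = 0x2000       # Key field present (always set for PPTP)
FLAG_S = 0x1000       # Sequence number present
FLAG_A = 0x0080       # Acknowledgment number present
VERSION_MASK = 0x0007  # must be 1 for enhanced GRE


def parse_pptp_gre(frame):
    """Split a frame into (header dict, payload); reject anything that is not
    enhanced GRE version 1 carrying PPP (0x880B) with the Key field set."""
    if len(frame) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", frame[:8])
    if not (flags & FLAG_K) or (flags & VERSION_MASK) != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("not a PPTP enhanced GRE header")
    header = {"flags": flags, "length": length, "call_id": call_id}
    offset = 8
    if flags & FLAG_S:
        header["seq"] = struct.unpack("!I", frame[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_A:
        header["ack"] = struct.unpack("!I", frame[offset:offset + 4])[0]
        offset += 4
    payload = frame[offset:]
    if len(payload) != length:
        raise ValueError("payload length %d does not match header value %d" % (len(payload), length))
    return header, payload


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Assemble an enhanced GRE frame; seq and ack are optional as in the RFC."""
    flags = FLAG_K | 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    header = struct.pack("!HHHH", flags, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def rewrite_call_id(frame, mapping):
    """Replace the Call ID in the Key field using mapping (translated -> original),
    leaving sequence, ack and payload intact. A frame whose Call ID has no
    mapping is rejected rather than forwarded to an arbitrary subscriber."""
    header, payload = parse_pptp_gre(frame)
    if header["call_id"] not in mapping:
        raise KeyError("no translation for Call ID %d" % header["call_id"])
    return build_pptp_gre(mapping[header["call_id"]], payload, header.get("seq"), header.get("ack"))
```

Because the Call ID is the only thing that ties an inbound GRE frame to a subscriber, the unknown-ID rejection is the check to keep: forwarding such a frame on a best-effort basis would deliver Internet-originated GRE into whichever tunnel happened to match.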
Log messages
With the PPTP profile, you can configure Log Settings, specifically the Publisher Name
setting, which logs the name of the log publisher, and the Include Destination IP setting,
which logs the host IP address of the PPTP server, for each call establishment, call
failure, and call teardown.
If a client, for example a
personal computer (PC) or mobile phone, attempts to create a second concurrent call, then an
error message is logged and sent to the client.
PPTP profile log example
This topic includes examples of the elements that comprise a typical log entry.
Description of PPTP log messages
PPTP log messages include several elements of interest. The following examples describe typical log messages.

```
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
```

Information Type | Example Value | Description |
---|---|---|
Timestamp | Mar 1 18:46:11 | The time and date that the system logged the event message. |
Transformation mode | PPTP | The logged transformation mode. |
Command | CALL-REQUEST, CALL-START, CALL-END | The type of command that is logged. |
Client Call ID | id;0 | The client Call ID received from a subscriber. |
Client IP address | from;10.10.10.1 | The IP address of the client that initiated the connection. |
Reason | reason;0 | A code number that indicates the reason for terminating the connection. The following reason codes apply: |
Server IP address | to;20.20.20.1 | The IP address of the server that established the connection. If Include Destination IP is set to Disabled, then the Server IP address uses the value 0.0.0.0. |
NAT | nat;30.30.30.1 | The translated IP address. |
Translated client Call ID | ext-id;32456 | The translated client Call ID from the GRE header of the PPTP call. |
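These lines are the only record that ties a translated address and Call ID seen on the Internet side back to a subscriber, so they are worth parsing rather than grepping. The following is an added example, not BIG-IP code: it parses lines of the format shown above, tracks each call through CALL-REQUEST, CALL-START and CALL-END, flags a client that requests a second call while one is still open (the condition the text above says is logged and reported to the client), and answers the abuse-desk question "which subscriber was behind nat 30.30.30.1, ext-id 32457 at that time". The first two lines of LOG are the page's own examples; the remaining lines are constructed to show a second concurrent call and a nonzero reason code.

```python
"""Parse PPTP ALG log lines, correlate calls per client Call ID, flag a second
concurrent call, and map (nat, ext-id) back to the subscriber.
Added example, not BIG-IP code; lines 3-5 of LOG are constructed."""
import re
from collections import defaultdict

LOG = """\
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:12:PPTP CALL-REQUEST id;1 from;10.10.10.1 to;20.20.20.2 nat;30.30.30.1 ext-id;32457
Mar 1 18:46:15:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:20:PPTP CALL-END id;1 reason;3 from;10.10.10.1 to;20.20.20.2 nat;30.30.30.1 ext-id;32457
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d):PPTP "
    r"(?P<cmd>CALL-REQUEST|CALL-START|CALL-END) (?P<fields>.+)$"
)
INT_FIELDS = ("id", "reason", "ext-id")


def parse_line(line):
    """Return a dict for one log line, or None for a line that is not a PPTP event."""
    m = LINE.match(line.strip().strip('"'))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "cmd": m.group("cmd")}
    for token in m.group("fields").split():
        key, sep, value = token.partition(";")
        if not sep:
            raise ValueError("malformed field %r in %r" % (token, line))
        rec[key] = int(value) if key in INT_FIELDS else value
    return rec


def track_calls(text):
    """Replay the log in order. Returns (calls, violations): calls maps
    (client IP, client Call ID) to the call's last known state; violations
    lists (timestamp, client, Call ID) for a request made while the same
    client already had another call open."""
    open_calls = defaultdict(set)
    calls, violations = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, call_id = rec["from"], rec["id"]
        key = (client, call_id)
        if rec["cmd"] == "CALL-REQUEST":
            if open_calls[client] - {call_id}:
                violations.append((rec["ts"], client, call_id))
            open_calls[client].add(call_id)
            calls[key] = dict(rec, state="requested")
        elif rec["cmd"] == "CALL-START":
            calls.setdefault(key, dict(rec))["state"] = "established"
        elif rec["cmd"] == "CALL-END":
            open_calls[client].discard(call_id)
            calls.setdefault(key, dict(rec)).update(state="ended", reason=rec["reason"])
    return calls, violations


def subscriber_for(calls, nat, ext_id):
    """Map a translation address and translated Call ID seen on the Internet
    side back to (client IP, original Call ID); None if unknown."""
    for (client, call_id), rec in calls.items():
        if rec["nat"] == nat and rec["ext-id"] == ext_id:
            return client, call_id
    return None
```

The timestamps carry no year and second-level resolution only, so the replay keys on log order, not on time; when you merge logs from several destinations, keep the publisher's ordering intact or the concurrent-call check will produce false positives.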
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, navigate to the LSN Pool List screen.
- Click Create.
- In the Name field, type a unique name.
- In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
- For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- Click Finished.
Creating a PPTP profile
You can configure a point-to-point tunneling protocol (PPTP) profile on the BIG-IP system to support a virtual private network (VPN) tunnel that forwards PPTP control and data connections, and logs related messages.
- On the Main tab, navigate to the PPTP screen, which displays a list of available PPTP ALG profiles.
- Click Create.
- Type a name for the profile.
- From the Parent Profile list, select a parent profile.
- Select the Custom check box.
- From the Publisher Name list, select a log publisher for high-speed logging of messages. If None is selected, the BIG-IP system uses the default syslog. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to any of them; unless all logging destinations are available, no logging occurs. If you want to log to the available logging destinations when one or more destinations become unavailable, set the logpublisher.atomic db variable to false.
- From the Include Destination IP list, select whether to include the PPTP server's IP address in log messages. Enabled: includes the PPTP server's IP address in log messages for call establishment or call disconnect. Disabled (the default): includes 0.0.0.0 as the PPTP server's IP address in log messages for call establishment or call disconnect.
- Click Finished.
The PPTP profile displays in the ALG Profiles list on the PPTP screen.
Adding a static route to manage GRE traffic
Perform this task when you want to explicitly add a route for a destination client that is not on the directly-connected network. Depending on the settings you choose, the BIG-IP system can forward packets to a specified network device, or the system can drop packets altogether.
- On the Main tab, navigate to the route list screen.
- Click Add. The New Route screen opens.
- In the Name field, type a unique name. This name can be any combination of alphanumeric characters, including an IP address.
- In the Description field, type a description for this route entry.
- In the Destination field, type the destination IP address for the route.
- In the Netmask field, type the network mask for the destination IP address.
- From the Resource list, specify the method through which the system forwards packets:
  - Use Gateway: select this option when you want the next hop in the route to be a network IP address. This choice works well when the destination is a pool member on the same internal network as this gateway address.
  - Use Pool: select this option when you want the next hop in the route to be a pool of routers instead of a single next-hop router. If you select this option, verify that you have created a pool on the BIG-IP system, with the routers as pool members.
  - Use VLAN/Tunnel: select this option when you want the next hop in the route to be a VLAN or tunnel. This option works well when the destination address you specify in the routing entry is a network address. Selecting a VLAN/tunnel name as the resource implies that the specified network is directly connected to the BIG-IP system. In this case, the BIG-IP system can find the destination host simply by sending an ARP request to the hosts in the specified VLAN, thereby obtaining the destination host's MAC address.
  - Reject: select this option when you want the BIG-IP system to reject packets sent to the specified destination.
- In the MTU field, specify in bytes a maximum transmission unit (MTU) for this route.
- Click Finished.
A static route is defined to manage GRE traffic to a client.
Creating a virtual server using a PPTP ALG profile
Virtual servers are matched based on source (client) addresses. You define a virtual server that references the PPTP ALG profile and the LSN pool.
- On the Main tab, navigate to the Virtual Server List screen.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, retain the default setting Standard.
- For a network, in the Destination Address/Mask field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- In the Service Port field, type 1723 or select PPTP from the list.
- From the PPTP Profile list, select a PPTP ALG profile for the virtual server to use.
- From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list. Because the destination is a wildcard, this VLAN restriction is what keeps the listener on the subscriber-facing side rather than accepting PPTP from every VLAN.
- For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
- Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.
Overview: Configuring IPsec ALG with IKE
You can configure CGNAT IPsec application layer gateway (ALG) functionality with Internet Key
Exchange (IKE) security for LSN source address translation. A typical IPsec ALG configuration
includes a wildcard virtual server listening on Internet Security Association and Key Management
Protocol (ISAKMP) port 500, using IPsec tunnel mode. When the BIG-IP system receives the first
IKE packet, it picks a translation address, and, after successfully completing the IKE
negotiation, creates the IKE and IPsec flows.

Virtual Server Configuration | Setting |
---|---|
Service Port | 500 (ISAKMP) |
Protocol | UDP |
IPsecALG Profile | Default ipsecalg profile, or custom IPsecALG profile |
Source Address Translation | LSN |
LSN pool | One of the following LSN pool modes applies: NAPT, Deterministic, or PBA. |

The BIG-IP system must map a different translation address to each subscriber when two or
more subscribers connect to the same server. However, if each subscriber connects to a
different server, then each subscriber can use the same translation address, because the
server IP address distinguishes the traffic. If the pool of translation addresses is exhausted
when a new subscriber attempts to initiate an IKE exchange with a server, the BIG-IP system
logs an error and drops the IKE traffic from that subscriber.
About negotiation of security associations
The way to dynamically negotiate security associations is to configure the Internet Key Exchange
(IKE) protocol, which is included in the IPsec protocol suite. When you configure the IKE
protocol, two IPsec tunnel endpoints (IKE peers) open a secure channel using an ISAKMP security
association (ISAKMP-SA) to initially negotiate the exchange of peer-to-peer authentication data.
This exchange is known as Phase 1 negotiation. After Phase 1 is complete and the secure channel
is established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the
authentication and encryption algorithms to use to secure the payload. Without IKE, the system
cannot dynamically negotiate these security algorithms.
About the IPsecALG profile
The IPsecALG profile provides network address translation and flow management for Internet
Protocol Security (IPsec) and Internet Key Exchange (IKE) flows. This profile enables you to
specify an idle timeout value: a connection that is idle for the specified period becomes
eligible for deletion. You can also limit the number of pending Internet Key Exchange (IKE)
connections, the maximum number of unacknowledged connections that a client can have before
being denied further requests, to prevent a single client from consuming all of the connection
state while establishing connections. Additionally, you can apply an initial connection timeout
value, which determines the maximum number of seconds to wait for a response from the server
for an IKE or IPsec request.
Finally, you can configure a log publisher and logging profile for IPsec ALG functionality, as
necessary, through the IPsecALG profile.
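The address-sharing rule in the IKE overview above and the pending-IKE limit in the profile description are both small state machines, and they interact: a client that never finishes its exchanges would otherwise pin addresses for everyone. The following is an added example, not BIG-IP code, that models the two rules as stated on this page: a translation address may be shared by subscribers talking to different servers but must be distinct for subscribers reaching the same server (ESP carries no port numbers, so the server has nothing else to tell them apart), an exhausted pool logs an error and drops the IKE packet, and a client at its pending-IKE limit is refused further exchanges until one completes. The pool, subscriber and server addresses are constructed.

```python
"""Model the IPsec ALG's translation-address selection and pending-IKE limit.
Added example, not BIG-IP code; addresses below are constructed."""
import logging
from collections import defaultdict

log = logging.getLogger("ipsecalg")


class IpsecAlg:
    def __init__(self, translation_pool, pending_ike_limit):
        self.free = list(translation_pool)      # translation addresses not yet handed out
        self.in_use = {}                        # translation address -> set of server IPs using it
        self.flows = {}                         # (client, server) -> {"addr", "pending"}
        self.pending = defaultdict(int)         # client -> IKE exchanges not yet completed
        self.pending_ike_limit = pending_ike_limit

    def _pick_address(self, server):
        """Reuse an address no other subscriber uses towards this server,
        otherwise take a free one; None when the pool is exhausted."""
        for addr, servers in self.in_use.items():
            if server not in servers:
                return addr
        if self.free:
            addr = self.free.pop(0)
            self.in_use[addr] = set()
            return addr
        return None

    def ike_initial(self, client, server):
        """First IKE packet of an exchange. Returns the translation address the
        packet leaves with, or None when the ALG drops it."""
        flow = self.flows.get((client, server))
        if flow:
            return flow["addr"]                  # retransmit of an exchange already tracked
        if self.pending[client] >= self.pending_ike_limit:
            log.error("pending IKE limit reached for %s, dropping request to %s", client, server)
            return None
        addr = self._pick_address(server)
        if addr is None:
            log.error("translation pool exhausted, dropping IKE from %s to %s", client, server)
            return None
        self.in_use[addr].add(server)
        self.flows[(client, server)] = {"addr": addr, "pending": True}
        self.pending[client] += 1
        return addr

    def ike_complete(self, client, server):
        """IKE negotiation finished; the exchange no longer counts as pending."""
        flow = self.flows.get((client, server))
        if flow and flow["pending"]:
            flow["pending"] = False
            self.pending[client] -= 1

    def release(self, client, server):
        """Flow timed out or torn down; free the address once nothing uses it."""
        flow = self.flows.pop((client, server), None)
        if flow is None:
            return
        if flow["pending"]:
            self.pending[client] -= 1
        addr = flow["addr"]
        self.in_use[addr].discard(server)
        if not self.in_use[addr]:
            del self.in_use[addr]
            self.free.append(addr)
```

Note the capacity consequence: the number of subscribers that can reach one popular server concurrently is bounded by the number of translation addresses in the pool, not by ports as with NAPT. Size the pool for the busiest single destination, and watch the exhaustion log line.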
About IPsec Tunnel mode
Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP
header). This encrypted packet is then included as the payload in another outer packet with a
new header. Traffic sent in this mode is more secure than traffic sent in Transport mode,
because the original IP header is encrypted along with the original payload.
Creating a log publisher
Create a log publisher to specify where the BIG-IP system sends alert messages.
If you want alerts sent to a remote syslog server, you need to create two log publishers, one
for the local syslog server and one for the remote syslog server.
- On the Main tab, navigate to the Log Publishers screen.
- Click Create.
- In the Name field, type a unique, identifiable name for this publisher.
- For the Destinations setting, select local-syslog from the Available list, and click << to move the destination to the Selected list.
- Click Finished. The list of Log Publishers appears, showing the Log Publisher you just created.
- If you want to have alerts sent to a remote syslog server, repeat steps 2-5, and at step 4 select the log destination that you created previously from the Available list.
Creating an IPsecALG logging profile
You can create an ALG logging profile, and associate it with one or more IPsecALG profiles, to
configure logging options for various events that apply to high-speed logging (HSL)
destinations. A logging profile decreases the need to maintain a number of customized profiles
where the events are very similar.
- On the Main tab, navigate to the ALG logging profiles screen.
- Click Create. The New ALG Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.

Setting | Description |
---|---|
CSV Format | Generates log entries in comma-separated-values (CSV) format. |
Start Control Channel | Generates event log entries at the start of a control channel connection for an ALG client. |
End Control Channel | Generates event log entries at the end of a control channel connection for an ALG client. |
Start Data Channel | Generates event log entries at the start of a data channel connection for an ALG client. |
End Data Channel | Generates event log entries at the end of a data channel connection for an ALG client. |
Inbound Transaction | Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system. |

Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types; use only standard syslog formats.
- Click Finished.
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you
can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation
prefixes and parameters. You can configure the following types of LSN pools:
- NAPT
- Deterministic
- PBA
Creating a NAPT LSN pool
- The CGNAT module must be provisioned before LSN pools can be configured.
- Before associating an LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP system.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, navigate to the LSN Pool List screen.
- Click Create.
- In the Name field, type a unique name.
- In the Description field, type a description.
- Select NAPT for the pool's translation Mode.
- Click Finished.
Your NAPT LSN pool is now ready and you can continue to configure your CGNAT.
Creating a deterministic LSN pool
The CGNAT module must be provisioned before you can configure LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, navigate to the LSN Pool List screen.
- Click Create.
- In the Name field, type a unique name.
- For the Mode setting, select Deterministic for the pool's translation. Note that deterministic mode does not support DS-Lite tunneling or NAT64.
- From the Log Publisher list, select the publisher that includes the destinations to which you want to send log messages.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- For deterministic mode, the Backup Member List must have at least one member, so type an address in the Address/Prefix Length field and click Add.
- Click Finished.
Your deterministic LSN pool is now ready, and you can continue to configure your CGNAT.
Creating a PBA LSN pool
- The CGNAT module must be provisioned before LSN pools can be configured.
- Before associating an LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP system.
You configure Large Scale NAT (LSN) pools for the CGNAT module to use in allowing efficient configuration of translation prefixes and parameters.
- On the Main tab, navigate to the LSN Pool List screen.
- Click Create.
- In the Name field, type a unique name.
- In the Description field, type a description.
- For the Mode setting, select PBA for the pool's translation. Note that PBA mode for DS-Lite is the same as for NAT44, except that all clients behind a DS-Lite tunnel are managed as one subscriber; port block limits apply per DS-Lite tunnel.
- For the Port Block Allocation setting, specify your preferred PBA configuration.
- In the Block Size field, type the number of ports designated for a block.
- In the Block Lifetime field, type the number of seconds before a port block times out. If you type a timeout other than 0, you can also specify a Zombie Timeout. A Block Lifetime value that is less than the Persistence Timeout value minimizes the number of zombie port blocks. The default value of 0 specifies no lifetime limit and indefinite use of the port block.
- In the Block Idle Timeout field, type the number of seconds after which an idle port block times out. Typically, you want to use a Block Idle Timeout value less than the Persistence Timeout value, to minimize the number of zombie port blocks.
- In the Client Block Limit field, type the number of blocks that can be assigned to a single subscriber IP address.
- In the Zombie Timeout field, type the number of seconds before a zombie port block times out. A zombie port block is a timed-out port block with one or more active connections. The default value of 0 specifies no timeout and an indefinite zombie state for the port block, as long as connections remain active. A value other than 0 specifies a timeout expiration, upon which existing connections are terminated, and the port block is released and returned to the pool.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
- Click Finished.
Your PBA LSN pool is now ready, and you can continue to configure your CGNAT.
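The Block Size, Client Block Limit, Block Lifetime and Zombie Timeout settings above interact, and the easiest way to see how is to run them. The following is an added example, not BIG-IP code: a small port block allocator that hands whole blocks to subscribers, refuses a subscriber at its Client Block Limit (the setting that stops one host from consuming every block), marks a block a zombie when its lifetime expires while connections are still open, and releases a zombie either when its last connection closes or when the Zombie Timeout tears the remaining connections down. Block Idle Timeout is not modelled. The port range 2000-2150 is the PBA range from the RTSP example on this page; the translation address, subscriber addresses and clock values are constructed.

```python
"""Simulate port block allocation (PBA) with Block Size, Client Block Limit,
Block Lifetime and Zombie Timeout. Added example, not BIG-IP code."""


class PortBlockPool:
    def __init__(self,
                 translation_addr, port_range, block_size, client_block_limit,
                 block_lifetime=0, zombie_timeout=0):
        lo, hi = port_range
        self.addr = translation_addr
        self.block_size = block_size
        self.client_block_limit = client_block_limit
        self.block_lifetime = block_lifetime    # 0 = no lifetime limit
        self.zombie_timeout = zombie_timeout    # 0 = zombies live while connections remain
        # Whole blocks only: leftover ports at the top of the range are never used.
        self.free = [(p, p + block_size - 1) for p in range(lo, hi - block_size + 2, block_size)]
        self.blocks = {}        # block -> {"client", "allocated", "connections", "expired"}
        self.next_port = {}     # block -> next unused port within the block

    def allocate(self, client, now):
        """Hand a free block to `client`, or None at the block limit / empty pool."""
        held = [b for b, st in self.blocks.items() if st["client"] == client and not st["expired"]]
        if len(held) >= self.client_block_limit or not self.free:
            return None
        block = self.free.pop(0)
        self.blocks[block] = {"client": client, "allocated": now, "connections": 0, "expired": False}
        self.next_port[block] = block[0]
        return block

    def new_connection(self, client, now):
        """Return (translation address, port) for a new connection, or None."""
        for block, st in self.blocks.items():
            if st["client"] == client and not st["expired"] and self.next_port[block] <= block[1]:
                port = self.next_port[block]
                self.next_port[block] += 1
                st["connections"] += 1
                return (self.addr, port)
        if self.allocate(client, now) is None:
            return None
        return self.new_connection(client, now)

    def close_connection(self, port):
        """Connection on `port` ended; a zombie block with nothing left is freed."""
        block = next(b for b in self.blocks if b[0] <= port <= b[1])
        st = self.blocks[block]
        st["connections"] -= 1
        if st["expired"] and st["connections"] == 0:
            self._release(block)

    def tick(self, now):
        """Apply Block Lifetime and Zombie Timeout at time `now`; return released blocks."""
        released = []
        for block, st in list(self.blocks.items()):
            if self.block_lifetime and not st["expired"] and now - st["allocated"] >= self.block_lifetime:
                st["expired"] = True            # a zombie if connections are still open
                st["expired_at"] = now
                if st["connections"] == 0:
                    self._release(block)
                    released.append(block)
                    continue
            if st["expired"] and self.zombie_timeout and now - st["expired_at"] >= self.zombie_timeout:
                self._release(block)            # remaining connections are terminated
                released.append(block)
        return released

    def _release(self, block):
        del self.blocks[block]
        del self.next_port[block]
        self.free.append(block)
```

Two things the simulation makes visible: the Client Block Limit caps a single subscriber at block_size times the limit concurrent connections, which is the knob that bounds what a compromised host can consume; and with Zombie Timeout at 0 a block whose lifetime has expired never returns to the pool while even one connection stays open, so the Block Lifetime setting alone does not bound address reuse.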
Creating an IPsecALG profile
You can associate an IPsecALG profile with a log publisher and logging profile that the BIG-IP system uses to send log messages to a specified destination.
- On the Main tab, navigate to the IPsecALG profile list screen.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select a parent profile.
- In the Idle Timeout field, type the number of seconds that a connection is idle before the connection is eligible for deletion.
- In the Pending IKE Connection Limit field, type the maximum number of unacknowledged IKE connections that a client can send before being denied further requests.
- In the Initial Connection Timeout field, type the maximum number of seconds to wait for a response from the server for the IKE or IPsec request.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a logging profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to any of them; unless all logging destinations are available, no logging occurs. If you want to log to the available logging destinations when one or more destinations become unavailable, set the logpublisher.atomic db variable to false.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a logging profile, you must also configure a log publisher.
- Click Finished.
Creating an IPsec ALG virtual server for IKE
You can define a virtual server that applies an IPsecALG profile and LSN pool to match IPsec ALG source (client) addresses for address translation.
- On the Main tab, navigate to the Virtual Server List screen.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Description field, type a description for the virtual server.
- From the Type list, select Standard.
- In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
- In the Destination Address/Mask field:
  - If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
  - If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
  The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address or addresses for this field must be on the same subnet as the external self-IP address.
- In the Service Port field, type 500 or select ISAKMP from the list.
- From the Configuration list, select Advanced.
- From the Protocol list, select UDP.
- From the IPsecALG Profile list, select a profile.
- From the LSN Pool list, select an LSN pool.
- Click Finished.
A virtual server is configured to use an IPsecALG profile and LSN pool to match IPsec ALG source (client) addresses for address translation.
Overview: Configuring IPsec ALG with manual keys
You can configure IPsec application layer gateway (ALG) functionality with manual keys together with network address translation. A typical IPsec ALG configuration includes an IPsec ESP (protocol 50) virtual server listening on port 0 (wildcard) using IPsec tunnel mode.
This configuration does not provide NAT-T address translation. If you need to provide NAT-T address translation, a separate virtual server configured to use NAT-T address translation is required.
Virtual Server Configuration | Setting
---|---
Service Port | 0 (* All Ports)
Protocol |
IPsecALG Profile | Default ipsecalg profile, or custom IPsecALG profile
About IPsec Tunnel mode
Tunnel mode causes the IPsec protocol to encrypt the entire packet (the payload plus the IP header). This encrypted packet is then included as the payload in another outer packet with a new header. Traffic sent in this mode is more secure than traffic sent in Transport mode, because the original IP header is encrypted along with the original payload.
Creating a log publisher
Create a log publisher to specify where the BIG-IP system sends alert messages.
If you want alerts sent to a remote syslog server, you need to create two log publishers, one for the local syslog server and one for the remote syslog server.
- On the Main tab, click. The Log Publishers screen opens.
- Click Create.
- In the Name field, type a unique, identifiable name for this publisher.
- For the Destinations setting, select local-syslog from the Available list, and click << to move the destination to the Selected list.
- Click Finished. The list of Log Publishers appears, showing the Log Publisher you just created.
- If you want to have alerts sent to a remote syslog server, repeat steps 2-5, and at step 4 select the log destination that you created previously from the Available list.
Creating an IPsecALG logging profile
You can create an ALG logging profile, and associate it with one or more IPsecALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
- On the Main tab, click. The ALG logging profiles screen opens.
- Click Create. The New ALG Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- From the Parent Profile list, select a profile from which the new profile inherits properties.
- For the Log Settings area, select the Custom check box.
- For the Log Settings area, select Enabled for the following settings, as necessary.
  Setting | Description
  ---|---
  CSV Format | Generates log entries in comma-separated-values (csv) format.
  Start Control Channel | Generates event log entries at the start of a control channel connection for an ALG client.
  End Control Channel | Generates event log entries at the end of a control channel connection for an ALG client.
  Start Data Channel | Generates event log entries at the start of a data channel connection for an ALG client.
  End Data Channel | Generates event log entries at the end of a data channel connection for an ALG client.
  Inbound Transaction | Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP system.
  Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types and only use standard syslog formats.
- Click Finished.
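The two endpoint notations in the note above, the standard ip%rtdom:port form and the CSV ip,port,rtdom form, break naive field matching in a log pipeline when both appear. As an added example (not F5's code), this Python parser normalises either form into one value so events from differently configured profiles can still be correlated, and it flags a mixed batch; it assumes IPv4 addresses only and that route domain 0 is implied when the %rtdom suffix is absent.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    route_domain: int


# Standard BIG-IP form: ip%rtdom:port, with %rtdom optional (IPv4 only here).
_STANDARD = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:%(?P<rd>\d+))?:(?P<port>\d+)$")
# CSV Format form: ip,port,rtdom
_CSV = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<port>\d+),(?P<rd>\d+)$")


def detect_format(field):
    """Return 'standard', 'csv', or None for an endpoint field."""
    text = field.strip()
    if _STANDARD.match(text):
        return "standard"
    if _CSV.match(text):
        return "csv"
    return None


def parse_endpoint(field):
    """Normalise an endpoint field of either notation into an Endpoint.

    Route domain 0 is assumed when the standard form omits %rtdom.
    """
    text = field.strip()
    match = _STANDARD.match(text) or _CSV.match(text)
    if match is None:
        raise ValueError(f"unrecognised endpoint format: {field!r}")
    rd = match.group("rd")
    return Endpoint(match.group("ip"), int(match.group("port")),
                    int(rd) if rd is not None else 0)


def formats_mixed(fields):
    """True when a batch of endpoint fields uses both notations at once."""
    kinds = {detect_format(f) for f in fields} - {None}
    return len(kinds) > 1


if __name__ == "__main__":
    # Constructed sample fields, not captured from a real system.
    sample = ["10.0.0.5%0:51234", "10.0.0.5,51234,0", "192.0.2.1:500"]
    print([parse_endpoint(f) for f in sample], formats_mixed(sample))
```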
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters. You can configure the following types of LSN pools:
- NAPT
- Deterministic
- PBA
Creating a NAPT LSN pool
- The CGNAT module must be provisioned before LSN pools can be configured.
- Before associating an LSN pool with a log publisher, ensure that at least one log publisher exists on the BIG-IP system.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- In the Description field, type a description.
- Select NAPT for the pool's translation Mode.
- Click Finished.
Your NAPT LSN pool is now ready and you can continue to configure your CGNAT.
Creating a deterministic LSN pool
The CGNAT module must be provisioned before you can configure LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click. The LSN Pool List screen opens.
- Click Create.
- In the Name field, type a unique name.
- For the Mode setting, select Deterministic for the pool's translation. Note that deterministic mode does not support DS-lite tunneling or NAT64.
- From the Log Publisher list, select the publisher that includes the destinations to which you want to send log messages.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- For deterministic mode, the Backup Member List must have at least one member, so type an address in the Address/Prefix Length field and click Add.
- Click Finished.
Your deterministic LSN pool is now ready, and you can continue to configure your CGNAT.
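Two address/prefix rules on this page are easy to get wrong when pools and virtual servers are built from a spreadsheet or a script: deterministic LSN pool members must not overlap (the 10.10.10.0/24 versus 10.10.10.0/23 case above), and a virtual server destination must lie on the external self IP's subnet, with a bare IPv4 address treated as /32. As an added example (not F5's code), this Python pre-check applies both rules before the values are pasted into the GUI; it assumes a bare IPv6 address is treated as /128, which the manual does not state.

```python
import ipaddress


def parse_prefix(field):
    """Return the network for an Address/Prefix Length field value.

    ip_network gives a bare IPv4 address a /32 prefix, matching the
    BIG-IP behaviour the manual describes (bare IPv6 becomes /128, assumed).
    strict=False keeps a member such as 10.10.10.1/24 as 10.10.10.0/24.
    """
    return ipaddress.ip_network(field.strip(), strict=False)


def find_overlapping_members(members):
    """Return (a, b) pairs of LSN pool members whose prefix ranges overlap.

    A deterministic pool must have no such pairs.
    """
    nets = [parse_prefix(m) for m in members]
    clashes = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            # overlaps() is only meaningful between networks of one IP version
            if a.version == b.version and a.overlaps(b):
                clashes.append((str(a), str(b)))
    return clashes


def destination_matches_self_ip(destination, external_self_ip):
    """True when a virtual server destination sits on the external self IP's subnet."""
    self_net = ipaddress.ip_interface(external_self_ip).network
    dest = parse_prefix(destination)
    return dest.version == self_net.version and dest.subnet_of(self_net)


if __name__ == "__main__":
    # Constructed sample values; the first pair reproduces the manual's example.
    print(find_overlapping_members(
        ["10.10.10.0/24", "10.10.10.0/23", "192.0.2.0/26"]))
    print(destination_matches_self_ip("10.0.0.1", "10.0.0.254/24"))
```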
About VLANs with identical names and different tags
Sometimes a host administrator might publish a VLAN to a guest, but the guest administrator has
already created, or later creates, a VLAN with the same name but with a different VLAN tag. In
this case, the guest VLAN always overrides the host VLAN. The VLAN can still exist on the host
(for other guests to subscribe to), but it is the guest VLAN that is used.
Whenever host and guest VLANs have the same names but different tags, traffic cannot flow between
the identically-named VLANs at Layer 2. That is, when the tags do not match, the underlying Layer
2 infrastructure of the VLANs does not match, thereby preventing the host from reaching the
guest.
The example here shows the tmsh command sequence for creating two separate VLANs with the same names and different tags, and the resulting traffic flow issue.

```
# While logged into the guest, create a VLAN:
[root@G1:/S1-green-P:Active:Standalone] config # tmsh create net vlan VLAN_A tag 1000
# Show that no VLANs exist on the host:
[root@host_210:/S1-green-P:Active:Standalone] config # tmsh list net vlan all
[root@host_210:/S1-green-P:Active:Standalone] config #
# On the host, create a VLAN with the same name as the guest VLAN but with a unique tag on the host:
[root@host_210:/S1-green-P:Active:Standalone] config # tmsh create net vlan VLAN_A tag 1001
# Publish the host VLAN to the guest:
[root@host_210:/S1-green-P:Active:Standalone] config # tmsh modify vcmp guest guest1 vlans add { VLAN_A }
# Within the guest, show that the guest still has its own VLAN only, and not the VLAN published from the host:
[root@G1:/S1-green-P:Active:Standalone] config # tmsh list net vlan all
net vlan VLAN_A {
    if-index 192
    tag 1000
}
# Within the guest, create a self IP address for the VLAN:
[root@G1:/S1-green-P:Active:Standalone] config # tmsh create net self 10.1.1.1/24 vlan VLAN_A
# On the host, create a self IP address for the identically-named VLAN:
[root@host_210:/S1-green-P:Active:Standalone] config # tmsh create net self 10.1.1.2/24 vlan VLAN_A
# From the host, open a connection to the guest, and notice that because the two VLANs have different tags, the connection fails:
[root@host_210:/S1-green-P:Active:Standalone] config # ping -c2 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
From 10.1.1.2 icmp_seq=1 Destination Host Unreachable
From 10.1.1.2 icmp_seq=2 Destination Host Unreachable

--- 10.1.1.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 3000ms
pipe 2
```
Configuring an IPsecALG profile
You can associate an IPsecALG profile with a log publisher and logging profile that the BIG-IP system uses to send log messages to a specified destination.
- On the Main tab, click. The IPsecALG screen opens and displays a list of available IPsecALG profiles.
- Click the name of an IPsecALG profile.
- In the Idle Timeout field, type the number of seconds that a connection is idle before the connection is eligible for deletion.
- In the Pending IKE Connection Limit field, type the maximum number of unacknowledged IKE connections that a client can send, before being denied further requests.
- In the Initial Connection Timeout field, type the maximum number of seconds to wait for a response from the server for the IKE or IPsec request.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a Logging Profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a Logging Profile, you must also configure a Log Publisher.
- Click Finished.
Creating an IPsec ALG virtual server for manual keys
You can define a virtual server that applies an IPsecALG profile and LSN pool to match IPsec ALG source (client) addresses for address translation.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Description field, type a description for the virtual server.
- From the Type list, select Standard.
- In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
- In the Destination Address/Mask field:
  - If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
  - If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
  The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address or addresses for this field must be on the same subnet as the external self-IP address.
- In the Service Port field, type 50
- From the Configuration list, select Advanced.
- From the Protocol list, select IPsec ESP.
- From the IPsecALG Profile list, select a profile.
- From the LSN Pool list, select an LSN pool.
- Click Finished.
A virtual server is configured to use an IPsecALG profile and LSN pool to match IPsec ALG source (client) addresses for address translation.