Manual Chapter : About AFM NAT Translation Objects

Applies To: BIG-IP AFM 15.0.0

AFM NAT translation objects

AFM NAT translation objects define the NAT mapping types, IP addresses, and service ports used to translate and map client connections between networks. AFM uses two types of translation objects: source translation and destination translation. Once the necessary source and destination translation objects are created, you can associate them with a NAT policy.

AFM NAT source translation objects

AFM NAT source translation objects contain a variety of static and dynamic NAT and PAT mapping types that translate the source IPv4 and IPv6 addresses and service ports of packets traversing the BIG-IP system. A source translation object has the following properties.

Name: A unique name for the source translation.

Description: Specifies descriptive text that identifies the source translation item.

Type: Specifies the mapping type. Available options are:
  • Static-NAT - Static 1:1 IP address mapping between the source and destination. An equal number of internal and external IP addresses must be specified. Ports are not translated.
  • Static-PAT - Static 1:1 IP address and 1:1 service port mapping. This type allows multiple clients to access remote networks using a single IP address. Also known as NAPT.
  • Dynamic-PAT - Dynamic IP address mapping using groups, or pools, of IP addresses and service ports. A wide variety of additional configuration and mapping options becomes available when you select this type. For detailed information, refer to the next section, AFM Dynamic PAT options.

Addresses: Specifies the translation source IPv4 or IPv6 addresses available for allocation. All public source addresses come from this pool of IP address subnets.

Ports: Specifies the translation source service port or range of service ports available for allocation. All public source ports come from this pool of service ports. This option is not available when Static-NAT is the selected translation type.

ICMP Echo: Enables or disables responses to ICMP Echo requests for translated source IP addresses.

Proxy ARP: Specifies whether AFM responds to ARP requests for translated source IP addresses.
  • Enabled - AFM responds to ARP requests with the MAC address of the best-matching Self IP interface.
  • Disabled - AFM does not respond, and drops ARP requests.

Route Advertisement: Specifies whether AFM advertises routes for translated source IP addresses using the BIG-IP system's advanced routing modules (enabled) or not (disabled).

Egress Interface: Lists the interfaces over which source translation is allowed or prohibited.
  • Enabled on - Source address translation is allowed on the selected interface or tunnel.
  • Disabled on - Source address translation is prohibited on the selected interface or tunnel.

AFM Dynamic PAT options

When you select Dynamic-PAT as the source translation type, a variety of additional NAT mapping options become available.

PAT Mode: Specifies which type of translation mapping is performed. Available options are:
  • Deterministic (DNAT) - A reversible translation method. A given client address and port pair always translates to a particular public address and port specified in the source translation object. This method has the following restrictions:
    • It is only available for NAT44 translations.
    • It does not support connections through DS-Lite tunnels.
    • Connections must be received over a VLAN with the CMP Hash option set to Source Address.
    • Egress traffic must be over a VLAN with the CMP Hash option set to Destination Address.
    • NAT rules must have a Source option set to an IP address subnet that contains fewer than 2^31 addresses. For example, the Source cannot be 0.0.0.0/0.
  • NAPT (Network Address Port Translation) - Assigns translation IP addresses and service ports in round-robin fashion. The algorithm first cycles through the translation addresses and then through the translation ports specified in the source translation object.
  • Port Block Allocation (PBA) - Assigns blocks of the translation addresses and ports to individual clients. All client connections are restricted to the allocated port blocks. Only block allocations and de-allocations are logged, in order to reduce the volume of logs. This method has the following restrictions:
    • Connections must be received over a VLAN with the CMP Hash option set to Source Address.
    • Egress traffic must be over a VLAN with the CMP Hash option set to Destination Address.
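The difference between NAPT and Deterministic mode is easier to see in code. The following Python model is an added illustration and not F5 code: the class names, the two-address translation pool, the client subnet 10.0.0.0/28 and the way ports are chosen inside a client's block are all assumptions. What it shows is the round-robin order the text describes for NAPT (addresses first, then ports) and why DNAT is called reversible: a public address and port can be turned back into the client address with no per-connection state, which is what lets a DNAT deployment log far less than NAPT. It also applies the stated restriction that the Source subnet must hold fewer than 2^31 addresses.

```python
"""Model of the NAPT and Deterministic PAT modes described above.

Added illustration, not F5 code: the class names, the pool sizes and the
client subnet used here are assumptions chosen to keep the arithmetic visible.
"""
from ipaddress import IPv4Address, IPv4Network


class NaptAllocator:
    """NAPT: hand out translation address:port pairs round-robin, cycling through
    the translation addresses first and then through the ports."""

    def __init__(self, addresses, ports):
        self.addresses = [IPv4Address(a) for a in addresses]
        self.ports = list(ports)
        self.table = {}      # (client ip, client port) -> (public ip, public port)
        self._cursor = 0     # position in the address-major round-robin sequence

    def allocate(self, client):
        if client in self.table:            # an existing flow keeps its translation
            return self.table[client]
        capacity = len(self.addresses) * len(self.ports)
        if len(self.table) >= capacity:
            raise RuntimeError("translation pool exhausted")
        used = set(self.table.values())
        while True:
            idx = self._cursor % capacity
            self._cursor += 1
            # the address index changes on every step, the port index only after
            # a full pass over the addresses: "first the addresses, then the ports"
            public = (self.addresses[idx % len(self.addresses)],
                      self.ports[idx // len(self.addresses)])
            if public not in used:
                self.table[client] = public
                return public


class DeterministicNat:
    """DNAT: the client's position in the Source subnet fixes its public address and
    its port block, so a public address:port can be reversed to the client without
    a log entry per connection. Port choice inside the block is a simplification."""

    def __init__(self, source_subnet, addresses, ports):
        self.subnet = IPv4Network(source_subnet)
        if self.subnet.num_addresses >= 2 ** 31:   # restriction quoted in the text
            raise ValueError("Source subnet must contain fewer than 2^31 addresses")
        self.addresses = [IPv4Address(a) for a in addresses]
        self.port_base, self.port_count = ports.start, len(ports)
        # clients are split evenly over the public addresses, ports over the clients
        self.clients_per_address = -(-self.subnet.num_addresses // len(self.addresses))
        self.ports_per_client = self.port_count // self.clients_per_address

    def translate(self, client_ip, client_port):
        offset = int(IPv4Address(client_ip)) - int(self.subnet.network_address)
        if not 0 <= offset < self.subnet.num_addresses:
            raise ValueError(f"{client_ip} is outside the Source subnet {self.subnet}")
        public_ip = self.addresses[offset // self.clients_per_address]
        block_start = self.port_base + (offset % self.clients_per_address) * self.ports_per_client
        return public_ip, block_start + client_port % self.ports_per_client

    def reverse(self, public_ip, public_port):
        """Recover the client address from a public address:port (no state needed)."""
        slot = (public_port - self.port_base) // self.ports_per_client
        offset = self.addresses.index(IPv4Address(public_ip)) * self.clients_per_address + slot
        return self.subnet.network_address + offset


if __name__ == "__main__":
    napt = NaptAllocator(["203.0.113.10", "203.0.113.11"], range(1024, 1027))
    for client in [("10.0.0.1", 5000), ("10.0.0.2", 5000), ("10.0.0.3", 5000)]:
        print("NAPT", client, "->", napt.allocate(client))
    dnat = DeterministicNat("10.0.0.0/28", ["203.0.113.1", "203.0.113.2"], range(1024, 65536))
    pub = dnat.translate("10.0.0.9", 40000)
    print("DNAT 10.0.0.9:40000 ->", pub, "reverses to", dnat.reverse(*pub))
```

With two translation addresses and three ports, the NAPT allocator hands out 203.0.113.10:1024, 203.0.113.11:1024 and then 203.0.113.10:1025, which is the order the text specifies. The DNAT model splits the 16 client addresses of 10.0.0.0/28 into 8 per public address and gives each client an 8064-port block, so `reverse()` can name the subscriber behind any translated address and port from the configuration alone.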
Port Block Allocation options: These options are available when PAT Mode is set to Port Block Allocation.
  • Block Idle Timeout - Configures the idle period, after the last connection using the block has completed, after which the block assignment expires. The default value is 360 seconds.
  • Block Life Time - Configures the timeout after which the block is no longer used for new port allocations. The block then becomes a zombie block. The default is 0, which equates to infinite.
  • Block Size - Configures the number of ports in a block. The default value is 64.
  • Client Block Limit - Configures the number of blocks that can be assigned to a single client IP address. The default value is 1.
  • Zombie Timeout - Configures the timeout after which connections using the zombie block are killed. After the connections are killed, the zombie block is freed after the Block Idle Timeout period. This parameter is unused unless the Block Life Time option is set. The default value is 0, which equates to infinite.
  • Periodic Refresh Log - Logs additional periodic block status messages to improve subscriber traceability. This option is particularly helpful for identifying long-lived subscriber allocations. The default value is 0, or disabled.
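The PBA timers above interact in a fixed order (Block Life Time makes a block a zombie, Zombie Timeout kills what is still using it, Block Idle Timeout then frees it), and the point of the mode is that only block events reach the log. The following Python model is an added illustration and not F5 code; the class names and the small constructed values (a 4-port block, one block per client, short timers) are assumptions, as is the choice that a zombie block no longer counts against Client Block Limit, which is what lets a client obtain a fresh block when its old one ages out. Time is a number supplied by the caller so the walk-through is deterministic.

```python
"""Toy model of the AFM Port Block Allocation (PBA) timers described above.

Added illustration, not F5 code. Option names mirror the page (block_size,
client_block_limit, block_idle_timeout, block_life_time, zombie_timeout; 0 means
infinite for the last two). Assumption: a zombie block does not count against
Client Block Limit.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Block:
    start: int                    # first port in the block
    size: int
    allocated_at: float
    in_use: set = field(default_factory=set)   # ports held by live connections
    idle_since: Optional[float] = None         # when the last connection ended
    zombie_since: Optional[float] = None       # set once Block Life Time expires

    def label(self, ip):
        return f"{ip}:{self.start}-{self.start + self.size - 1}"


class PbaAllocator:
    def __init__(self, public_ip, port_range, block_size=64, client_block_limit=1,
                 block_idle_timeout=360, block_life_time=0, zombie_timeout=0):
        self.public_ip = public_ip
        self.block_size = block_size
        self.client_block_limit = client_block_limit
        self.block_idle_timeout = block_idle_timeout
        self.block_life_time = block_life_time
        self.zombie_timeout = zombie_timeout
        # carve the port range into fixed-size blocks, identified by first port
        self.free_blocks = list(range(port_range.start,
                                      port_range.stop - block_size + 1, block_size))
        self.blocks = {}   # client ip -> [Block]
        self.log = []      # only block allocations and releases are logged

    def _expire(self, now):
        for client, blocks in list(self.blocks.items()):
            for blk in list(blocks):
                # Block Life Time: the block takes no new ports and becomes a zombie
                if (self.block_life_time and blk.zombie_since is None
                        and now - blk.allocated_at >= self.block_life_time):
                    blk.zombie_since = now
                # Zombie Timeout: connections still using the zombie block are killed
                if (blk.zombie_since is not None and self.zombie_timeout and blk.in_use
                        and now - blk.zombie_since >= self.zombie_timeout):
                    blk.in_use.clear()
                    blk.idle_since = now
                # Block Idle Timeout: an empty block returns to the free pool
                if (not blk.in_use and blk.idle_since is not None
                        and now - blk.idle_since >= self.block_idle_timeout):
                    blocks.remove(blk)
                    self.free_blocks.append(blk.start)
                    self.log.append(f"t={now} FREE client={client} block={blk.label(self.public_ip)}")
            if not blocks:
                del self.blocks[client]

    def allocate(self, client, now):
        """Return (public ip, port) for a new connection, or None if PBA refuses it."""
        self._expire(now)
        blocks = self.blocks.setdefault(client, [])
        for blk in blocks:                      # reuse a live block the client owns
            if blk.zombie_since is None:
                for port in range(blk.start, blk.start + blk.size):
                    if port not in blk.in_use:
                        blk.in_use.add(port)
                        blk.idle_since = None
                        return self.public_ip, port
        live = sum(1 for b in blocks if b.zombie_since is None)
        if live >= self.client_block_limit or not self.free_blocks:
            return None                         # Client Block Limit or pool exhausted
        blk = Block(self.free_blocks.pop(0), self.block_size, now)
        blocks.append(blk)
        self.log.append(f"t={now} ALLOC client={client} block={blk.label(self.public_ip)}")
        blk.in_use.add(blk.start)
        return self.public_ip, blk.start

    def release(self, client, port, now):
        """A connection that used `port` has ended."""
        for blk in self.blocks.get(client, []):
            if port in blk.in_use:
                blk.in_use.remove(port)
                if not blk.in_use:
                    blk.idle_since = now
                return


def scenario():
    """Constructed walk-through: 4-port block, one block per client, 10 s idle
    timeout, 100 s block life time, 20 s zombie timeout."""
    pba = PbaAllocator("203.0.113.5", range(1024, 1040), block_size=4, client_block_limit=1,
                       block_idle_timeout=10, block_life_time=100, zombie_timeout=20)
    client = "10.0.0.7"
    first = [pba.allocate(client, now=t)[1] for t in range(4)]   # fills the block
    refused = pba.allocate(client, now=4)            # block full, limit reached
    pba.release(client, 1025, now=5)
    reused = pba.allocate(client, now=6)[1]          # freed port is handed back out
    rotated = pba.allocate(client, now=100)[1]       # first block is a zombie, new block
    pba.allocate(client, now=120)                    # zombie's connections are killed
    pba.allocate(client, now=130)                    # idle timeout frees the zombie block
    return {"first": first, "refused": refused, "reused": reused,
            "rotated": rotated, "log": pba.log, "free": pba.free_blocks}
```

Running `scenario()` produces exactly three log lines (two ALLOC, one FREE) for eleven connection events, which is the log-volume argument the text makes for PBA; the connection-level detail that NAPT would have logged is recoverable only to the granularity of a block and its lifetime, so Block Size and Block Life Time also set how precisely a subscriber can later be traced.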
Backup Addresses: Available when PAT Mode is set to Deterministic. Specifies additional backup addresses that may be used as translation addresses if DNAT mode fails deterministic translation. When this occurs, the fallback type is set to NAPT mode.

Exclude Addresses: Specifies the set of addresses excluded from the translation IP addresses available in the pool.
Mode: Specifies the mapping mode for persisting translation entries, that is, how to preserve public IP addresses for clients from session to session. Available options are:
  • Address Pooling Paired - Attempts to keep the IP address persistent, but not necessarily the port. If a client's private IP address:port combination is X:x, its public-side address may be X':a in one session, X':b in the next session, X':c in a third session, and so on.
  • Endpoint Independent Mapping - Attempts to keep the IP address and port persistent. If a client's private IP address:port combination is X:x, and its public-side address is X':x' in the first session, it remains X':x' in all future sessions. This is referred to as Endpoint Independent Mapping in RFC 4787. This is the only supported setting for Port Control Protocol (PCP) clients.
  • None - Prevents AFM NAT from attempting any IP address or port mapping. An address:port combination of X:x is never guaranteed to have the same public-side address or port in two sessions.

Timeout: Specifies the mapping timeout period. After the most recent session in which address:port X:x translated to X':x' on the public side, a timer begins. If the timer expires before X:x has another session, X' or x' may be used as the public side of another address:port. Use this parameter to set the timeout in seconds for addre
InBound Mode: Modifies the inbound-connection mode for incoming connections to translation endpoints. A translation endpoint is the public-side address and port (X':x') for a private-side address (X:x). You can enable the following algorithms for managing inbound co
  • Endpoint Independent Filtering - Creates inbound mappings automatically from outbound traffic, and allows inbound connections. Consider an outbound mapping from X:x to X':x'. If a connection comes from X:x through X':x', the BIG-IP system automatically creates a reverse mapping from X':x' back to X:x. A public-side station can respond through the X':x' address. This allows AFM to provide Endpoint Independent Filtering (EIF) as defined in section 5 of RFC 4787.
  • Explicit - Allows inbound connections if and only if there exists an inbound mapping to translate the public-side source address X':x' to the client's private address X:x. Clients can create inbound mappings using iRules or Port Control Protocol (PCP).
  • None - Disables inbound connections to translation endpoints (X':x'). If there is a mapping of X (private-side IP) to X' (public-side IP), connections can only go out from X through X'. If a public-side recipient tries to answer at the client's public-side X' address, the BIG-IP system does not map X' back to X, and the inbound connection is dropped. This setting does not support Port Control Protocol (PCP) clients.
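The Mode, Timeout and InBound Mode options above are three knobs on one mapping table, and the security consequence of each is clearer when they are modelled together: EIM plus EIF makes a client's X':x' reachable by any public host while the mapping lives, Explicit confines that to mappings a client deliberately requested, and None admits nothing inbound. The Python below is an added illustration and not F5 code; it uses the page's X:x and X':x' notation, and the two-address pool, the round-robin address choice, the sequential port counter and the class names are assumptions.

```python
"""Model of the Mode, Timeout and InBound Mode options described above.

Added illustration, not F5 code. Notation follows the page: a client's private
address:port is X:x and its public-side translation is X':x'. The two-address
pool, the round-robin address choice and the port counter are assumptions.
"""
from itertools import cycle


class NatMapper:
    def __init__(self, public_ips, mode="eim", inbound_mode="none", timeout=300):
        self.mode = mode                  # "none" | "paired" | "eim"
        self.inbound_mode = inbound_mode  # "none" | "explicit" | "eif"
        self.timeout = timeout            # the mapping Timeout, in seconds
        self._ips = cycle(public_ips)     # translation addresses, round-robin
        self._next_port = 1024
        self.active = {}       # (X, x) -> (X', x') for open sessions
        self.remembered = {}   # (X, x) -> ((X', x'), closed_at) while the timer runs
        self.explicit = {}     # (X', x') -> (X, x), created by PCP or an iRule

    def _fresh(self, client, now):
        """The mapping remembered for this client, if its Timeout has not expired."""
        entry = self.remembered.get(client)
        if entry and now - entry[1] <= self.timeout:
            return entry[0]
        self.remembered.pop(client, None)
        return None

    def open_session(self, client, now):
        """Client X:x starts an outbound session; return its public side X':x'."""
        if client in self.active:
            return self.active[client]
        previous = self._fresh(client, now)
        if previous and self.mode == "eim":          # same X' and same x'
            public = previous
        elif previous and self.mode == "paired":     # same X', any port
            public = (previous[0], self._next_port)
            self._next_port += 1
        else:                                        # Mode "none", or timer expired
            public = (next(self._ips), self._next_port)
            self._next_port += 1
        self.active[client] = public
        return public

    def close_session(self, client, now):
        public = self.active.pop(client)
        self.remembered[client] = (public, now)      # the Timeout timer starts here

    def add_explicit_mapping(self, public, client):
        """What a PCP request or an iRule would install for Explicit mode."""
        self.explicit[public] = client

    def inbound_allowed(self, public, now):
        """May a public-side host open a connection to translation endpoint X':x'?"""
        if self.inbound_mode == "none":
            return False
        if self.inbound_mode == "explicit":
            return public in self.explicit
        # EIF: the reverse mapping created by outbound traffic admits any public host
        known = set(self.active.values())
        known.update(entry[0] for c, entry in list(self.remembered.items())
                     if self._fresh(c, now))
        return public in known


def second_session_public(mode, gap):
    """Constructed check: what X:x = 10.0.0.5:5000 gets on a second session `gap`
    seconds after closing its first one, with Timeout 300."""
    nat = NatMapper(["203.0.113.1", "203.0.113.2"], mode=mode, timeout=300)
    client = ("10.0.0.5", 5000)
    nat.open_session(client, now=0)        # first session: 203.0.113.1:1024
    nat.close_session(client, now=10)
    return nat.open_session(client, now=10 + gap)
```

`second_session_public("eim", 20)` returns the original 203.0.113.1:1024, `"paired"` keeps the address but not the port, `"none"` moves to the next address in the pool, and with a gap longer than the Timeout even EIM starts over, which is why a long Timeout is what makes EIM useful to PCP clients and also what keeps an inbound-reachable endpoint open under EIF after the client has gone quiet.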
Client Connection Limit: The maximum number of simultaneous translated connections a client or subscriber is allowed to have.

Hairpin Mode: Enables or disables hairpinning for incoming connections. When a client sends a packet to another client in the same private network, hairpin mode sends the packet directly to the destination client's private address. The BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and returning later for translation, the packet takes a hairpin turn at the BIG-IP device.

NAT Stats Profile: Associates a NAT stats profile.

PCP: A Port Control Protocol (PCP) client can set, or learn, its translated public-side IP address and service port. It can also set the IP address and service port of a third-party client. PCP is defined in RFC 6887. Available options are:
  • Profile - Specifies the PCP profile to use for communication with PCP clients. PCP requires a profile and either a self IP or a DS-Lite tunnel where clients can send PCP requests. If you remove this profile option, you must also remove the specified self IP or DS-Lite tunnel.
  • Dslite - Specifies a DS-Lite tunnel for PCP packets. A DS-Lite tunnel places each IPv4 packet into the payload of an IPv6 packet. The IPv6 packet carries the IPv4 packet between the customer equipment and the BIG-IP system, which then removes the IPv4 packet, uses NAT to translate its IPv4 addresses, and sends it to its destination. You cannot use this property if the PAT Mode property is set to Deterministic.
  • Self IP - Specifies the PCP server self IP address for the Large Scale NAT (LSN) pool. The virtual server's clients send their PCP packets to this address. Choose a self IP address in a VLAN that is reachable by the virtual server's clients.

AFM destination translation objects

AFM NAT destination translation objects contain a variety of NAT modes and options to translate the destination IP addresses and service ports of packets traversing the AFM system. A destination translation object has the following options.

Name: A unique name for the destination translation.

Description: Specifies descriptive text that identifies the destination translation item.

Type: Specifies the type of destination translation to use. The available options are:
  • Static-NAT - Provides 1:1 static IP address mapping between the source and destination. An equal number of internal and external IP addresses must be specified. Ports are not translated.
  • Static-PAT - Provides 1:1 static IP address and 1:1 static port mapping. This type allows multiple clients to access remote networks using a single IP address. Also known as NAPT.

Addresses: Specifies the translation IPv4 or IPv6 addresses available for client allocation. This is a list of IP addresses and their subnet lengths. All addresses come from these IP address subnets.

Ports: Specifies the service port or range of service ports used for destination translation. This option is not available when Static-NAT is selected.