Manual Chapter : Common elements for CGNAT and LSN tasks

Applies To:


BIG-IP DNS, BIG-IP Analytics, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM, BIG-IP APM, BIG-IP LTM: 15.0.0

  1. On the Main tab, click
    Carrier Grade NAT
    Virtual Servers
    .
    The Virtual Servers list screen opens.
  2. Click
    Virtual Servers
    .
  3. On the Main tab, click
    Carrier Grade NAT
    Virtual Servers
    Virtual Address List
    The Virtual Address List screen opens.
  4. On the Main tab, click
    Carrier Grade NAT
    Virtual Servers
    Statistics
    Virtual Server
    The Carrier Grade NAT screen opens.
  5. Select the
    Custom
    check box.
  6. Click
    Create
    .
  7. Click
    Delete
    .
  8. Click
    Finished
    .
  9. In the Settings area, select the
    Allow FTPS
    check box.
  10. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    FTP
    .
    The FTP screen opens and displays a list of available FTP ALG profiles.
  11. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    SIP
    .
    The SIP screen opens and displays a list of available SIP ALG profiles.
  12. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    RTSP
    .
    The RTSP screen opens and displays a list of available RTSP ALG profiles.
  13. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    PPTP
    .
    The PPTP screen opens and displays a list of available PPTP ALG profiles.
  14. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    IPsecALG
    .
    The IPsecALG screen opens and displays a list of available IPsecALG profiles.
  15. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    TFTP
    .
    The TFTP screen opens and displays a list of available TFTP ALG profiles.
  16. On the Main tab, click
    Local Traffic
    Profiles
    Services
    TFTP
    .
    The TFTP screen opens and displays a list of available TFTP profiles.
  17. Type a name for the profile.
  18. In the
    Description
    field, type a description.
  19. From the
    Parent Profile
    list, select a parent profile.
  20. From the
    Publisher Name
    list, select a log publisher for high-speed logging of messages.
    If
    None
    is selected, the BIG-IP system uses the default syslog.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db variable to
    false
    .
  21. From the
    Include Destination IP
    list, select whether to include the PPTP server's IP address in log messages.
    Enabled
    Includes the PPTP server's IP address in log messages for call establishment or call disconnect.
    Disabled
    Default. Includes
    0.0.0.0
    as the PPTP server's IP address in log messages for call establishment or call disconnect.
  22. Select the
    Translate Extended
    check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol.
    The default is selected.
  23. Select the
    Inherit Parent Profile
    check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default.
    If this setting is disabled, the data channel uses FastL4 (BigProto) only.
  24. In the
    Data Port
    field, type a number for an alternate port.
    The default value for the FTP data port is
    20
    .
  25. In the
    Maximum Size (Bytes)
    field, type a number to specify the maximum size, in bytes, for a SIP message.
    The default is
    65535
    bytes.
  26. Select the
    Terminate on BYE
    check box to close a User Datagram Protocol (UDP) connection when a BYE transaction finishes.
    The default is selected.
  27. Clear the
    Terminate on BYE
    check box.
    You must clear the
    Terminate on BYE
    check box for TCP or UDP connections when the BIG-IP system functions as a SIP proxy, that is, when an inbound SNAT is configured and multiple calls are consolidated into one server-side connection. Select the
    Terminate on BYE
    check box, to improve performance, only for UDP connections where each client call comes from a unique IP address and no inbound SNATs are configured.
  28. Select the
    Dialog Aware
    check box to gather SIP dialog information, and automatically forward SIP messages belonging to the known SIP dialog.
    The default is cleared.
  29. Select the
    Security
    check box to enable the use of enhanced HSL security checking.
    The default is cleared.
  30. With the
    Dialog Aware
    check box selected, in the
    Community
    field, type a string to indicate whether the SIP virtual server-profile pair belongs to the same SIP proxy functional group.
  31. Configure the
    Insert Via Header
    settings.
    1. From the
      Insert Via Header
      list, select
      Enabled
      to insert a Via header in the forwarded SIP request. The default is
      Disabled
      .
    2. With the
      Insert Via Header
      setting enabled, in the
      User Via
      field, type the value that the system inserts as the top Via header in a SIP
      REQUEST
      message.
  32. Select the
    Secure Via Header
    check box to insert a secure Via header in the forwarded SIP request.
    The default is cleared.
  33. Select the
    Insert Record-Route Header
    check box to insert a Record-Route SIP header, which indicates the next hop for the following SIP request messages.
    The default is cleared.
  34. Configure the
    Application Level Gateway
    settings.
    1. From the
      Application Level Gateway
      list, select
      Enabled
      to provide options for defining ALG settings. The default is
      Disabled
      .
    2. From the
      RTP Proxy Style
      list, select one of the following settings.
      Symmetric: Sends and receives media on the same port.
      Restricted by IP address: Sends and receives media from specific IP addresses.
      Any Location: Sends and receives media from any location.
    3. In the
      Dialog Establishment Timeout
      field, type an interval, in seconds, during which the system attempts to establish a peer-to-peer SIP relationship between two user agents, which facilitates sequencing of messages and proper routing of requests between two user agents. The default is
      10
      .
    4. In the
      Registration Timeout
      field, type a time, in seconds, that elapses before the SIP registration process expires. The default is
      3600
      .
    5. In the
      SIP Session Timeout
      field, type an idle time, in seconds, after which the SIP session times out. The default is
      300
      .
    6. In the
      Maximum Media Sessions
      field, type a maximum number of allowable sessions. The default is
      6
      .
    7. In the
      Maximum Sessions Per Registration
      field, type a maximum number of allowable sessions per registration. The default is
      50
      .
    8. In the
      Maximum Registrations
      field, type a maximum number of allowable registrations. The default is
      100
      .
  35. Select the
    SIP Firewall
    check box to indicate that SIP firewall capability is enabled.
    The default is cleared.
  36. In the
    Idle Timeout
    field, type the number of seconds that an RTP connection is idle before the connection is eligible for deletion.
    The default is
    300
    seconds.
  37. In the
    Maximum Header Size
    field, type the maximum size of an RTSP request or response header, in bytes, that the system allows before closing the connection.
    The default is
    4096
    bytes.
  38. In the
    Maximum Queued Data
    field, type the maximum amount of data, in bytes, that the BIG-IP system buffers, before determining that the connection is unusable, and subsequently closing the connection.
    The default value is
    32768
    bytes.
  39. Select the
    Unicast Redirect
    check box to specify that the client can select the destination port for the streamed data. The destination address for the data is the source of the request.
    The default is cleared.
  40. Select the
    Multicast Redirect
    check box to specify, for multicast streams, that the client has permission to supply a different destination IP address for the streamed data.
    The default is cleared.
  41. Select the
    Session Reconnect
    check box to specify that the system persists a resumed control connection to the correct server. Typical clients do not support this behavior.
    The default is cleared.
  42. Select the
    Real HTTP Persistence
    check box to specify that the system automatically persists RTSP data that RealNetworks clients tunnel over HTTP on the RTSP port.
  43. Select the
    Check Source
    check box to specify that the system examines the origin of the message to determine whether the message came from the client or the server.
    The default is selected.
  44. From the
    Proxy
    list, select an RTSP proxy configuration to associate with the RTSP profile.
    The default is
    None
    .
  45. In the
    Proxy Header
    field, type the value of a header that the system inserts into a
    SETUP
    request. The value of this header is typically information about the client IP address and is read by another RTSP profile. The default is blank.
    The system removes this header from the request prior to sending the request to the server for processing.
  46. In the
    RTP Port
    field, type the port number that a Microsoft Media Services server uses. The default is
    0
    .
    You can specify Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) port numbers in the RTSP profile, which only apply when a client connects to a Windows Media server. If you configure RTP and RTCP port numbers, both values must be nonzero.
  47. In the
    RTCP Port
    field, type the port number that a Microsoft Media Services server uses. The default is
    0
    .
    You can specify Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) port numbers in the RTSP profile, which only apply when a client connects to a Windows Media server. If you configure RTP and RTCP port numbers, both values must be nonzero.
  48. On the Main tab, click
    Carrier Grade NAT
    PCP Profiles
    +
    .
    The New PCP Profile screen opens.
  49. In the
    Idle Timeout
    field, type the number of seconds that a connection is idle before the connection is eligible for deletion.
  50. In the
    Pending IKE Connection Limit
    field, type the maximum number of unacknowledged IKE connections that a client can have outstanding before the system denies further requests from that client.
  51. In the
    Initial Connection Timeout
    field, type the maximum number of seconds to wait for a response from the server for the IKE or IPsec request.
  52. On the Main tab, click
    Carrier Grade NAT
    LSN Pools
    .
    The LSN Pool List screen opens.
  53. On the Main tab, click
    Carrier Grade NAT
    LSN Pools
    LSN Pool List
    .
    The LSN Pool List screen opens.
  54. Click the name of an LSN pool.
  55. Select an LSN pool from the list.
    The configuration screen for the pool opens.
  56. Click
    Create
    .
  57. In the
    Name
    field, type a unique name.
  58. In the Configuration area, for the
    Member List
    setting, type an address and a prefix length in the
    Address/Prefix Length
    field, and click
    Add
    .
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix
    10.10.10.0/24
    overlaps
    10.10.10.0/23
    .
  59. For the
    Member List
    setting, type an address and a prefix length in the
    Address/Prefix Length
    field, and click
    Add
    .
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix
    10.10.10.0/24
    overlaps
    10.10.10.0/23
    .
  60. From the
    Mode
    list, select an address translation mode.
  61. In the Configuration area, for the
    Persistence Mode
    setting, select
    Address
    .
  62. In the Configuration area, for the
    Persistence Mode
    setting, select
    Address
    or
    Address Port
    .
  63. For the
    Member List
    setting, in the
    Address/Prefix Length
    field, type an address and a prefix length and click
    Add
    .
    In a NAT64 implementation, the pool members are the IPv4 translation addresses that IPv6 clients are mapped to; an example of a member address and prefix is
    203.0.113.0/24
    .
  64. For the
    Member List
    setting, in the
    Address/Prefix Length
    field, type an IPv4 address and a prefix length and click
    Add
    .
    In a NAT64 implementation, an example of an IPv4 member address and prefix is
    203.0.113.0/24
    .
  65. Click
    Finished
    .
  66. Select
    NAPT
    for the pool's translation
    Mode
    .
  67. Select
    NAPT
    or
    Deterministic
    for the pool's translation
    Mode
    .
    NAPT mode provides standard address and port translation, so multiple clients share the same external address. Deterministic mode provides address translation that does not require logging the creation and deletion of every address mapping, while still allowing the internal client address to be determined from the external address and port together with the destination address and port. Deterministic mode does not support
    DS-lite
    tunneling or
    NAT64
    .
  68. For the
    Mode
    setting, select
    Deterministic
    for the pool's translation.
    Note that deterministic mode does not support
    DS-lite
    tunneling or
    NAT64
    .
  69. For the
    Mode
    setting, select
    PBA
    for the pool's translation.
    Note that PBA mode for DS-Lite is the same as for NAT44, except that all clients behind a DS-Lite tunnel are managed as one subscriber, so port block limits apply per DS-Lite tunnel.
  70. From
    Persistence Mode
    , select to persist on
    Address
    or
    Address Port
    .
    This is the address mode the CGNAT module uses to track and store connection data.
  71. In the
    Persistence Timeout
    field, type the number of seconds before persisted connections time out.
    Typically, you want to type a
    Persistence Timeout
    value greater than the
    Block Idle Timeout
    value, to minimize the number of zombie port blocks.
  72. For the
    Port Block Allocation
    setting, specify your preferred PBA configuration.
    1. In the
      Block Size
      field, type the number of ports designated for a block.
    2. In the
      Block Lifetime
      field, type the number of seconds before a port block times out.
      If you type a timeout other than
      0
      , you can also specify a
      Zombie Timeout
      . A
      Block Lifetime
      value that is less than the
      Persistence Timeout
      value minimizes the number of zombie port blocks. The default value of
      0
      specifies no lifetime limit and indefinite use of the port block.
    3. In the
      Block Idle Timeout
      field, type the number of seconds a port block can remain idle before it times out.
      Typically, you want to use a
      Block Idle Timeout
      value less than the
      Persistence Timeout
      value, to minimize the number of zombie port blocks.
    4. In the
      Client Block Limit
      field, type the number of blocks that can be assigned to a single subscriber IP address.
    5. In the
      Zombie Timeout
      field, type the number of seconds before a zombie port block times out.
      A
      zombie port block
      is a port block that has timed out but still has one or more active connections. The default value of
      0
      specifies no timeout and an indefinite zombie state for the port block, as long as connections remain active. A value other than
      0
      specifies a timeout expiration, upon which existing connections are terminated, and the port block is released and returned to the pool.
  73. If you want to ensure that messages are routed within the internal network, select
    Enabled
    from the
    Hairpin Mode
    list.
    Hairpinning lets a subscriber reach another subscriber behind the same LSN pool by that subscriber's translation address: the BIG-IP system translates the traffic and routes it back into the internal network instead of forwarding it out, for times when the origin and destination endpoints are on the same side of the NAT.
  74. Select the
    Route Advertisement
    check box to make the LSN pool addresses available for advertisement through dynamic routing protocols.
    This setting relies on the Advanced Routing Module (ARM) to advertise the routes.
  75. If you want this pool to accept inbound connections, select
    Explicit
    , or
    Automatic
    from the
    Inbound Connections
    list. To stop inbound connections, select
    Disabled
    .
  76. Select the
    ICMP Echo
    check box to have the translation addresses respond to ICMP echo requests.
  77. From the
    Log Publisher
    list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db variable to
    false
    .
  78. From the
    Log Publisher
    list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db key to
    false
    . If all the remote high-speed log (HSL) destinations are down (unavailable), setting the
    logpublisher.atomic
    db key to
    false
    will not work to allow the logs to be written to local-syslog. The
    logpublisher.atomic
    db key has no effect on local-syslog.
  79. In the Log Settings area, from the
    Log Publisher
    list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    If you configure a log publisher, you must also configure a Logging Profile.
    If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the
    logpublisher.atomic
    db variable to
    false
    .
  80. From the
    Log Publisher
    list, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.
  81. In the Settings area, for the
    Idle Timeout
    setting, type the number of seconds a connection can carry no traffic before it becomes eligible for deletion. The default value is 30 seconds.
  82. Set the
    Port Range Low
    to specify the low end of the range of port numbers available for use within translation IP addresses.
  83. Set the
    Port Range High
    to specify the high end of the range of port numbers available for use within translation IP addresses.
  84. Set the
    Client Connection Limit
    to specify the maximum number of simultaneous connections translated for a client or subscriber.
  85. From the
    Egress
    list, select
    Enabled on
    to allow source address translation only on a specified set of egress interfaces.
  86. Use the
    Egress Interfaces
    setting to specify the set of interfaces on which the previous step enables or disables source address translation.
  87. In the Configuration area, for the
    Member List
    setting, type an address and a prefix length in the
    Address/Prefix Length
    field, and click
    Add
    .
  88. For deterministic mode, the
    Backup Member List
    must have at least one member, so type an address in the
    Address/Prefix Length
    field and click
    Add
    .
  89. From the
    PCP Profile
    list, select a pre-created PCP profile.
    If you have not yet created a customized profile, you can use the default PCP profile
    pcp
    .
    The other two PCP-related settings become active.
  90. Specify the self IP address or DS-Lite tunnel to which the virtual server's clients send their PCP requests. You can use either field:
    • Use the
      PCP Server IP
      list to select one of the existing self IP addresses on the system, or
    • Use the
      PCP DS-LITE Tunnel Name - IPv6
      list to select an existing DS-Lite tunnel.
    The virtual server's clients can then send PCP requests to the self IP address or through the DS-Lite tunnel that you selected.
  91. On the Main tab, click
    Carrier Grade NAT
    Logging Profiles
    LSN
    .
    The LSN profile list screen opens.
  92. On the Main tab, click
    Carrier Grade NAT
    Logging Profiles
    LSN
    .
    The LSN logging profiles screen opens.
  93. Click
    Create
    .
    The New LSN Logging Profile screen opens.
  94. In the
    Name
    field, type a unique name for the logging profile.
  95. In the
    Name
    field, type a unique name for the TFTP profile.
  96. For the Log Settings area, select the
    Custom
    check box.
  97. For the Settings area, select the
    Custom
    check box.
  98. Configure the log settings, as necessary.
  99. Optional: From the
    Logging Profile
    list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
  100. For the Log Settings area, select
    Enabled
    for the following settings, as necessary.
    CSV Format: Generates log entries in comma-separated-values (CSV) format.
    Start Outbound Session: Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session: Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session: Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session: Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded: Generates event log entries when an LSN client exceeds allocated resources.
    Errors: Generates event log entries when LSN translation errors occur.
    Subscriber ID: Allows for subscriber ID logging.
  101. For the Log Settings area, select
    Enabled
    for the following settings, as necessary.
    CSV Format: Generates log entries in comma-separated-values (CSV) format.
    Start Outbound Session: Generates event log entries at the start of a translation event for an LSN client.
    End Outbound Session: Generates event log entries at the end of a translation event for an LSN client.
    Start Inbound Session: Generates event log entries at the start of an incoming connection event for a translated endpoint.
    End Inbound Session: Generates event log entries at the end of an incoming connection event for a translated endpoint.
    Quota Exceeded: Generates event log entries when an LSN client exceeds allocated resources.
    Errors: Generates event log entries when LSN translation errors occur.
    Subscriber ID: Allows for subscriber ID logging.
    Enabling
    CSV Format
    affects Splunk ingestion because IP addresses are logged as
    ip,port,rtdom
    instead of
    ip%rtdom:port
    . Do not mix log types, and use only standard syslog formats.
  102. On the Main tab, click
    Carrier Grade NAT
    Logging Profiles
    ALG
    .
    The ALG logging profiles screen opens.
  103. On the Main tab, click
    Local Traffic
    Profiles
    Other
    ALG Logging
    .
    The ALG Logging screen opens.
  104. Click
    Create
    .
    The New ALG Logging Profile screen opens.
  105. Click
    Create
    .
    The New TFTP Profile screen opens.
  106. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    FTP
    .
    The FTP screen opens.
  107. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    RTSP
    .
    The RTSP screen opens.
  108. Click the name of an FTP profile.
  109. Click the name of a SIP profile.
  110. Click the name of an RTSP profile.
  111. Click the name of a TFTP profile.
  112. Click the name of an IPsecALG profile.
  113. From the
    Logging Profile
    list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events.
    If you configure a Logging Profile, you must also configure a Log Publisher.
  114. From the
    Logging Profile
    list, select the logging profile the BIG-IP system uses to configure logging options for various TFTP events.
    If you configure a Logging Profile, you must also configure a Log Publisher.
  115. For the Log Settings area, select
    Enabled
    for the following settings, as necessary.
    CSV Format: Generates log entries in comma-separated-values (CSV) format.
    Start Control Channel: Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel: Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel: Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel: Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction: Generates event log entries for ALG messages triggered by an inbound connection to the BIG-IP system.
  116. For the Log Settings area, select
    Enabled
    for the following settings, as necessary.
    CSV Format: Generates log entries in comma-separated-values (CSV) format.
    Start Control Channel: Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel: Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel: Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel: Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction: Generates event log entries for ALG messages triggered by an inbound connection to the BIG-IP system.
    Enabling
    CSV Format
    affects Splunk ingestion because IP addresses are logged as
    ip,port,rtdom
    instead of
    ip%rtdom:port
    . Do not mix log types, and use only standard syslog formats.
  117. On the Main tab, click
    Carrier Grade NAT
    NAT Stats Profile
    .
  118. Click
    Create
    .
    The New NAT Stats Profile screen opens.
  119. In the Settings area, from the
    Stats Tracking Level
    list, retain the default,
    Disabled
    , or select a level of reporting.
    High: Includes the roll-up level of a translation address, the persistence-entries metric for the roll-up level of an LSN pool, and a fw-nat-source-translation-object.
    Medium: Includes the metrics for active-subscribers, cumulative-subscribers, and peak-subscribers.
    Low: Includes all other statistics.
  120. For the Address Utilization, Port Utilization, and Error Threshold areas, retain the default settings or change them to appropriate values as necessary.
  121. Click
    Finished
    to save the new NAT Stats Profile.
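The LSN pool steps above (non-overlapping Member List entries and a Backup Member List for deterministic mode, Port Range Low/High, the PBA Block Size, Block Idle Timeout, Block Lifetime and Persistence Timeout relationships that keep zombie port blocks down, Client Block Limit, and the statement that deterministic mode needs no log entry per mapping) can be checked before you commit a pool. The following Python is an added example, not code from this page or from BIG-IP: it validates those caveats, computes how many port blocks and subscribers a pool can serve, and implements a simplified deterministic mapping to show how an observed external address and port reverse to a subscriber without a log. The LsnPoolSettings class, its sample default values, and the mapping scheme are assumptions made for the example and do not describe BIG-IP's internal algorithm.

```python
# Added example, not code from the F5 page or from BIG-IP: pre-flight checks for
# an LSN pool in PBA or deterministic mode, the port-block capacity behind
# Block Size and Client Block Limit, and a toy deterministic mapping showing why
# that mode needs no log entry per mapping. The mapping scheme is an assumed
# illustration, not BIG-IP's algorithm; numeric defaults are sample values.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LsnPoolSettings:
    members: list                                        # Member List prefixes
    backup_members: list = field(default_factory=list)   # Backup Member List
    port_range_low: int = 1024                           # Port Range Low
    port_range_high: int = 65535                         # Port Range High
    block_size: int = 64                                 # PBA Block Size (ports)
    block_lifetime: int = 0                              # PBA Block Lifetime, 0 = none
    block_idle_timeout: int = 300                        # PBA Block Idle Timeout
    persistence_timeout: int = 3600                      # Persistence Timeout
    client_block_limit: int = 1                          # PBA Client Block Limit


def overlapping_members(prefixes):
    """Deterministic mode rejects overlapping members, e.g. the doc's pair
    10.10.10.0/24 and 10.10.10.0/23."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [f"{a} overlaps {b}"
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def preflight(s, mode):
    """List the documented caveats this configuration violates (empty = OK)."""
    problems = []
    if s.port_range_low >= s.port_range_high:
        problems.append("Port Range Low must be below Port Range High")
    if mode == "deterministic":
        problems += overlapping_members(s.members)
        if not s.backup_members:
            problems.append("Backup Member List needs at least one member")
    if mode == "pba":
        if s.persistence_timeout <= s.block_idle_timeout:
            problems.append("Persistence Timeout should exceed Block Idle Timeout")
        if s.block_lifetime and s.block_lifetime >= s.persistence_timeout:
            problems.append("Block Lifetime should be below Persistence Timeout")
    return problems


def pba_capacity(s):
    """Port blocks the pool can allocate, and what Client Block Limit bounds."""
    ports_per_address = s.port_range_high - s.port_range_low + 1
    blocks_per_address = ports_per_address // s.block_size
    addresses = sum(ipaddress.ip_network(p, strict=False).num_addresses
                    for p in s.members)
    total_blocks = addresses * blocks_per_address
    return {
        "translation_addresses": addresses,
        "blocks_per_address": blocks_per_address,
        "total_blocks": total_blocks,
        # if every subscriber takes its full limit, this many still fit
        "subscribers_at_block_limit": total_blocks // s.client_block_limit,
        "max_ports_per_subscriber": s.client_block_limit * s.block_size,
    }


class DeterministicMap:
    """Toy deterministic NAT: each internal address owns a fixed port slice of
    one translation address, so an observed (ip, port) reverses to the
    subscriber without per-mapping logging. Assumed scheme, not BIG-IP's."""

    def __init__(self, internal_prefix, s):
        self.internal = ipaddress.ip_network(internal_prefix, strict=False)
        self.externals = [ip for p in s.members
                          for ip in ipaddress.ip_network(p, strict=False)]
        self.low = s.port_range_low
        ports = s.port_range_high - s.port_range_low + 1
        self.ports_per_client = ports * len(self.externals) // self.internal.num_addresses
        if self.ports_per_client == 0:
            raise ValueError("translation pool too small for the internal prefix")
        self.clients_per_external = ports // self.ports_per_client

    def forward(self, internal_ip):
        """(translation address, first port, last port) owned by a subscriber."""
        offset = int(ipaddress.ip_address(internal_ip)) - int(self.internal.network_address)
        if not 0 <= offset < self.internal.num_addresses:
            raise ValueError(f"{internal_ip} is outside {self.internal}")
        ext = self.externals[offset // self.clients_per_external]
        base = self.low + (offset % self.clients_per_external) * self.ports_per_client
        return str(ext), base, base + self.ports_per_client - 1

    def reverse(self, external_ip, external_port):
        """Subscriber behind an observed (translation address, port), or None."""
        ext = ipaddress.ip_address(external_ip)
        slot = (external_port - self.low) // self.ports_per_client
        if ext not in self.externals or not 0 <= slot < self.clients_per_external:
            return None
        offset = self.externals.index(ext) * self.clients_per_external + slot
        if offset >= self.internal.num_addresses:
            return None
        return str(self.internal.network_address + offset)


if __name__ == "__main__":
    pool = LsnPoolSettings(members=["203.0.113.0/30"], backup_members=["203.0.113.4/32"])
    print(preflight(pool, "deterministic"), pba_capacity(pool))
    nat = DeterministicMap("10.0.0.0/24", pool)
    print(nat.forward("10.0.0.77"), nat.reverse("203.0.113.1", 14500))
```

With a /30 of translation addresses over ports 1024 to 65535 and a /24 of subscribers, each subscriber owns 1008 consecutive ports on one translation address, so an abuse report quoting 203.0.113.1 port 14500 resolves to 10.0.0.77 from the configuration alone; the same arithmetic is what makes a deterministic pool unable to absorb more subscribers than its port space allows.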
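The CSV Format caveat in steps 101 and 116 (addresses appear as ip,port,rtdom instead of ip%rtdom:port, and log types must not be mixed) is easiest to enforce at the collector. The following Python is an added example, not code from this page or from BIG-IP: it parses either address encoding into one (ip, port, route domain) tuple, detects which format a line uses, and rejects a batch that mixes them. The sample log lines, their key names and layout, and the use of '.' as the port separator after an IPv6 literal are assumptions made for the example; BIG-IP's actual message layout is not reproduced, and the CSV pattern covers dotted-quad addresses only.

```python
# Added example, not code from the F5 page or from BIG-IP: a SIEM-side
# normaliser for the two address encodings that the LSN and ALG log settings
# produce, ip%rtdom:port in the standard format and ip,port,rtdom when CSV
# Format is enabled. It refuses a batch that mixes both, which the doc warns
# against. The sample lines are constructed for this example and do not
# reproduce BIG-IP's real message layout; using '.' as the port separator
# after an IPv6 literal is an assumption.
import ipaddress
import re

# Standard form: ip%rtdom:port (IPv4) or ip%rtdom.port (IPv6). The lookbehind
# stops a match from starting inside a preceding key name.
STANDARD_TOKEN = re.compile(
    r"(?<!\w)(?P<ip>[0-9A-Fa-f:.]+)%(?P<rd>\d+)[:.](?P<port>\d+)")
# CSV form: ip,port,rtdom with a dotted-quad address.
CSV_TOKEN = re.compile(
    r"(?<![\d.])(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<port>\d{1,5}),(?P<rd>\d+)")


def parse_address(text):
    """Canonical (ip, port, route_domain) from either encoding, else ValueError."""
    text = text.strip()
    m = STANDARD_TOKEN.fullmatch(text) or CSV_TOKEN.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised address field: {text!r}")
    port = int(m["port"])
    if port > 65535:
        raise ValueError(f"port out of range in {text!r}")
    return str(ipaddress.ip_address(m["ip"])), port, int(m["rd"])


def detect_format(line):
    """'syslog', 'csv' or 'unknown' for one log line."""
    if STANDARD_TOKEN.search(line):
        return "syslog"
    if CSV_TOKEN.search(line):
        return "csv"
    return "unknown"


def ingest(lines):
    """Address tuples found in each line; raises if the batch mixes formats."""
    kinds = {detect_format(line) for line in lines} - {"unknown"}
    if len(kinds) > 1:
        raise ValueError(f"mixed log formats in one batch: {sorted(kinds)}")
    token = STANDARD_TOKEN if kinds == {"syslog"} else CSV_TOKEN
    return [[parse_address(m.group(0)) for m in token.finditer(line)]
            for line in lines]


# Constructed sample lines; the key names and layout are invented for the example.
SAMPLE_SYSLOG = [
    'lsn_event="LSN_ADD" client="10.0.0.77%0:50123" translated="203.0.113.1%0:14128"',
    'lsn_event="LSN_ADD" client="2001:db8::1%3.40000" translated="203.0.113.2%0:40000"',
]
SAMPLE_CSV = ["LSN_ADD,10.0.0.77,50123,0,203.0.113.1,14128,0"]
```

Keying every event on the canonical tuple, route domain included, is what keeps a search for a translation address correct when the same IP literal exists in two route domains; the mixed-batch check turns the documented "do not mix log types" rule into an ingestion error instead of silently misparsed fields.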