Manual Chapter:
Common elements for CGNAT and LSN tasks
Applies To:
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Analytics
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Link Controller
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Common elements for CGNAT and LSN tasks
- On the Main tab, click. The Virtual Servers list screen opens.
- Click Virtual Servers.
- On the Main tab, click. The Virtual Address List screen opens.
- On the Main tab, click. The Carrier Grade NAT screen opens.
- Select the Custom check box.
- Click Create.
- Click Delete.
- Click Finished.
- In the Settings area, select the Allow FTPS check box.
- On the Main tab, click. The FTP screen opens and displays a list of available FTP ALG profiles.
- On the Main tab, click. The SIP screen opens and displays a list of available SIP ALG profiles.
- On the Main tab, click. The RTSP screen opens and displays a list of available RTSP ALG profiles.
- On the Main tab, click. The PPTP screen opens and displays a list of available PPTP ALG profiles.
- On the Main tab, click. The IPsecALG screen opens and displays a list of available IPsecALG profiles.
- On the Main tab, click. The TFTP screen opens and displays a list of available TFTP ALG profiles.
- Type a name for the profile.
- In the Description field, type a description.
- From the Parent Profile list, select a parent profile.
- From the Publisher Name list, select a log publisher for high-speed logging of messages. If None is selected, the BIG-IP system uses the default syslog. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomicdb variable to false.
- From the Include Destination IP list, select whether to include the PPTP server's IP address in log messages.
  - Enabled: Includes the PPTP server's IP address in log messages for call establishment or call disconnect.
  - Disabled (default): Includes 0.0.0.0 as the PPTP server's IP address in log messages for call establishment or call disconnect.
- Select the Translate Extended check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol. The default is selected.
- Select the Inherit Parent Profile check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default. If this setting is disabled, the data channel uses FastL4 (BigProto) only.
- In the Data Port field, type a number for an alternate port. The default value for the FTP data port is 20.
- In the Maximum Size (Bytes) field, type a number to specify the maximum size, in bytes, for a SIP message. The default is 65535 bytes.
- Select the Terminate on BYE check box to close a User Datagram Protocol (UDP) connection when a BYE transaction finishes. The default is selected.
- Clear the Terminate on BYE check box. You must clear the Terminate on BYE check box for a TCP or UDP connection when the BIG-IP system functions as a SIP proxy, configuring the inbound SNAT and consolidating multiple calls into one server-side connection. Select the Terminate on BYE check box to improve performance only for a UDP connection where each client call comes from a unique IP address and no inbound SNATs are configured.
- Select the Dialog Aware check box to gather SIP dialog information and automatically forward SIP messages belonging to a known SIP dialog. The default is cleared.
- Select the Security check box to enable enhanced HSL security checking. The default is cleared.
- With the Dialog Aware check box selected, in the Community field, type a string that indicates whether the SIP virtual server-profile pair belongs to the same SIP proxy functional group.
- Configure the Insert Via Header settings.
- From the Insert Via Header list, select Enabled to insert a Via header in the forwarded SIP request. The default is Disabled.
- With the Insert Via Header setting enabled, in the User Via field, type the value that the system inserts as the top Via header in a SIP REQUEST message.
- Select the Secure Via Header check box to insert a secure Via header in the forwarded SIP request. The default is cleared.
- Select the Insert Record-Route Header check box to insert a Record-Route SIP header, which indicates the next hop for subsequent SIP request messages. The default is cleared.
- Configure the Application Level Gateway settings.
- From the Application Level Gateway list, select Enabled to provide options for defining ALG settings. The default is Disabled.
- From the RTP Proxy Style list, select one of the following settings.
  - Symmetric: Sends and receives media on the same port.
  - Restricted by IP address: Sends and receives media from specific IP addresses.
  - Any Location: Sends and receives media from any location.
- In the Dialog Establishment Timeout field, type an interval, in seconds, during which the system attempts to establish a peer-to-peer SIP relationship between two user agents, which facilitates sequencing of messages and proper routing of requests between the two user agents. The default is 10.
- In the Registration Timeout field, type the time, in seconds, that elapses before the SIP registration process expires. The default is 3600.
- In the SIP Session Timeout field, type the idle time, in seconds, after which the SIP session times out. The default is 300.
- In the Maximum Media Sessions field, type the maximum number of allowable sessions. The default is 6.
- In the Maximum Sessions Per Registration field, type the maximum number of allowable sessions per registration. The default is 50.
- In the Maximum Registrations field, type the maximum number of allowable registrations. The default is 100.
- Select the SIP Firewall check box to enable SIP firewall capability. The default is cleared.
- In the Idle Timeout field, type the number of seconds that an RTP connection can be idle before the connection is eligible for deletion. The default is 300 seconds.
- In the Maximum Header Size field, type the maximum size, in bytes, of an RTSP request or response header that the system allows before closing the connection. The default is 4096 bytes.
- In the Maximum Queued Data field, type the maximum amount of data, in bytes, that the BIG-IP system buffers before determining that the connection is unusable and closing it. The default value is 32768 bytes.
- Select the Unicast Redirect check box to specify that the client can select the destination port for the streamed data. The destination address for the data is the source of the request. The default is cleared.
- Select the Multicast Redirect check box to specify, for multicast streams, that the client has permission to supply a different destination IP address for the streamed data. The default is cleared.
- Select the Session Reconnect check box to specify that the system persists a resumed control connection to the correct server. Typical clients do not support this behavior. The default is cleared.
- Select the Real HTTP Persistence check box to specify that the system automatically persists Real Networks-tunneled RTSP data over HTTP, which is over the RTSP port.
- Select the Check Source check box to specify that the system examines the origin of the message to determine whether the message came from the client or the server. The default is selected.
- From the Proxy list, select an RTSP proxy configuration to associate with the RTSP profile. The default is None.
- In the Proxy Header field, type the value of a header that the system inserts into a SETUP request. The value of this header is typically information about the client IP address and is read by another RTSP profile. The default is blank. The system removes this header from the request before sending the request to the server for processing.
- In the RTP Port field, type the port number that a Microsoft Media Services server uses. The default is 0. You can specify Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) port numbers in the RTSP profile; they apply only when a client connects to a Windows Media server. If you configure RTP and RTCP port numbers, both values must be nonzero.
- In the RTCP Port field, type the port number that a Microsoft Media Services server uses. The default is 0. You can specify Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) port numbers in the RTSP profile; they apply only when a client connects to a Windows Media server. If you configure RTP and RTCP port numbers, both values must be nonzero.
- On the Main tab, click. The New PCP Profile screen opens.
- In the Idle Timeout field, type the number of seconds that a connection can be idle before the connection is eligible for deletion.
- In the Pending IKE Connection Limit field, type the maximum number of unacknowledged IKE connections that a client can send before being denied further requests.
- In the Initial Connection Timeout field, type the maximum number of seconds to wait for a response from the server to the IKE or IPsec request.
- On the Main tab, click. The LSN Pool List screen opens.
- Click the name of an LSN pool.
- Select an LSN pool from the list. The configuration screen for the pool opens.
- Click Create.
- In the Name field, type a unique name.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
- For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add. If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
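The deterministic-mode rule above (no member range may overlap another member's range) is easy to violate by hand, and the GUI only tells you after the fact. As an added example that is not part of the F5 manual, the following Python (standard library only) runs that overlap check on a proposed member list, and also checks a single new entry against the members already in the pool, so the check can be made before a configuration is pushed. The function names and the sample member lists are constructed for this illustration; the 10.10.10.0/24 and 10.10.10.0/23 pair is the one the manual cites.

```python
import ipaddress
from itertools import combinations


def parse_member(text):
    """Parse an LSN pool member written as address/prefix length.

    strict=False accepts entries whose host bits are set (as an operator
    might type them) and normalises them to the covering network.
    """
    return ipaddress.ip_network(text, strict=False)


def overlapping_members(members):
    """Return every pair of members whose address ranges overlap.

    A deterministic-mode pool must have no overlapping members, because the
    internal-to-external mapping is computed from the member ranges.  An
    empty result means the list is acceptable.
    """
    nets = [parse_member(m) for m in members]
    found = []
    for a, b in combinations(nets, 2):
        # overlaps() never reports an IPv4/IPv6 pair as overlapping; the
        # version test just makes that intent explicit.
        if a.version == b.version and a.overlaps(b):
            found.append((str(a), str(b)))
    return found


def can_add_member(existing, candidate):
    """Check one new entry against the members already in the pool.

    Returns (ok, conflicts), where conflicts lists the existing members the
    candidate would overlap.
    """
    cand = parse_member(candidate)
    conflicts = [
        m for m in existing
        if parse_member(m).version == cand.version and parse_member(m).overlaps(cand)
    ]
    return (not conflicts, conflicts)


if __name__ == "__main__":
    # Constructed sample: the overlapping pair the manual gives as its
    # example, plus a documentation range that overlaps neither.
    proposed = ["10.10.10.0/24", "10.10.10.0/23", "203.0.113.0/24"]
    for a, b in overlapping_members(proposed):
        print(f"overlap: {a} and {b}")
    ok, conflicts = can_add_member(["203.0.113.0/24"], "203.0.113.128/25")
    print("add 203.0.113.128/25:", "ok" if ok else f"conflicts with {conflicts}")
```

Run the check on the complete intended member list rather than on each entry in isolation; two entries that each pass against the current pool can still overlap each other.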
- From the Mode list, select an address translation mode.
- In the Configuration area, for the Persistence Mode setting, select Address.
- In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
- For the Member List setting, in the Address/Prefix Length field, type an address and a prefix length and click Add. In a NAT64 implementation, an example of an IPv6 member address and prefix is 203.0.113.0/24.
- For the Member List setting, in the Address/Prefix Length field, type an IPv4 address and a prefix length and click Add. In a NAT64 implementation, an example of an IPv4 member address and prefix is 203.0.113.0/24.
- Click Finished.
- Select NAPT for the pool's translation Mode.
- Select NAPT or Deterministic for the pool's translation Mode. NAPT mode provides standard address and port translation so that multiple clients share the same external address. Deterministic mode provides address translation that does not require logging the creation and deletion of every address mapping, while still allowing the internal client address to be determined from the external address, port, and destination address and port. Deterministic mode does not support DS-lite tunneling or NAT64.
- For the Mode setting, select Deterministic for the pool's translation. Note that deterministic mode does not support DS-lite tunneling or NAT64.
- For the Mode setting, select PBA for the pool's translation. Note that PBA mode for DS-lite is the same as for NAT44, except that all clients behind the DS-Lite tunnel are managed as one subscriber. Port block limits apply per DS-lite tunnel.
- From Persistence Mode, select whether to persist on Address or Address Port. This is the address mode the CGNAT module uses to track and store connection data.
- In the Persistence Timeout field, type the number of seconds before persisted connections time out. Typically, you want a Persistence Timeout value greater than the Block Idle Timeout value, to minimize the number of zombie port blocks.
- For the Port Block Allocation setting, specify your preferred PBA configuration.
- In the Block Size field, type the number of ports designated for a block.
- In the Block Lifetime field, type the number of seconds before a port block times out. If you type a timeout other than 0, you can also specify a Zombie Timeout. A Block Lifetime value that is less than the Persistence Timeout value minimizes the number of zombie port blocks. The default value of 0 specifies no lifetime limit and indefinite use of the port block.
- In the Block Idle Timeout field, type the number of seconds after which an idle port block times out. Typically, you want a Block Idle Timeout value less than the Persistence Timeout value, to minimize the number of zombie port blocks.
- In the Client Block Limit field, type the number of blocks that can be assigned to a single subscriber IP address.
- In the Zombie Timeout field, type the number of seconds before a zombie port block times out. A zombie port block is a timed-out port block with one or more active connections. The default value of 0 specifies no timeout and an indefinite zombie state for the port block, as long as connections remain active. A value other than 0 specifies a timeout, upon expiration of which existing connections are terminated and the port block is released and returned to the pool.
- If you want to ensure that messages are routed within the internal network, select Enabled from the Hairpin Mode list. Hairpinning routes a message back to its origin endpoint when the origin and destination endpoints are within the same subnetwork.
- Select Route Advertisement to make the LSN pool addresses available for advertisement via dynamic routing protocols. This setting benefits from the advanced routing module (ARM).
- If you want this pool to accept inbound connections, select Explicit or Automatic from the Inbound Connections list. To stop inbound connections, select Disabled.
- Select the ICMP Echo check box to enable responses to ICMP echo requests for translation addresses.
- From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomicdb variable to false.
- From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomicdb key to false. If all the remote high-speed log (HSL) destinations are down (unavailable), setting the logpublisher.atomicdb key to false does not cause the logs to be written to local syslog. The logpublisher.atomicdb key has no effect on local syslog.
- In the Log Settings area, from the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination. If you configure a log publisher, you must also configure a Logging Profile. If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomicdb variable to false.
- From the Log Publisher list, select the log publisher that sends formatted log messages to the local Syslog database on the BIG-IP system.
- In the Settings area, for the Idle Timeout setting, type the number of seconds a connection can carry no traffic before it becomes eligible for deletion. The default value is 30 seconds.
- Set the Port Range Low to specify the low end of the range of port numbers available for use within translation IP addresses.
- Set the Port Range High to specify the high end of the range of port numbers available for use within translation IP addresses.
- Set the Client Connection Limit to specify the maximum number of simultaneous connections translated for a client or subscriber.
- From the Egress list, select Enabled on egress to allow source address translation on a specified set of interfaces.
- Use the Egress Interfaces setting to specify the set of interfaces allowed for source address translation that you enabled or disabled in the previous step.
- In the Configuration area, for the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
- For deterministic mode, the Backup Member List must have at least one member, so type an address in the Address/Prefix Length field and click Add.
- From the PCP Profile list, select a pre-created PCP profile. If you have not yet created a customized profile, you can use the default PCP profile, pcp. The other two PCP-related settings become active.
- Type a self IP address or a DS-Lite tunnel where the virtual server's clients can send their PCP requests. You can use either field:
  - Use the PCP Server IP list to select one of the existing self IP addresses on the system, or
  - Use the PCP DS-LITE Tunnel Name - IPv6 list to select an existing DS-Lite tunnel.
  The virtual server's clients can send PCP requests to the self IP address or through the DS-Lite tunnel you selected.
- On the Main tab, click. The LSN profile list screen opens.
- On the Main tab, click. The LSN logging profiles screen opens.
- Click Create. The New LSN Logging Profile screen opens.
- In the Name field, type a unique name for the logging profile.
- In the Name field, type a unique name for the TFTP profile.
- For the Log Settings area, select the Custom check box.
- For the Settings area, select the Custom check box.
- Configure the log settings, as necessary.
- Optional: From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various LSN events.
- For the Log Settings area, select Enabled for the following settings, as necessary.
  - CSV Format: Generates log entries in comma-separated-values (CSV) format.
  - Start Outbound Session: Generates event log entries at the start of a translation event for an LSN client.
  - End Outbound Session: Generates event log entries at the end of a translation event for an LSN client.
  - Start Inbound Session: Generates event log entries at the start of an incoming connection event for a translated endpoint.
  - End Inbound Session: Generates event log entries at the end of an incoming connection event for a translated endpoint.
  - Quota Exceeded: Generates event log entries when an LSN client exceeds allocated resources.
  - Errors: Generates event log entries when LSN translation errors occur.
  - Subscriber ID: Allows for subscriber ID logging.
- For the Log Settings area, select Enabled for the following settings, as necessary.
  - CSV Format: Generates log entries in comma-separated-values (CSV) format.
  - Start Outbound Session: Generates event log entries at the start of a translation event for an LSN client.
  - End Outbound Session: Generates event log entries at the end of a translation event for an LSN client.
  - Start Inbound Session: Generates event log entries at the start of an incoming connection event for a translated endpoint.
  - End Inbound Session: Generates event log entries at the end of an incoming connection event for a translated endpoint.
  - Quota Exceeded: Generates event log entries when an LSN client exceeds allocated resources.
  - Errors: Generates event log entries when LSN translation errors occur.
  - Subscriber ID: Allows for subscriber ID logging.
  Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types; use only standard syslog formats.
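The CSV note above matters to whatever consumes LSN logs: a detection rule or subscriber-attribution query keyed on the standard ip%rtdom:port form silently stops matching the moment CSV format is enabled on a profile, and a mapping that cannot be looked up is a gap in the audit trail. As an added example that is not F5's code, the following Python normalises an endpoint field written in either representation into one structure, so a collector can accept both while profiles are being migrated. It handles IPv4 fields only; the sample values and the names Endpoint, parse_endpoint and is_valid_endpoint are constructed for this illustration.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A client or translated endpoint as it appears in an LSN log field."""
    ip: str
    port: int
    rtdom: int


# Standard syslog form: ip%rtdom:port (IPv4 only in this example).
_STANDARD = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})%(?P<rtdom>\d+):(?P<port>\d+)$"
)


def _build(ip, port, rtdom):
    """Validate the three components and build the normalised record."""
    addr = ipaddress.ip_address(ip)  # rejects malformed octets such as 300.1.1.1
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Endpoint(str(addr), port, int(rtdom))


def parse_standard(field):
    """Parse the ip%rtdom:port representation."""
    m = _STANDARD.match(field)
    if m is None:
        raise ValueError(f"not an ip%rtdom:port field: {field!r}")
    return _build(m["ip"], m["port"], m["rtdom"])


def parse_csv(field):
    """Parse the ip,port,rtdom representation produced when CSV Format is enabled."""
    parts = field.split(",")
    if len(parts) != 3:
        raise ValueError(f"not an ip,port,rtdom field: {field!r}")
    ip, port, rtdom = (p.strip() for p in parts)
    return _build(ip, port, rtdom)


def parse_endpoint(field):
    """Accept either representation and return the same Endpoint for both."""
    if "%" in field:
        return parse_standard(field)
    if "," in field:
        return parse_csv(field)
    raise ValueError(f"unrecognised endpoint field: {field!r}")


def is_valid_endpoint(field):
    """True when the field parses in either representation."""
    try:
        parse_endpoint(field)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample fields: the same endpoint in each representation.
    for sample in ("10.0.0.5%2:40000", "10.0.0.5,40000,2"):
        print(sample, "->", parse_endpoint(sample))
```

Because the two parsers return an identical Endpoint for the same mapping, downstream code can key on (ip, rtdom, port) regardless of which profile produced the line; a field that parses in neither form is surfaced as an error rather than dropped.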
- On the Main tab, click. The ALG logging profiles screen opens.
- On the Main tab, click. The ALG Logging screen opens.
- Click Create. The New ALG Logging Profile screen opens.
- Click Create. The New TFTP Profile screen opens.
- On the Main tab, click. The FTP screen opens.
- On the Main tab, click. The RTSP screen opens.
- Click the name of an FTP profile.
- Click the name of a SIP profile.
- Click the name of an RTSP profile.
- Click the name of a TFTP profile.
- Click the name of an IPsecALG profile.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events. If you configure a Logging Profile, you must also configure a Log Publisher.
- From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various TFTP events. If you configure a Logging Profile, you must also configure a Log Publisher.
- For the Log Settings area, select Enabled for the following settings, as necessary.
  - CSV Format: Generates log entries in comma-separated-values (CSV) format.
  - Start Control Channel: Generates event log entries at the start of a control channel connection for an ALG client.
  - End Control Channel: Generates event log entries at the end of a control channel connection for an ALG client.
  - Start Data Channel: Generates event log entries at the start of a data channel connection for an ALG client.
  - End Data Channel: Generates event log entries at the end of a data channel connection for an ALG client.
  - Inbound Transaction: Generates event log entries for ALG messages triggered by an inbound connection to the BIG-IP system.
- For the Log Settings area, select Enabled for the following settings, as necessary.
  - CSV Format: Generates log entries in comma-separated-values (CSV) format.
  - Start Control Channel: Generates event log entries at the start of a control channel connection for an ALG client.
  - End Control Channel: Generates event log entries at the end of a control channel connection for an ALG client.
  - Start Data Channel: Generates event log entries at the start of a data channel connection for an ALG client.
  - End Data Channel: Generates event log entries at the end of a data channel connection for an ALG client.
  - Inbound Transaction: Generates event log entries for ALG messages triggered by an inbound connection to the BIG-IP system.
  Enabling the CSV check box affects Splunk logs because IP addresses are shown as ip,port,rtdom instead of ip%rtdom:port. Do not mix log types; use only standard syslog formats.
- On the Main tab, click.
- Click Create. The New NAT Stats Profile screen opens.
- In the Settings area, from the Stats Tracking Level list, retain the default, Disabled, or select a level of reporting.
  - High: Includes the roll-up level of a translation-address, the persistence-entries metric for a roll-up level of an lsn-pool, and a fw-nat-source-translation object.
  - Medium: Includes the metrics for active-subscribers, cumulative-subscribers, and peak-subscribers.
  - Low: Includes all other statistics.
- For the Address Utilization, Port Utilization, and Error Threshold areas, retain the default settings or, as necessary, change them to appropriate values.
- Click Finished to save the new NAT Stats Profile.