Manual Chapter : About BIG-IP AFM NAT

Applies To:

Show Versions Show Versions


  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter


AFM NAT features

BIG-IP Advanced Firewall Manager (AFM) supports industry standard Network Address Translation (NAT) and Port Address Translation (PAT) functionality. AFM NAT provides a variety of static and dynamic NAT and PAT modes to help you translate and map IPv4 and IPv6 addresses between networks.
The terms translation and mapping may at times be used interchangeably or together. Specifically,
refers to modifying the source or destination IP address or service port of network packets, as they cross network boundaries.
refers to the recording or tracking of a successful translation. For example, without a translation mapping, AFM NAT will not know to which private address a public facing packet should be sent.
AFM NAT also provides a variety of additional features to help you control and monitor NAT mapping events.

Translation Address Persistence

Translation Address Persistence provides endpoint-independent address mapping, assigning the same external translation IP addresses to all connections originated by the same internal clients.

Proxy ARP and ICMP Echo requests

These requests respond to Proxy ARP requests or ICMP Echo requests for translated source IP addresses.

Route advertisements

Destination IP addresses configured in NAT Policy can be passed to the BIG-IP system's advanced routing module, and advertised to peer routers through dynamic routing protocols such as OSPF and BGP.

Deterministic mode

Deterministic mode uses reversible mapping to reduce the amount of log messages, while still maintaining the ability to discover translated IP address to assist with troubleshooting and compliance. Deterministic mode also provides an option to configure backup addresses.

Port block allocation

Port block allocation (PBA) mode reduces the amount of logging by creating log entries only when a subscriber first establishes a network connection. PBA mode assigns subscribers a single IP address and block of ports, and releases the block when no more connections are using it.

Event Logs viewer

AFM NAT can store NAT mapping events in the local MySQL database. Using the Configuration Utility, you can perform advanced searches based on NAT mapping time, IP addresses, and service ports.

Efficient logging

AFM NAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting, and compliance with law enforcement and legal constraints.M

About AFM, LTM, and CGNAT

The BIG-IP system can have up to three licensed NAT modules: AFM NAT, LTM NAT/SNAT, and CGNAT (Carrier Grade NAT). It is important to understand how these modules interact before you configure AFM NAT policies.
  • You can use AFM NAT on a system with LTM NAT/SNAT and CGNAT (Carrier-Grade NAT).
  • You can use AFM NAT policies with CGNAT policies when they are applied on the same virtual server.
  • You cannot apply AFM NAT policies to virtual servers when LTM SNAT pools or a CGNAT LSN-pools are applied to the virtual server. This extends to all contexts. For example, if a virtual server has an LTM SNAT pool or CGNAT LSN-pool applied at the route domain context, an AFM NAT policy cannot be applied to the virtual server context.

About AFM NAT policies and rules

AFM NAT policies are ordered lists of NAT rules that you apply to the global, route domain, or virtual server contexts. AFM NAT rules link packet matching criteria such as network protocol, IP address, and service port, to a NAT mapping type, such as Static-PAT. The NAT feature table provides a brief overview of these features.
NAT feature
Ordered lists of NAT rules that you apply to a BIG-IP system context.
Link packet matching criteria, such as source IP address, to a NAT mapping type, such as Static-PAT.
Translation objects
Specify the NAT mapping types, IP addresses and service ports used when translating packets traversing network boundaries.
Mapping types
The available NAT mapping types:
  • Static-NAT - Static 1:1 IP address mapping between the source and destination. Service ports are not translated.
  • Static-PAT - Static 1:1 IP address and service port mapping.
  • Dynamic-PAT - Dynamic IP address mapping using pools of IP addresses and service ports.

NAT policy and rule guidelines

It is important to understand these guidelines prior to implementing AFM NAT policies and rules.
NAT policies
AFM NAT policies are applied after AFM Network Firewall policies.
NAT rules
  • Overlapping IP addresses cannot be configured in a NAT rule. However, you can configure overlapping addresses between two dynamic PAT items when PAT mode is set to NAPT or PBA mode.
  • You can use only IPv6 or IPv4 address types in a single NAT rule (not a combination of both).

AFM NAT policy workflow

Creating a new NAT policy involves these steps:
  1. Creating the address and port lists used for packet matching.
  2. Creating the translation objects used for IP address and port mappings.
  3. Creating the logging profile to log mapping events.
  4. Creating the AFM NAT policy.
  5. Applying the NAT policy to a BIG-IP system context.