Manual Chapter: Applying a NAT Policy to a System Context
Applies To: BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
About AFM NAT policy contexts
AFM NAT policies are applied to the global, route domain, or virtual server contexts; however, address and port translation takes place at the virtual server level. For example, a NAT
policy applied to the global context applies to every virtual server, and a
NAT policy applied to a route domain context applies only to virtual servers residing in
that route domain.
BIG-IP AFM applies context precedence in this order:
- Virtual Server
- Route Domain
- Global
When you specify a NAT policy on a virtual server, you can configure the virtual server to use
either the route domain policy, the device policy, or both. Orders of precedence still apply,
and the most specific NAT policy is applied.
The AFM NAT inline rule editor provides an alternative way to create and edit rules within a context. In order for you to use the inline rule editor, a context must have a NAT policy applied.
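The precedence rules above, modeled in Python as an added example that is not F5 code: it resolves which NAT policy is in effect for each virtual server and which broader policies that choice overrides. The inventory, field names and policy names are constructed, and the handling of the two "use" options follows this page's description rather than any BIG-IP export format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class VirtualServer:
    # Hypothetical record layout, not a BIG-IP data structure.
    name: str
    route_domain: int
    nat_policy: Optional[str] = None   # policy set on the virtual server context
    use_route_domain: bool = True      # virtual server uses the route domain policy
    use_device: bool = True            # virtual server uses the device (global) policy

# Constructed sample inventory.
GLOBAL_POLICY: Optional[str] = "nat-global"
ROUTE_DOMAIN_POLICIES: Dict[int, Optional[str]] = {0: None, 10: "nat-rd10"}
VIRTUAL_SERVERS = [
    VirtualServer("vs_web", 0),
    VirtualServer("vs_app", 10),
    VirtualServer("vs_db", 10, nat_policy="nat-db"),
    VirtualServer("vs_iso", 0, use_device=False),
]

Result = Tuple[Optional[str], Optional[str], List[str]]

def effective_nat_policy(vs: VirtualServer,
                         rd_policies: Dict[int, Optional[str]],
                         global_policy: Optional[str]) -> Result:
    """Return (context, policy, overridden) for one virtual server.

    Candidates are listed most specific first: Virtual Server, Route Domain,
    Global. The first one present is applied; the rest are overridden.
    """
    candidates = [
        ("virtual-server", vs.nat_policy),
        ("route-domain", rd_policies.get(vs.route_domain) if vs.use_route_domain else None),
        ("global", global_policy if vs.use_device else None),
    ]
    present = [(ctx, pol) for ctx, pol in candidates if pol]
    if not present:
        return (None, None, [])        # no NAT policy reaches this virtual server
    ctx, pol = present[0]
    return (ctx, pol, [p for _, p in present[1:]])

def audit() -> Dict[str, Result]:
    """Resolve every virtual server in the constructed inventory."""
    return {vs.name: effective_nat_policy(vs, ROUTE_DOMAIN_POLICIES, GLOBAL_POLICY)
            for vs in VIRTUAL_SERVERS}

if __name__ == "__main__":
    for name, (ctx, pol, overridden) in audit().items():
        print(f"{name}: context={ctx} policy={pol} overrides={overridden}")
```

A result of `None` for the context marks a virtual server that no NAT policy reaches, which is worth reviewing before assuming the global policy covers it.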
Apply a NAT policy to the global context
You can apply an AFM NAT policy to the global context, providing NAT translation for matched traffic on all virtual servers on the
device.
You can override the global context by assigning a
policy to the route domain or virtual server context.
- On the Main tab, click.
- From the Context list, select Global.
- In the Policy list area, click Global. The Firewall Options page opens.
- In the Firewall NAT area, from the Network Address Translation list, select the NAT policy.
- Click Update.
Apply a NAT policy to a route domain context
You can apply an AFM NAT policy to the route domain context, providing NAT translation for matched traffic on all virtual servers in that route domain.
This NAT policy will override the global context. You can override this context by assigning a
NAT policy to the virtual server context.
- On the Main tab, click.
- From the Context list, select Route Domain.
- Next to Route Domain, select the route domain ID number from the list.
- In the Policy list area, click the Route Domain ID number. The Route Domain Security page opens.
- From the Network Address Translation list, select the NAT policy.
- Click Update.
Apply a NAT policy to a virtual server context
You can apply an AFM NAT policy to a virtual server context, providing NAT translation for matched traffic on that specific virtual server.
This NAT policy will override the global context and route domain contexts.
- On the Main tab, click.
- From the Context list, select Virtual Server.
- Next to Virtual Server, select the name of the virtual server from the list.
- In the Policy list area, click the virtual server name. The Virtual Server Security page opens.
- From the Network Address Translation list, select the NAT policy.
- Click Update.
Use the AFM NAT inline editor
Before you can use the AFM NAT inline editor, the context to be modified must have an associated NAT policy.
You can use the AFM NAT inline editor to modify existing NAT rules, or to add new rules to a policy.
- On the Main tab, click.
- From the Context list, select a context to edit. For route domain and virtual server contexts, a second setting opens, where you can select a specific route domain or virtual server.
- Click the Name of an existing rule to edit, or click Add Rule to add a new NAT rule to the policy.
- Once the NAT rule options are configured, click Done Editing. If the function of any rule option is unclear, refer to the section Creating an AFM NAT Policy.
- Click Commit Changes to System to apply the changes.