Manual Chapter : Creating an AFM NAT Policy

Applies To:


BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Creating an AFM NAT Policy

Create the NAT address list

You can create an address list containing single IP addresses, a range of IP addresses, or IP address subnets. The address list is used later when modifying or creating a NAT rule.
  1. On the Main tab, click Shared Objects > Address Lists.
  2. Click Create.
    A properties area opens on the right.
  3. Type a Name and Description.
  4. In Addresses, type an IPv4 or IPv6 IP address, range of IP addresses, or IP subnet.
    For example, ssh_admin_access, for administrative SSH access.
  5. Click Add.
  6. Repeat steps 4 and 5 to continue adding addresses to the address list.
  7. Click Save.
The new address list appears in the Address Lists area.
Next, you can create a port list to translate specific service ports.

Create the NAT port list

You can create a port list that contains one or more service ports. You can reference the new port list later when modifying or creating a NAT rule.
  1. On the Main tab, click Shared Objects > Port Lists.
  2. Click Create.
    A properties area opens on the right.
  3. Type a Name and optional Description.
  4. In the Ports field, type the service port number.
    For example, 22 for the SSH service.
  5. Click Add.
  6. Repeat steps 4 and 5 to continue adding ports to the port list.
  7. Click Save.
The new port list appears in the Port Lists area.
Next, you can create a source or destination translation object.

Create the NAT source translation object

You can create a NAT source translation object to specify source IP address and port translations. Reference the source translation object when modifying or creating a new NAT Policy.
  1. On the Main tab, click Security > Network Address Translation > Source Translation.
  2. Click Create.
    The Source Translation properties area opens on the right.
  3. Type a Name and optional Description.
  4. From the Type list, select a translation type, or mode.
  5. In the Addresses field, type an IP address, IP address range, or IP address subnet to be used for source IP translation.
  6. Click Add after each IP address entry.
  7. If you selected a PAT option, in the Ports field, type a service port, or range of service ports to be used for source service port translation.
    This option is not available when Static-NAT is the selected translation mode.
  8. From ICMP Echo, select whether to enable or disable responses to ICMP Echo requests for translated source IP addresses.
  9. From the Proxy ARP list, select whether to enable or disable responding to ARP requests for translated source IP addresses.
  10. From the Route Advertisement list, select whether to enable or disable advertising routes for translated source IP addresses using the BIG-IP system's advanced routing modules.
  11. From the Egress Interfaces list, select whether source IP address translation is allowed on a specific VLAN or tunnel:
    • Enabled on - Source address translation is allowed on the selected interface or tunnel.
    • Disabled on - Source address translation is not allowed on the selected interface or tunnel.
  12. Click Save.
The new source translation object appears in the Source Translation Object list.

Create the NAT destination translation object

You can create a NAT destination translation object to specify destination IP address and service port translations. Reference the Destination Translation object when modifying or creating a new NAT Policy.
  1. On the Main tab, click Security > Network Address Translation > Destination Translation.
  2. Click Create.
    The Destination Translation properties area opens on the right.
  3. Type a Name and optional Description.
  4. From the Type list, select a translation type, or mode.
  5. In the Addresses field, type an IP address, IP address range, or IP address subnet to be used for destination IP translation.
  6. Click Add after each IP address entry.
  7. If you selected the Static-PAT option, in the Ports field, type a service port, or range of service ports to be used for destination service port translation.
  8. Click Save.
The new destination translation object appears in the destination translation object list.

Create the NAT policy

Create a NAT policy that includes one or more NAT rules to provide translation for source and destination IP address and service ports.
  1. On the Main tab, click Security > Network Address Translation > Policies.
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. Type a Name and optional Description.
  4. Click Add Rule to add a new NAT rule to the policy.
  5. For the new rule, type a Name and an optional Description.
  6. From the State list, select Enabled or Disabled.
  7. From the Protocol list, select a protocol.
    To view the most popular protocols such as TCP or ICMP, scroll to the top of the list.
  8. In the Source field, specify the matching IP address and service port criteria for source fields in the packet, and click Add.
    While you can type an IP address, range of IP addresses, IP subnet, port, or range of ports, F5 recommends associating address lists and port lists to simplify administration.
    You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  9. In the Destination field, specify the matching IP address and service port criteria for destination fields in the packet, and click Add.
    While you can type an IP address, range of IP addresses, IP subnet, port, or range of ports, F5 recommends associating address lists and port lists to simplify administration.
    You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  10. From the Translated Source list, select the appropriate source translation object.
  11. From the Translated Destination list, select the appropriate destination translation object.
  12. From the Log Profile list, select a logging profile to apply to the NAT rule.
  13. Click Done Editing.
  14. To add another rule, repeat steps 4 through 13.
  15. At the top of the page, click Commit Changes to System.
    The page displays the new NAT policy.
You have created a NAT policy that contains one or more NAT rules.
You can now apply the NAT policy to one of the BIG-IP system contexts or access points.
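The following is an added illustrative model, not F5 code and not the BIG-IP AFM implementation, of the shared objects and rule criteria built in the address list, port list and NAT policy procedures above. It parses the three address forms an Addresses field accepts (single address, range, subnet) and the two port forms a Ports field accepts, enforces the rule-level constraint that a single NAT rule cannot mix IPv4 and IPv6 address types, and selects the rule that a packet's protocol, source and destination criteria match. The object names, the `snat_pool_outbound` translation object, the sample addresses and the first-match ordering are assumptions for the example.

```python
"""Illustrative model of AFM NAT shared objects and rule matching (added example, not F5 code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_address_entry(text: str) -> list:
    """Parse one Addresses-field entry: a single IP, an 'a-b' range, or a CIDR subnet."""
    text = text.strip()
    if "-" in text:  # IPv4/IPv6 literals never contain '-', so this must be a range
        lo_s, hi_s = (part.strip() for part in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError(f"range {text!r} mixes IPv4 and IPv6")
        if hi < lo:
            raise ValueError(f"range {text!r} ends before it starts")
        # A range is summarized into the CIDR blocks that cover it exactly
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False accepts a host address with a prefix length as its containing subnet
    return [ipaddress.ip_network(text, strict=False)]


def parse_port_entry(text: str) -> Tuple[int, int]:
    """Parse one Ports-field entry: a single port such as '22' or a range such as '1024-65535'."""
    lo_s, _, hi_s = text.strip().partition("-")
    lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port entry {text!r}")
    return lo, hi


@dataclass
class AddressList:
    name: str
    networks: list

    @classmethod
    def from_entries(cls, name: str, entries: List[str]) -> "AddressList":
        nets: list = []
        for entry in entries:
            nets.extend(parse_address_entry(entry))
        return cls(name, nets)

    def families(self) -> set:
        return {n.version for n in self.networks}

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks)  # False across IP versions


@dataclass
class PortList:
    name: str
    ranges: List[Tuple[int, int]]

    @classmethod
    def from_entries(cls, name: str, entries: List[str]) -> "PortList":
        return cls(name, [parse_port_entry(e) for e in entries])

    def contains(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)


@dataclass
class NatRule:
    name: str
    protocol: str                                 # 'tcp', 'udp', 'icmp' or 'any'
    source: AddressList
    destination: AddressList
    translated_source: Optional[str] = None       # name of a source translation object
    translated_destination: Optional[str] = None  # name of a destination translation object
    source_ports: Optional[PortList] = None       # None means any port
    destination_ports: Optional[PortList] = None
    enabled: bool = True

    def __post_init__(self) -> None:
        # The manual's constraint: one NAT rule may not mix IPv4 and IPv6 address types
        if len(self.source.families() | self.destination.families()) > 1:
            raise ValueError(f"rule {self.name!r} mixes IPv4 and IPv6 address types")

    def matches(self, protocol: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        if not self.enabled or self.protocol not in ("any", protocol.lower()):
            return False
        if not (self.source.contains(src_ip) and self.destination.contains(dst_ip)):
            return False
        if self.source_ports and not self.source_ports.contains(src_port):
            return False
        return not self.destination_ports or self.destination_ports.contains(dst_port)


def first_match(rules: List[NatRule], protocol, src_ip, src_port, dst_ip, dst_port) -> Optional[NatRule]:
    """Assumed ordering: rules are evaluated in policy order and the first match wins."""
    for rule in rules:
        if rule.matches(protocol, src_ip, src_port, dst_ip, dst_port):
            return rule
    return None


# Constructed sample objects mirroring the procedure (not from any real deployment)
INTERNAL_CLIENTS = AddressList.from_entries("internal_clients", ["10.0.0.0/8"])
SSH_ADMIN_ACCESS = AddressList.from_entries("ssh_admin_access", ["192.0.2.10", "192.0.2.20-192.0.2.29"])
SSH_PORTS = PortList.from_entries("ssh", ["22"])
POLICY = [
    NatRule("snat_admin_ssh", "tcp", INTERNAL_CLIENTS, SSH_ADMIN_ACCESS,
            translated_source="snat_pool_outbound",  # hypothetical source translation object
            destination_ports=SSH_PORTS),
]

if __name__ == "__main__":
    hit = first_match(POLICY, "tcp", "10.1.2.3", 40000, "192.0.2.25", 22)
    print("matched rule:", hit.name if hit else None)
```

Running the block matches an internal TCP client connecting to port 22 on an address inside the `192.0.2.20-192.0.2.29` range against the `snat_admin_ssh` rule, while UDP traffic, other destination ports and sources outside the address list fall through with no match; constructing a rule whose source list is IPv4 and destination list is IPv6 is rejected at creation time, which is the check the GUI applies when you mix address types in one rule.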