Manual Chapter : Deploying a Carrier Grade NAT

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1
Manual Chapter

Deploying a Carrier Grade NAT

Overview: The carrier-grade NAT (CGNAT) module

The carrier-grade network address translation (CGNAT) module on the BIG-IP system supports large groups of translation addresses using large-scale NAT (LSN) pools and grouping of address-translation-related options in an ALG profile, which can be assigned to multiple virtual servers. It also has the ability to match virtual servers based on client address to destination addresses and ports. Other characteristics of the CGNAT module are listed here.
CGNAT is NAT only. If you want deploy DNS services, you need a BIG-IP DNS license.

Translation address persistence

The CGNAT module can assign the same external (translation) address to all connections originated by the same internal client. For example, providing endpoint-independent address mapping.

Automatic external inbound connection handling

CGNAT can accept inbound external connections to active translation address/port combinations to facilitate endpoint-independent filtering as described in section 5 of
RFC 4787
. This is also known as a full-cone NAT.

More efficient logging

CGNAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting and compliance with law enforcement/legal constraints.

Network address and port translation

Network address and port translation (NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router.

Deterministic assignment of translation addresses

Deterministic mode is an option used to assign translation address, and is port-based on the client address/port and destination address/port. It uses reversible mapping to reduce logging, while maintaining the ability for translated IP address to be discovered for troubleshooting and compliance with regulations. Deterministic mode also provides an option to configure backup-members.

Port block allocation of translation addresses

Port block allocation (PBA) mode is an option that reduces logging, by logging only the allocation and release of a block of ports. When a subscriber sends a translation request, the BIG-IP system services the request from a block of ports that is assigned to a single IP address, and only logs the allocation and release of that block of ports. The BIG-IP system applies subsequent requests from the service provider to that block of ports until all ports are used.

Licensing

Designed for service providers, the CGNAT module is offered as a stand-alone license or as an add-on license for Local Traffic Manager (LTM) and Policy Enforcement Manager (PEM).

Task summary

About ALG Profiles

Application Layer Gateway (ALG) profiles provide the CGNAT with protocol and service functionality that modifies the necessary application protocol header and payload, thus allowing these protocols to seamlessly traverse the NAT. FTP, RTSP, SIP, and PPTP profiles that are supported with ALG profiles, and added to the CGNAT configuration as needed.
An FTP, RTSP, or SIP profile can use an Automap, NAPT, DNAT, or PBA address translation mode when providing necessary logging.

About CGNAT translation address persistence and inbound connections

The BIG-IP system enables you to manage RFC-defined behavior for translation address persistence and inbound connections.

Translation Address Persistence

When you configure an LSN pool, the CGNAT Persistence Mode setting assigns translation endpoints in accordance with the selected configuration mode: NAPT, Deterministic NAT (DNAT), or Port Block Allocation (PBA). It is important to note that this CGNAT translation address persistence is different from the persistence used in the BIG-IP Local Traffic Manager (LTM) load balancing.
CGNAT translation address persistence
uses a selected translation address, or endpoint, across multiple connections from the same subscriber address, or endpoint.
The BIG-IP system provides three Persistence Mode settings (
None
,
Address
, and
Address Port
) for each configuration mode.
Persistence Mode
Description
None
Translation addresses are not preserved for the subscriber. Each outbound connection might receive a different translation address. This setting provides the lowest overhead and highest performance.
Address
CGNAT preserves the translation address for the subscriber. When a connection is established, CGNAT determines if this subscriber already has a translation address. If the subscriber already has a translation address, then CGNAT uses the translation address stored in the persistence record, and locates a port for that connection. If no port is available, then CGNAT selects a different address. This setting provides greater overhead on each connection and less performance.
DNAT reserves both addresses and ports for a subscriber; however, persistence might still be of value when a subscriber's deterministic mappings span two translation addresses. In this instance, persistence prefers the same address each time.
Address Port
CGNAT preserves the translation address and port of the subscriber's connection, so that the endpoint can be reused on subsequent connections. This setting provides Endpoint Independent Mapping (EIM) behavior. Additionally, like the
Address
setting for
Persistence Mode
, this setting provides greater overhead on each connection and less performance.

Inbound Connections

The Inbound Connections setting determines whether the Large Scale NAT (LSN) allows connections to be established inbound to the LSN subscriber or client. This setting provides greater overhead, including a lookup on inbound entries for each connection to prevent endpoint overloading, and a reduction in the use of the translation space.
When you disable inbound connections, the BIG-IP system provides greater efficiency in address space utilization by allowing endpoint overloading, where two different subscribers can use the same translation address and port, as long as each subscriber connects to a different host.
When you enable inbound connections, the BIG-IP system restricts the use of a translation address and port to a single subscriber, and ensures that only one subscriber address and port uses a translation endpoint.
Because DNAT reserves addresses and ports for a subscriber, no endpoint overloading between subscribers occurs, but a single subscriber's traffic can leverage overloading. Inbound connections restrict this behavior. For DNAT, increased restriction from inbound connections might occur when fewer ports per subscriber are available. With inbound connections enabled, the ratio of subscriber ports to translation endpoints for a subscriber is 1:1.

About IPv6 prefixes

IPv6 128-bit addresses include a network prefix in the leftmost fields, and subnet in the remaining fields. For example, an IPv6 address of
2001:0db8:0000:0000:0000:0000:0000:0000
with a 32-bit prefix equates to a network of
2001:0db8
, written as
2001:db8::/32
. A network written as
2001:db8::/32
omits leading zeros in four-digit groups, uses
::
to indicate collapsed zero groups, and uses
/32
to indicate the 32-bit prefix.

About IPv4 prefixes

IPv4 32-bit addresses include a network prefix in the leftmost fields, and a host identifier in the remaining fields. For example, an address of
192.168.1.0/24
includes the prefix of the IPv4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing.

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click
    Carrier Grade NAT
    LSN Pools
    .
    The LSN Pool List screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name.
  4. In the Configuration area, for the
    Persistence Mode
    setting, select
    Address
    or
    Address Port
    .
  5. For the
    Member List
    setting, type an address and a prefix length in the
    Address/Prefix Length
    field, and click
    Add
    .
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix
    10.10.10.0/24
    overlaps
    10.10.10.0/23
    .
  6. Click
    Finished
    .

Configuring an ALG profile

An ALG profile provides the CGNAT module with protocol and service information to make specified packet modifications to the IP and TCP/UDP headers, as well as the payload during translation.
Edit only copies of the included ALG profiles to avoid unwanted propagation of settings to other profiles that use the included profiles as parents.
  1. On the Main tab, click
    Carrier Grade NAT
    ALG Profiles
    .
  2. In the ALG Profiles menu, click an ALG profile.
  3. Click
    Create
    .
    The New Profile screen opens.
  4. Type a name for the new profile.
  5. From the
    Parent Profile
    list, ensure that the correct parent profile is selected as the new profile.
  6. Select the
    Custom
    check box on the right.
  7. Configure the profile settings.
  8. Click
    Finished
    to save the new ALG profile.
You now have an ALG profile for use by CGNAT.

Configuring a CGNAT iRule

You create iRules to automate traffic forwarding for XML content-based routing. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to an LSN pool, a node, or virtual server.
  1. On the Main tab, click
    Carrier Grade NAT
    iRules
    .
    The iRule List screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a 1 to 31 character name, such as
    cgn_https_redirect_iRule
    .
  4. In the
    Definition
    field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (
    http://devcentral.f5.com
    ).
  5. Click
    Finished
    .
You now have an iRule to use with a CGNAT virtual server.

Creating a virtual server for an LSN pool

Virtual servers are matched based on source (client) addresses. Define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click
    Carrier Grade NAT
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, select
    Performance (Layer 4)
    .
  5. For a network, in the
    Destination Address/Mask
    field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    0.0.0.0/0
    , and an IPv6 address/prefix is
    ::/0
    .
  6. In the
    Service Port
    field, type
    *
    or select
    * All Ports
    from the list.
  7. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    . Then, for the
    VLANs and Tunnels
    setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the
    Available
    list to the
    Selected
    list.
  8. For the
    LSN Pool
    setting, select the pool that this server will draw on for translation addresses.
  9. In the Resources area of the screen, for the
    iRules
    setting, select the name of the iRule that you want to assign and using the Move button, move the name from the
    Available
    list to the
    Enabled
    list.
  10. Click
    Finished
    .
The custom CGNAT virtual server now appears in the CGNAT Virtual Servers list.

Creating a CGNAT tunnel

Many translations use tunneling to move TCP/UDP traffic where the payload is other IP traffic. You can create and configure a tunnel for use with an LSN pool.
  1. On the Main tab, click
    Carrier Grade NAT
    Tunnels
    .
    The Tunnels screen opens.
  2. Click
    Create
    .
    The New Tunnel screen opens.
  3. In the
    Name
    field, type a unique name for the tunnel.
  4. In the
    Local Address
    field, type the IP address of the BIG-IP system.
  5. From the
    Remote Address
    list, retain the default selection,
    Any
    .
    This entry means that you do not have to specify the IP address of the remote end of the tunnel, which allows multiple devices to use the same tunnel.
  6. Click
    Finished
    .
Your CGNAT tunnel is ready to use as an egress interface in an LSN Pool.

Configuring a NAT Stats profile

You can configure a NAT Stats profile to provide statistics to help with troubleshooting, proactive monitoring, and future planning.
  1. On the Main tab, click
    Carrier Grade NAT
    NAT Stats Profile
    .
  2. Click
    Create
    .
    The New Nat Stats Profile screen opens.
  3. In the
    Name
    field, type a unique name.
  4. From the
    Parent Profile
    list, select a parent profile.
  5. In the
    Description
    field, type a description.
  6. In the Settings area, from the
    Stats Tracking Level
    list, retain the default,
    Disabled
    , or select a level of reporting.
    Setting
    Description
    High
    Includes the roll-up-level of a translation-address, the metric persistence-entries for a roll-up-level of an lsn-pool, and a
    fw-nat-source-translation-object
    .
    Medium
    Includes the metrics for active-subscribers, cumulative-subscribers, and peak-subscribers.
    Low
    Includes all other statistics.
  7. Click
    Finished
    to save the new NAT Stats Profile.