Manual Chapter :
Using NAT44 to Translate IPv4 Addresses
Applies To:
Show Versions
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1
Using NAT44 to Translate IPv4 Addresses
Overview: NAT44
For the BIG-IP system CGNAT module, NAT44 is the NAT type that maps IPv4
subscriber private addresses to IPv4 Internet public addresses. Translation addresses and ports
are set in LSN pools. The CGNAT module performs NAT44 translations for all IP traffic.
Diagram of a NAT44 network
About CGNAT hairpinning
An optional feature on the BIG-IP system,
hairpinning
routes
traffic from one subscriber's client to an external address of another subscriber's server, where
both client and server are located in the same subnet. To each subscriber, it appears that the
other subscriber's address is on an external host and on a different subnet. The BIG-IP system
can recognize this situation and send, or hairpin, the message back to the origin subnet so that
the message can reach its destination.In order for hairpinning to function properly, the subscriber VLAN must be
configured as an egress interface on the LSN pool. If the subscriber VLAN is not configured as an
egress interface on the LSN pool, hairpinning fails.
At present hairpinning works with
all BIG-IP CGNAT scenarios except NAT64.
Creating an LSN pool
The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
- On the Main tab, click .The LSN Pool List screen opens.
- ClickCreate.
- In theNamefield, type a unique name.
- In the Configuration area, for thePersistence Modesetting, selectAddressorAddress Port.
- For theMember Listsetting, type an address and a prefix length in theAddress/Prefix Lengthfield, and clickAdd.If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix10.10.10.0/24overlaps10.10.10.0/23.
- ClickFinished.
Creating a virtual server for an LSN pool
Virtual servers are matched based on source (client) addresses. Define a virtual
server that references the CGNAT profile and the LSN pool.
- On the Main tab, click .The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, selectPerformance (Layer 4).
- For a network, in theDestination Address/Maskfield, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is0.0.0.0/0, and an IPv6 address/prefix is::/0.
- In theService Portfield, type*or select* All Portsfrom the list.
- From theVLAN and Tunnel Trafficlist, selectEnabled on. Then, for theVLANs and Tunnelssetting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from theAvailablelist to theSelectedlist.
- For theLSN Poolsetting, select the pool that this server will draw on for translation addresses.
- In the Resources area of the screen, for theiRulessetting, select the name of the iRule that you want to assign and using the Move button, move the name from theAvailablelist to theEnabledlist.
- ClickFinished.
The custom CGNAT virtual server now appears in the CGNAT Virtual Servers
list.
Configuring an ALG
profile
An ALG profile provides the CGNAT module with
protocol and service information to make specified packet modifications to the IP and
TCP/UDP headers, as well as the payload during translation.
Edit only
copies of the included ALG profiles to avoid unwanted propagation of settings to
other profiles that use the included profiles as parents.
- On the Main tab, click .
- In the ALG Profiles menu, click an ALG profile.
- ClickCreate.The New Profile screen opens.
- Type a name for the new profile.
- From theParent Profilelist, ensure that the correct parent profile is selected as the new profile.
- Select theCustomcheck box on the right.
- Configure the profile settings.
- ClickFinishedto save the new ALG profile.
You now have an ALG profile for use by CGNAT.
Configuring a CGNAT
iRule
You create iRules to automate traffic forwarding
for XML content-based routing. When a match occurs, an iRule event is triggered, and the
iRule directs the individual request to an LSN pool, a node, or virtual
server.
- On the Main tab, click .The iRule List screen opens.
- ClickCreate.
- In theNamefield, type a 1 to 31 character name, such ascgn_https_redirect_iRule.
- In theDefinitionfield, type the syntax for the iRule using Tool Command Language (Tcl) syntax.For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
- ClickFinished.
You now have an iRule to use with a CGNAT virtual server.
