Manual Chapter: Managing NAT Policies and Translations

Applies To: BIG-IQ Centralized Management 7.0.0

About NAT policies and translations

You can use network address translation (NAT) policies to translate network addresses. A NAT policy contains rules, and each rule references NAT source translations and NAT destination translations.
You associate a NAT policy with a firewall context by adding it to the NAT Policy property of the firewall context.
You can discover a NAT policy on a BIG-IP device version 12.1 or later, or create one on a BIG-IQ Centralized Management system and then deploy it to a BIG-IP device version 12.1 or later.
When you view differences that include NAT policy changes to the global context, those changes appear under the global-device-context object rather than the global object.

Create a NAT policy

You create a NAT policy to hold rules that reference NAT source translations and NAT destination translations.
  1. Go to the NAT Policies screen: click Configuration > SECURITY > Network Security > Network Address Translation > NAT Policies.
  2. Click Create.
    The New NAT Policy screen opens with the Properties displayed.
  3. Type a name for the NAT policy in the Name field.
  4. Type an optional description for the NAT policy in the Description field.
  5. If needed, change the default Common partition in the Partition field.
  6. On the left, click Rules and then click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  7. Click the edit icon to the left of the rule name to edit the default rule properties.
  8. Complete the rule fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing one of the available options.
  9. Save your changes.
The NAT policy is now defined and can be assigned to a firewall context.

NAT rule properties

This table lists and describes the properties required when configuring NAT policy rules. These rules are similar to the rules used in firewall policies, but have a different set of properties.

Name: Unique, user-provided name for the rule, and optionally a description.

Address (Source) or Address (Destination): Source or destination address or addresses. Select the type of address from the list:
  • Address. Type a single address in the Address field and then click Add to the right of the address field to add it.
  • Address List. In the Address field, select the address list. Alternatively, in the Shared Objects area at the bottom, you can select Address Lists to list those available, and then drag one to the Address column.
  • Address Range. Type the beginning address in the first Address Range field and the ending address in the second Address Range field, and then click Add.

Port (Source) or Port (Destination): Source or destination port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field, and then click Add.
  • Port List. Select the name of the port list. Alternatively, in the Shared Objects area at the bottom, you can select Port Lists to list those available, and then drag one to the Port column.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field, and then click Add.

Proxy ARP (Destination): Select enabled to accept proxy ARP requests for destination translation addresses, or disabled to not accept proxy ARP requests for destination translation addresses.

Route Advertisement (Destination): Select enabled to enable route advertisement to the dynamic routing protocols configured in the route domain, or disabled to disable route advertisement.

Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the list, or select Other to specify an unlisted protocol.

NAT Source Translation: Type the name of a NAT source translation. Alternatively, in the Shared Objects area at the bottom, you can select NAT Source Translations to list those available, and then drag one to the NAT Source Translation column.

NAT Destination Translation: Type the name of a NAT destination translation in the field. Alternatively, in the Shared Objects area at the bottom, you can select NAT Destination Translations to list those available, and then drag and drop one into the NAT Destination Translation column.

Log Profile: Enter the name of a logging profile in the field. This logging profile must already be defined using Logging Profiles in Shared Security, and should be pinned to the BIG-IP device using the Shared Security pinning policy.

State: Specify whether the rule is enabled or disabled. The field is updated.
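The following Python is an added example, not code from the BIG-IQ documentation or from F5. It models how the match criteria in the table above (a single Address, an Address List, an Address Range, a Port, a Port List, a Port Range, the Protocol, and the rule State) decide which NAT source translation and NAT destination translation apply to a packet. The `NatRule` and `Packet` classes, the first-enabled-match-wins evaluation order, and the sample policy and packets are constructed assumptions of this model, not a description of BIG-IP behaviour.

```python
"""Simplified model of NAT policy rule matching (added example, not BIG-IQ code).

Assumptions of this model: rules are evaluated in order and the first enabled
matching rule wins; a criterion left as None matches anything. Address ranges
and port ranges are given as (start, end) tuples, lists as Python lists.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple, Union

# Address criterion: single address/CIDR (str), Address List (list of str),
# Address Range (inclusive (start, end) tuple), or None for "any".
AddressMatch = Union[str, Sequence[str], Tuple[str, str], None]
# Port criterion: single port, Port List (list of int), Port Range (tuple), or None.
PortMatch = Union[int, Sequence[int], Tuple[int, int], None]


def address_matches(crit: AddressMatch, addr: str) -> bool:
    """True if addr satisfies the address criterion."""
    if crit is None:
        return True
    a = ip_address(addr)
    if isinstance(crit, tuple):                       # Address Range, inclusive
        return ip_address(crit[0]) <= a <= ip_address(crit[1])
    if isinstance(crit, str):                         # single Address or CIDR
        return a in ip_network(crit, strict=False)
    return any(a in ip_network(c, strict=False) for c in crit)   # Address List


def port_matches(crit: PortMatch, port: int) -> bool:
    """True if port satisfies the port criterion."""
    if crit is None:
        return True
    if isinstance(crit, tuple):                       # Port Range, inclusive
        return crit[0] <= port <= crit[1]
    if isinstance(crit, int):                         # single Port
        return port == crit
    return port in crit                               # Port List


@dataclass(frozen=True)
class Packet:
    protocol: str        # "tcp", "udp", "icmp", ...
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


@dataclass
class NatRule:
    name: str
    src_addr: AddressMatch = None
    dst_addr: AddressMatch = None
    src_port: PortMatch = None
    dst_port: PortMatch = None
    protocol: Optional[str] = None          # None matches any protocol
    source_translation: Optional[str] = None
    destination_translation: Optional[str] = None
    enabled: bool = True                    # the rule's State

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and (self.protocol is None or self.protocol == pkt.protocol)
                and address_matches(self.src_addr, pkt.src_addr)
                and address_matches(self.dst_addr, pkt.dst_addr)
                and port_matches(self.src_port, pkt.src_port)
                and port_matches(self.dst_port, pkt.dst_port))


def first_match(rules: Sequence[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Return the first enabled rule that matches, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


# Constructed sample policy (names and addresses are made up for the example).
POLICY = [
    NatRule("web-inbound", dst_addr="203.0.113.10", dst_port=443, protocol="tcp",
            destination_translation="dnat-web-443"),
    NatRule("branch-outbound", src_addr=("10.10.0.1", "10.10.0.254"),
            src_port=(1024, 65535), protocol="tcp", source_translation="snat-branch"),
    NatRule("dns-outbound", src_addr=["10.10.0.0/24", "10.20.0.0/24"],
            dst_port=[53], protocol="udp", source_translation="snat-dns"),
    NatRule("disabled-catchall", source_translation="snat-any", enabled=False),
]


def translations_for(pkt: Packet):
    """(rule name, source translation, destination translation) or None if no rule matches."""
    rule = first_match(POLICY, pkt)
    if rule is None:
        return None
    return (rule.name, rule.source_translation, rule.destination_translation)


if __name__ == "__main__":
    sample = Packet("tcp", "10.10.0.50", "192.0.2.1", 50000, 80)
    print(translations_for(sample))
```

Note that the disabled catch-all rule never fires, so a packet that matches no enabled rule gets no translation at all; when checking a policy, it is worth confirming that each rule's State is what you intend before deploying it to a BIG-IP device.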

Create NAT source translations

You create NAT source translations to use within a network address translation policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Source Translations.
  2. Click Create.
    The New NAT Source Translations screen opens.
  3. Type a name for the NAT source translations in the Name field.
  4. In the Description field, type an optional description for the NAT source translations.
  5. If needed, change the default Common partition in the Partition field.
  6. From the Type list, specify the type of address translation to use.
    The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
    • Select Dynamic PAT for dynamic network port and address translation.
  7. If you selected Static NAT for the Type, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X next to the address or address range.
    ICMP Echo: Select enabled to make ICMP echoes available, or disabled to make ICMP echoes unavailable.
    Proxy ARP: Select enabled to accept proxy ARP requests for source translation addresses, or disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement: Select enabled to enable route advertisement, or disabled to disable route advertisement.
    Egress Interfaces area: Specify whether the source address is translated for egressing network traffic, and on what interfaces, such as the /Common/http-tunnel interface.
    • Select Disabled on to disable source address translation for the specified interfaces, and then select the check box for each interface to be disabled.
    • Select Enabled on to enable source address translation for the specified interfaces, and then select the check box for each interface to be enabled.
  8. If you selected Static PAT for the Type, fill in the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Select enabled to make ICMP echoes available, or disabled to make ICMP echoes unavailable.
    Proxy ARP: Select enabled to accept proxy ARP requests for source translation addresses, or disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement: Select enabled to enable route advertisement, or disabled to disable route advertisement.
    Egress Interfaces area: Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
  9. If you selected Dynamic PAT for the Type, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Select enabled to make ICMP echoes available, or disabled to make ICMP echoes unavailable.
    Proxy ARP: Select enabled to accept proxy ARP requests for source translation addresses, or disabled to not accept proxy ARP requests for source translation addresses.
    Route Advertisement: Select enabled to enable route advertisement, or disabled to disable route advertisement.
    PAT Mode: Specify the port address translation mode. The mode you select determines what additional properties are available.
    • Select NAPT (default).
    • Select Deterministic.
    • Select Port Block Allocation.
    Inbound Mode: Specify the inbound mode.
    • Select None to disable inbound mode.
    • Select Endpoint Independent Filtering to use endpoint independent filtering.
    Mapping: Specify the mapping to use. For all mappings, the default timeout value is 300 seconds and can be modified. The range is 0 to 31536000 seconds.
    • Select None to disable mapping.
    • Select Endpoint Independent Mapping to use endpoint independent mapping.
    • Select Address Pooling Paired to use paired address pooling.
    Client Connection Limit: Enter the maximum number of client connections allowed. The default is 0, which indicates no connection limit.
    Port Block Allocation: Specify numeric values for one or more of the following fields; by default no value is set:
    • Block Idle Timeout. The range is 30 to 31536000 seconds.
    • Block Life Time. The range is 0 to 31536000 seconds.
    • Block Size. Must be 1 or greater, and less than or equal to the number of ports in the port range.
    • Client Block Limit. Must be 1 or greater.
    • Zombie Timeout. Must be 0 to 31536000 seconds.
    This property is available when the PAT mode is set to Port Block Allocation.
    Hairpin mode: Enables or disables hairpinning for incoming connections to active translation endpoints (address/port combinations). Specify the hairpin mode.
    • Select enabled to enable hairpin mode.
    • Select disabled to not enable hairpin mode.
    This property is available for all PAT modes.
    Backup Addresses: Add one or more backup IP addresses by typing them and then clicking the + button. Remove them by clicking the X button next to the address. This property is available when the PAT mode is set to Deterministic.
    Egress Interfaces area: Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
    PCP: Specify the PCP profile to use.
    • In the Profile setting, select the PCP profile to use.
    • Specify either a self IP or a DS-Lite tunnel where PCP requests can be sent.
      • Select Self IP, and then select a self IP address.
      • Select DSlite, and then select a DS-Lite tunnel.
    DS-Lite tunnels cannot be created by BIG-IQ® Centralized Management. You must create them on the BIG-IP® device and then import them to BIG-IQ Centralized Management.
  10. Save your work.
The NAT source translations are now defined, and you can assign them to a rule used by a NAT policy.
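The following Python is an added example, not code from the BIG-IQ documentation or from F5. It models a Dynamic PAT source translation in Port Block Allocation mode: it validates the numeric limits that the Port Block Allocation fields and the Client Connection Limit setting document (Block Size between 1 and the number of ports in the range, Client Block Limit of at least 1, and the timeout ranges), then shows how a client's connections draw from the port block it holds and how the Client Block Limit and Client Connection Limit cap what one client can consume. The `PortBlockAllocation` and `DynamicPatPba` classes, the allocation order, and the sample addresses are constructed assumptions of this model; the timeouts are validated but not simulated, so the model never releases a port.

```python
"""Model of Dynamic PAT in Port Block Allocation mode (added example, not
BIG-IQ or BIG-IP code). Data structures and allocation order are modelling
assumptions; timeouts are validated but not simulated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SECONDS = 31_536_000          # upper bound documented for the timeout fields


@dataclass
class PortBlockAllocation:
    block_size: int                            # 1 .. number of ports in the port range
    client_block_limit: int                    # 1 or greater
    block_idle_timeout: Optional[int] = None   # 30 .. 31536000 seconds when set
    block_lifetime: Optional[int] = None       # 0 .. 31536000 seconds when set
    zombie_timeout: Optional[int] = None       # 0 .. 31536000 seconds when set


def validate_pba(pba: PortBlockAllocation, port_range: Tuple[int, int]) -> List[str]:
    """Return the list of violated constraints (empty when the settings are valid)."""
    lo, hi = port_range
    ports_in_range = hi - lo + 1
    errors = []
    if not 1 <= pba.block_size <= ports_in_range:
        errors.append(f"block size {pba.block_size} must be between 1 and {ports_in_range}")
    if pba.client_block_limit < 1:
        errors.append("client block limit must be 1 or greater")
    if pba.block_idle_timeout is not None and not 30 <= pba.block_idle_timeout <= MAX_SECONDS:
        errors.append("block idle timeout must be 30 to 31536000 seconds")
    if pba.block_lifetime is not None and not 0 <= pba.block_lifetime <= MAX_SECONDS:
        errors.append("block lifetime must be 0 to 31536000 seconds")
    if pba.zombie_timeout is not None and not 0 <= pba.zombie_timeout <= MAX_SECONDS:
        errors.append("zombie timeout must be 0 to 31536000 seconds")
    return errors


class DynamicPatPba:
    """Port-block allocator over a set of translation addresses and one port range."""

    def __init__(self, addresses: List[str], port_range: Tuple[int, int],
                 pba: PortBlockAllocation, client_connection_limit: int = 0):
        errors = validate_pba(pba, port_range)
        if errors:
            raise ValueError("; ".join(errors))
        self.pba = pba
        self.client_connection_limit = client_connection_limit   # 0 means no limit
        lo, hi = port_range
        # Carve the port range of every translation address into fixed-size blocks,
        # recorded as (address, first port); blocks are handed out in this order.
        self.free_blocks: List[Tuple[str, int]] = [
            (addr, first) for addr in addresses
            for first in range(lo, hi - pba.block_size + 2, pba.block_size)
        ]
        # Per client: blocks held as (address, first port, ports used so far).
        self.client_blocks: Dict[str, List[Tuple[str, int, int]]] = {}
        self.connections: Dict[str, int] = {}   # active connections per client

    def allocate(self, client: str) -> Optional[Tuple[str, int]]:
        """Translate a new connection from client; None when a limit is hit or ports run out."""
        count = self.connections.get(client, 0)
        if self.client_connection_limit and count >= self.client_connection_limit:
            return None
        blocks = self.client_blocks.setdefault(client, [])
        # Prefer a block the client already holds that still has a spare port.
        for i, (addr, first, used) in enumerate(blocks):
            if used < self.pba.block_size:
                blocks[i] = (addr, first, used + 1)
                self.connections[client] = count + 1
                return (addr, first + used)
        # Otherwise take a fresh block, unless the client is at its block limit.
        if len(blocks) >= self.pba.client_block_limit or not self.free_blocks:
            return None
        addr, first = self.free_blocks.pop(0)
        blocks.append((addr, first, 1))
        self.connections[client] = count + 1
        return (addr, first)

    def blocks_held(self, client: str) -> List[Tuple[str, int, int]]:
        """Blocks a client owns as (address, first port, last port)."""
        return [(addr, first, first + self.pba.block_size - 1)
                for addr, first, _ in self.client_blocks.get(client, [])]


def demo() -> Tuple[DynamicPatPba, List[Optional[Tuple[str, int]]]]:
    """Constructed scenario: one translation address, 16 ports in blocks of 4,
    at most 2 blocks and 6 connections per client."""
    pba = PortBlockAllocation(block_size=4, client_block_limit=2,
                              block_idle_timeout=3600, block_lifetime=0, zombie_timeout=0)
    pat = DynamicPatPba(["203.0.113.5"], (1024, 1039), pba, client_connection_limit=6)
    results = [pat.allocate("10.10.0.7") for _ in range(9)]
    return pat, results


if __name__ == "__main__":
    pat, results = demo()
    for r in results:
        print(r)
    print("blocks held:", pat.blocks_held("10.10.0.7"))
```

In the constructed scenario the first six connections from 10.10.0.7 are translated to 203.0.113.5 ports 1024 through 1029 (the first block 1024-1027 fills before the second block 1028-1031 is taken) and the remaining three are refused by the Client Connection Limit; with no connection limit the same client would instead be stopped by the Client Block Limit after its two blocks are full. Sizing the block size and block limit this way is what bounds how much of the shared port range any single client can consume.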

Creating NAT destination translations

You create NAT destination translations to use within a NAT policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Destination Translations.
  2. Click Create.
    The NAT Destination Translations - New Item screen opens.
  3. Type a name for the NAT destination translations in the Name field.
  4. In the Description field, type an optional description for the NAT destination translations.
  5. If needed, change the default Common partition in the Partition field.
  6. From the Type list, select the type of address translation to use. The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
  7. If you selected Static NAT or Static PAT for the Type setting, supply values for the Addresses setting.
    • Add one or more addresses or address ranges by typing them in, and then clicking the + button.
    • Remove an address or address range by clicking the X button next to it.
  8. If you selected Static PAT from the Type list, supply values for the Ports setting.
    • Add one or more ports or port ranges by typing them in, and then clicking the + button.
    • Remove a port or port range by clicking the X button next to it.
  9. Click Save to save the NAT destination translations, or click Save & Close to save them and return to the NAT Destination Translations screen.
The NAT destination translations are now defined and can be assigned to a rule used by a NAT policy.