Manual Chapter : BIG-IP Reference Guide v4.5:Address Translation: SNATs, NATs, and IP Forwarding

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.9, 4.5.0


10

Address Translation: SNATs, NATs, and IP Forwarding


Introducing address translation

The BIG-IP system uses address translation and forwarding in various ways to make nodes accessible that would otherwise be hidden on its internal VLAN.

  • A virtual server translates the destination address of an inbound packet from its own address (the virtual server's) to the address of the node to which it load balances the packet. It then translates the origin address of the reply back to its own address so the originating host will not try to address the member node directly. This translation is basic to the way the virtual server works in most configurations and it is enabled by default.
  • You can configure a SNAT (Secure Network Address Translation) or NAT (Network Address Translation) to give a node that is a member of a load balancing pool a routable address as an origin address for purposes of generating its own outbound traffic. A SNAT can be configured manually, or automatically using the SNAT auto-map feature.
  • You can configure a forwarding virtual server to expose selected nodes to the external network.
  • You can configure IP forwarding globally to expose all internal nodes to the external network.

For more information on enabling address translation for virtual servers, see Chapter 6, Virtual Servers. The following sections describe how to configure SNATs, NATs, and IP forwarding.

SNATs

A secure network address translation (SNAT) provides a routable alias IP address that a node can use as its source IP address when making connections to clients on the external network. Unlike a network address translation (NAT), a SNAT does not accept inbound traffic, and this is where its security lies. When you define a SNAT, you can use it in any of the following ways:

  • Assign a single SNAT address to a single node
  • Assign a single SNAT address to multiple nodes
  • Enable a SNAT for a VLAN

Note that a SNAT address does not necessarily have to be unique; for example, it can match the IP address of a virtual server.

The attributes you can configure for a SNAT are shown in Table 10.1.

 

| Attributes | Description |
|---|---|
| Global SNAT properties | Before you configure a SNAT, you can configure global properties for all SNATs on the BIG-IP system. Configuring global properties for a SNAT is optional. |
| Manual SNAT mapping | You can define a specific translation address to be mapped to an individual host. |
| SNAT automapping | You can configure a BIG-IP system to automatically map a translation address. |

 

Setting SNAT global properties

The SNAT feature supports three global properties that apply to all SNAT addresses:

  • Connection limits
    The connection limit applies to each node that uses a SNAT.
  • TCP idle connection timeout
    This timer defines the number of seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected.
  • UDP idle connection timeout
    This timer defines the number of seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. This value should not be set to 0.

To configure SNAT global properties using the Configuration utility
  1. In the navigation pane, click SNATs.
    The SNATs screen opens.
  2. In the Connection Limit box, type the maximum number of connections you want to allow for each node using a SNAT.
  3. To turn connection limits off, set the limit to 0.
  4. In the TCP Idle Timeout box, type the number of seconds that TCP connections initiated by a node using a SNAT are allowed to remain idle.
  5. In the UDP Idle Timeout box, type the number of seconds that UDP connections initiated by a node using a SNAT are allowed to remain idle. This value should not be set to 0.
  6. Click the Apply button.

To configure SNAT global properties from the command line

Configuring global properties for a SNAT requires that you enter three bigpipe commands. The following command sets the maximum number of connections you want to allow for each node using a SNAT.

b snat limit <value>

The following commands set the TCP and UDP idle connection timeouts:

b snat timeout tcp <seconds>

b snat timeout udp <seconds>

When adding a default SNAT for an active-active configuration, see Adding automapped SNATs for active-active configurations.


Configuring a SNAT manually

Once you have configured the SNAT global properties, you can manually configure SNAT address mappings. When you map a SNAT manually, you specify a particular translation IP address that you want the BIG-IP system to assign from any of the following:

  • One or more specified node addresses
  • One or more VLANs
  • A combination of specified node addresses and VLANs
  • All node addresses (known as a default SNAT)

Note that a SNAT address does not necessarily have to be unique; for example, it can match the IP address of a virtual server. A SNAT address cannot match an address already in use by a NAT or another SNAT address.

The following sections describe how to add a default SNAT and how to add a SNAT manually for individual node addresses, VLANs, or a combination of both.


Adding a default SNAT manually

If you do not want to configure a SNAT for each individual node, you can manually create a default SNAT. When you add a default SNAT, you are directing the BIG-IP system to map every node on the internal network to a default translation address.

Note


The following procedures do not apply to active-active configurations. For information on how to add a default SNAT for an active-active configuration, see Adding automapped SNATs for active-active configurations.

To add a default SNAT manually using the Configuration utility
  1. In the navigation pane, click NATs.
    The NATs screen displays.
  2. Click the SNATs tab.
  3. Click the Add Default button.
    The Add Default SNAT screen opens.
  4. In the Translation Address field, select the IP button, and type the IP address that you want the BIG-IP system to assign as a translation address.
  5. Click Done.

To add a default SNAT manually from the command line

Use the following syntax to manually define the default SNAT. If you use the netmask parameter and it is different from the external interface default netmask, the command sets the netmask and derives the broadcast address.

b snat map default to <snat_ip> \
[vlan <vlan_name> disable|enable] \
[netmask <ip>]


Adding a SNAT for individual node addresses and VLANs

If you do not want to add a default SNAT, you can add a SNAT for any individual node address or VLAN. The following procedures describe how to manually add a SNAT.


To manually add a SNAT using the Configuration utility

The Configuration utility allows you to define one SNAT for one or more original IP addresses, where the original IP address can be either a specific node address or a VLAN name.

  1. In the navigation pane, click NATs.
    The NATs screen displays.
  2. Click the SNATs tab.
  3. Click the Add button.
    The Add SNAT screen opens.
  4. In the Translation Address field, select the IP button, and type the IP address that you want the BIG-IP system to assign as a translation address.
  5. Type each node's IP address into the Original Address: box and move the address to the Current List: box, using the right arrows (>>). Also, verify that the option choose appears in the VLAN box.
  6. If you want to map the translation address from a VLAN, select the VLAN name from the VLAN box and move the selection to the Current List: box, using the right arrows (>>).
  7. Click Done.

To add a manual SNAT from the command line

The bigpipe snat command defines one SNAT for one or more original IP addresses, where the original IP address can be either a specific node address or a VLAN name. To manually add a SNAT using the bigpipe snat command, use the following syntax.

b snat map <orig_ip>... to <snat_ip>

For example, to define a SNAT for two specific nodes:

b snat map 192.168.75.50 192.168.75.51 to 192.168.100.10

To define a SNAT for two internal VLANs:

b snat map internal1 internal2 to 192.168.102.11

To define a SNAT for both a node address and a VLAN:

b snat map 192.168.75.50 internal2 to 192.168.100.12


To create individual SNAT addresses

Use the following command-line syntax to create a SNAT mapping:

b snat map <orig_ip> [...<orig_ip>] to \
<snat_ip> [vlan <vlan_name> disable | enable] [unit <unit ID>] [netmask <ip>]

If the netmask is different from the external interface default netmask, the command sets the netmask and derives the broadcast address.


Configuring SNAT automapping

The BIG-IP system includes a feature called SNAT automapping. When you map a SNAT automatically, rather than manually, you enable the BIG-IP system to choose the translation IP address. You also enable the BIG-IP system to map that translation address from any of the following:

  • One or more specified node addresses
  • One or more VLANs
  • A combination of specific node addresses and VLANs
  • All node addresses (known as a default SNAT)

SNAT automapping eliminates the need for you to specifically define an IP address as the translation address.

The SNAT automapping feature is useful in the following cases:

  • Where there is a need to ensure that outbound traffic returning through ISPs or NAT-less firewalls returns through the same ISP or firewall.
  • Where a traditional single SNAT address would quickly exhaust the number of ephemeral ports available. As long as there is more than one eligible self IP address, SNAT automapping can increase the number of simultaneous connections possible by using the same ephemeral port on multiple addresses.
  • When the equivalent of a default SNAT, that is, a SNAT that continues to work in the event of a failure in one BIG-IP system, is required for BIG-IP units in active-active mode. (The conventional default SNAT does not work in active-active mode.)

Adding an automapped default SNAT

The BIG-IP system allows you to take advantage of the SNAT automapping feature when adding a default SNAT. When you add a default SNAT, you are enabling the BIG-IP system to map every node on the internal network to a default translation address. With the automapping feature, you do not need to define a specific translation address to which all nodes on the network will be mapped.


To add the automapped default SNAT using the Configuration utility
  1. In the navigation pane, click NATs.
    The NATs screen displays.
  2. Click the SNATs tab.
  3. Click the Add Default button.
    The Add Default SNAT screen opens.
  4. Click the Automap button.
  5. Click Done.

To add the automapped default SNAT from the command line

To add a default SNAT using the automapping feature, type the bigpipe snat command as follows:

b snat map default to auto

Note


A default SNAT cannot be added for an active-active configuration. For more information, see Adding automapped SNATs for active-active configurations.

Adding automapped SNATs for standard (active-standby) configurations

When enabling SNAT automapping for VLANs, the BIG-IP system handles the SNATs in the following ways:

  • If you create a SNAT on an internal VLAN, a SNAT is performed on any connection made from that VLAN.
  • If you enable snat automap on a single self IP address, the translation address is that self IP address.
  • If you enable snat automap on more than one self IP address (implying more than one IP network), the following rules apply:
    • If the connection is handled by a non-forwarding virtual server, the translation address is the self IP address that matches the IP network of the node selected by load balancing.
    • If the connection is handled by a forwarding virtual server or no virtual server, the translation address is the self IP address that matches the IP network of the next hop to the destination.
    • If there are no self addresses that match the IP network of the node or the next hop, any self IP address on the VLAN is eligible.
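
The selection rules above, written out as an added example (not F5 code): the function returns the self IP addresses that are eligible as the translation address for one connection. The prefix lengths, the `handled_by` labels and the sample addresses are assumptions of this example; the page lists self IP addresses without netmasks.

```python
import ipaddress


def automap_candidates(self_ips, handled_by, node=None, next_hop=None):
    """Return the self IPs eligible as the SNAT translation address.

    self_ips   -- "address/prefix" strings for the self IP addresses that
                  have snat automap enabled (prefix lengths are assumed)
    handled_by -- "virtual"    : non-forwarding virtual server
                  "forwarding" : forwarding virtual server
                  "none"       : no virtual server
                  (labels are this example's own, not bigpipe keywords)
    node       -- node chosen by load balancing (used for "virtual")
    next_hop   -- next hop to the destination (used otherwise)
    """
    ifaces = [ipaddress.ip_interface(s) for s in self_ips]
    if not ifaces:
        raise ValueError("no self IP address has snat automap enabled")

    # One automap-enabled self IP: that address is the translation address.
    if len(ifaces) == 1:
        return [str(ifaces[0].ip)]

    # Several self IPs: match on the node's network for a non-forwarding
    # virtual server, otherwise on the next hop's network.
    reference = node if handled_by == "virtual" else next_hop
    if reference is not None:
        ref_ip = ipaddress.ip_address(reference)
        matches = [str(i.ip) for i in ifaces if ref_ip in i.network]
        if matches:
            return matches

    # No self IP shares a network with the node or next hop:
    # any automap-enabled self IP on the VLAN is eligible.
    return [str(i.ip) for i in ifaces]


# Constructed sample: two self IPs on different IP networks, /8 assumed.
SELF_IPS = ["10.0.0.1/8", "11.0.0.1/8"]

if __name__ == "__main__":
    # Outbound connection leaving through the router at 11.0.0.254
    print(automap_candidates(SELF_IPS, "forwarding", next_hop="11.0.0.254"))
    # Load-balanced connection to a node on the 10.x network
    print(automap_candidates(SELF_IPS, "virtual", node="10.1.1.1"))
    # Next hop on neither network: both self IPs remain eligible
    print(automap_candidates(SELF_IPS, "none", next_hop="172.16.16.1"))
```

Because the next hop decides the source address, replies to a connection sent through one router come back to a self IP on that router's network, which is the return-path property the ISP and NAT-less firewall case relies on.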

To add a SNAT using the automapping feature, you must complete two procedures:
  • Enable the snat automap attribute on any self IP addresses.
  • Add the SNAT, specifying the Automap feature.

The following sections explain these procedures.


To enable the snat automap attribute on a self IP address from the command line

When you enable automapping to add a SNAT, the translation address that the BIG-IP system maps to an individual node or a VLAN is the self IP address. Thus, prior to enabling automapping for the node or VLAN, you must enable the snat automap attribute on the self IP address. This is done from the command line, using the following syntax:

b self <self IP address> snat automap enable

For example, if you have the two self IP addresses 192.168.217.14 and 192.168.217.15, the following commands enable the snat automap attribute on those self IP addresses:

b self 192.168.217.14 snat automap enable

b self 192.168.217.15 snat automap enable

Later, when you add a SNAT using automapping, the BIG-IP system maps either of those self IP addresses to the original node (or VLAN) that you specify.

As another example, the following command enables the snat automap attribute on the self IP address 10.0.0.1, for the VLAN named external:

b self 10.0.0.1 vlan external snat automap enable

For more information, see To add an automapped SNAT from the command line.


To add an automapped SNAT using the Configuration utility

The Configuration utility allows you to define one SNAT for one or more original IP addresses, where the original IP address can be either a specific node address or a VLAN name.

  1. In the navigation pane, click NATs.
    The NATs screen displays.
  2. Click the SNATs tab.
  3. Click the Add button.
    The Add SNAT screen opens.
  4. In the Translation Address area, click the Automap button.
  5. If you want to map the translation address from one or more specific nodes, enter each node's IP address into the Original Address: box and move the address to the Current List: box, using the right arrows (>>). Also, verify that the option choose appears in the VLAN box.
  6. If you want to map the translation address to a VLAN, select the VLAN name from the VLAN box and move the selection to the Current List: field, using the right arrows (>>).
  7. Click Done.

To add an automapped SNAT from the command line

The bigpipe snat command defines one SNAT for one or more original IP addresses, where the original IP address can be either a specific node address, or a VLAN name.

For example, to define an automapped SNAT for two individual node addresses:

b snat map 10.1.1.1 10.1.1.2 to auto

In the preceding example, the translation address to which the nodes 10.1.1.1 and 10.1.1.2 will be mapped is the self IP address, assuming that you enabled the snat automap attribute on that self IP address prior to using the bigpipe snat command. For more information, see To enable the snat automap attribute on a self IP address from the command line.

To define an automapped SNAT for a VLAN named internal:

b snat map internal to auto

To define an automapped SNAT for both a node address and a VLAN:

b snat map 192.168.75.50 internal2 to auto

Note


When adding automapped SNATs, you must also enable the snat automap attribute on the self IP address that the BIG-IP system will use as the translation address. For more information, see To enable the snat automap attribute on a self IP address from the command line.

Adding automapped SNATs for active-active configurations

In the case where you want to add a default SNAT for an active-active configuration, you cannot create the standard default SNAT described earlier in this section. Instead, you must create the equivalent of a default SNAT.

To create the equivalent of a default SNAT, it is necessary to assign each unit its own floating self IP address on the external VLAN. This is done for the same reason that separate aliases are assigned to the internal network as part of routine active-active setup. Because you already have a floating self IP address for the external interface that is configured as belonging to unit one on unit one and unit two on unit two, the procedure to create two unit-specific IP aliases is as follows.


To create two unit-specific SNATs
  1. On unit one, ensure that two floating self IP addresses are configured for unit one. For example:

    b self 11.11.11.3 vlan internal unit 1 floating enable

    b self 172.16.16.3 vlan external unit 1 floating enable

  2. Also on unit one, ensure that two floating self IP addresses are configured for unit two. For example:

    b self 11.11.11.4 vlan internal unit 2 floating enable

    b self 172.16.16.4 vlan external unit 2 floating enable

  3. Ensure that unit two has all of these self IP addresses by using the config sync command to synchronize the changes to unit two:

    b config sync all

  4. Set up SNAT automapping as you would for an active/standby system, but enable both external aliases:

    b self 172.16.16.3 vlan external snat automap enable

    b self 172.16.16.4 vlan external snat automap enable

    b snat map internal to auto


ISPs and NAT-less firewalls

The BIG-IP system handles ISPs and NAT-less firewalls in the following manner:

  • If multiple external interfaces are available, the inside addresses of the firewalls in the load balancing pool may each be connected to different interfaces and assigned to different VLANs.
  • A SNAT is then enabled on each VLAN.
  • A SNAT must also be enabled on the internal VLAN.

    For example, if the internal VLAN is named internal and the external VLANs are named external1 and external2, you would type the following commands:

    b snat map internal to auto

    b snat map external1 to auto

    b snat map external2 to auto

  • If multiple external interfaces are not available, the ISP routers or firewalls are assigned to different IP networks. This will already be the case for ISPs.
  • For firewalls, the separate IP address ranges must be established on the inside and outside interfaces of each firewall. The separate networks are then assigned separate self addresses, for example, 10.0.0.1 and 11.0.0.1.

    Thus, if the internal and external VLANs are named internal and external, you would type the following commands:

    b self 10.0.0.1 vlan external snat automap enable

    b self 11.0.0.1 vlan external snat automap enable

    b snat map internal to auto


Disabling SNATs for a pool

When configuring a pool, you can specifically disable SNAT or NAT translations on any connections that use that pool. By default, this setting is enabled.


Disabling ARP requests

By default, the BIG-IP system responds to ARP requests for the SNAT address and sends a gratuitous ARP request for router table update. If you want to disable the SNAT address for ARP requests, you must specify arp disable.


Configuring a cache server

To ensure that a cache server or remote origin server responds to the BIG-IP system rather than to the original cache server that generated the missed request, the BIG-IP system also translates the source of the missed request to the translated address and port of the associated SNAT connection.

In order to enable these scenarios, you must:

  • Create a SNAT for each cache server
    The SNAT translates the address of a packet from the cache server to the address you specify. For more information about SNATs, see SNATs.
  • Create a SNAT auto-mapping for bounceback
    You must now configure a second SNAT mapping, in this case with the SNAT automap feature, so that when requests are directed to the origin server, the server will reply through the BIG-IP system and not directly to the client. (If the BIG-IP system replied directly to the client, the next request would then go directly to the origin server, removing the BIG-IP system from the loop.) For more information about SNAT automapping, see Configuring SNAT automapping.

Additional SNAT configuration options

The following procedures allow you to further configure SNATs.


To delete SNAT addresses

The following syntax deletes a specific SNAT:

b snat <snat_ip> | default delete


To show SNAT mappings

The following bigpipe command shows mappings:

b snat [<snat_ip> ...] show

b snat default show

The value of the <snat_ip> variable can be either the translated or the original IP address of the SNAT, or a SNAT-enabled VLAN name.

The following command shows the current SNAT connections:

b snat [<snat_ip> ...] dump [ verbose ]

b snat default dump [ verbose ]

The optional verbose keyword provides more detailed output.

The following command prints the global SNAT settings:

b snat globals show


To enable mirroring for redundant systems

The following example sets SNAT mirroring for all SNAT connections originating at 192.168.225.100:

b snat 192.168.225.100 mirror enable


To clear statistics

You can reset statistics by node address, SNAT address, or VLAN name. Use the following syntax to clear all statistics for one or more nodes:

b snat <node_ip> ... stats reset

Use the following syntax to clear all statistics for one or more SNAT addresses:

b snat <snat_ip> ... stats reset

Use the following command to reset the statistics to zero for the default:

b snat default stats reset

NATs

A network address translation (NAT) provides a routable alias IP address that a node can use as its source IP address when making or receiving connections to clients on the external network. (This distinguishes it from a SNAT, which can make outbound connections but refuses inbound connections.) You can configure a unique NAT for each node address included in a virtual server mapping.

Note


Note that NATs do not support port translation, and are not appropriate for protocols that embed IP addresses in the packet, such as FTP, NT Domain or CORBA IIOP. You cannot define any NATs if you configure a default SNAT.

Table 10.2 shows the attributes you can configure for a NAT.

 

| NAT Attributes | Description |
|---|---|
| Original address | The original address is the node IP address of a host that you want to be able to connect to through the NAT. |
| Translated address | The translated address is an IP address that is routable on the external network of the BIG-IP system. This IP address is the NAT address. |
| Disabled VLAN list | VLANs to which the NAT is not to be mapped can be explicitly disabled, as when there is more than one internal VLAN. |
| Unit ID | You can specify a unit ID for a NAT if the BIG-IP system is configured to run in active-active mode. |

 

The IP addresses that identify nodes on the BIG-IP system internal network need not be routable on the external network. This protects nodes from illegal connection attempts, but it also prevents nodes (and other hosts on the internal network) from receiving direct administrative connections, or from initiating connections to clients, such as mail servers or databases, on the BIG-IP external interface.

Using network address translation resolves this problem. Network address translations (NATs) assign to a particular node a routable IP address that the node can use as its source IP address when connecting to servers on the BIG-IP external interface. You can use the NAT IP address to connect directly to the node through the BIG-IP system, rather than having the BIG-IP system send you to a random node according to the load balancing mode.

Note


In addition to these options, you can set up forwarding virtual servers that allow you to selectively forward traffic to specific addresses. The BIG-IP system maintains statistics for forwarding virtual servers.

Defining a network address translation (NAT)

When you define standard network address translations (NATs), you need to create a separate NAT for each node that requires a NAT. You also need to use unique IP addresses for NAT addresses; a NAT IP address cannot match an IP address used by any virtual or physical servers in your network. You can configure a NAT with the Configuration utility or from the command line.


To configure a NAT using the Configuration utility
  1. In the navigation pane, click NATs.
    The NATs screen opens.
  2. Click the Add button.
    The Add NAT screen opens.
  3. In the Add NAT screen, fill in the fields to configure the NAT.
  4. Click Done.

To configure a NAT from the command line

A NAT definition maps the IP address of a node <orig_addr> to a routable address on the external interface <trans_addr>. Use the following syntax to define a NAT:

b nat <orig_addr> to <trans_addr> [vlans <vlan_list> disable | enable] [unit <unit ID>]

The vlans <vlan_list> parameter is used to disable the specified VLANs for translation. By default, all VLANs are enabled.

Use the unit <unit ID> parameter to specify the BIG-IP system to which this NAT applies in an active-active redundant system.

The following example shows a NAT definition:

b nat 10.10.10.10 to 10.12.10.10


To delete NATs

Use the following syntax to delete one or more NATs from the system:

b nat <orig_addr> [...<orig_addr>] delete


To display status of NATs

Use the following command to display the status of all NATs included in the configuration:

b nat show

Use the following syntax to display the status of one or more selected NATs (see Figure 10.1).

b nat <orig_addr> [...<orig_addr>] show

Figure 10.1 Output when you display the status of a NAT


NAT { 10.10.10.3 to 9.9.9.9 }
(pckts,bits) in = (0, 0), out = (0, 0)
NAT { 10.10.10.4 to 12.12.12.12
netmask 255.255.255.0 broadcast 12.12.12.255 }
(pckts,bits) in = (0, 0), out = (0, 0)
 

To reset statistics for a NAT

Use the following command to reset the statistics for an individual NAT:

b nat [<orig_addr>] stats reset

Use the following command to reset the statistics for all NATs:

b nat stats reset


Disabling NATs for a pool

When configuring a pool, you can specifically disable any SNAT or NAT connections that use that pool. By default, this setting is enabled.


Disabling ARP requests

By default, the BIG-IP system responds to ARP requests for the NAT address and sends a gratuitous ARP request for router table update. If you want to disable the NAT address for ARP requests, you must specify arp disable.


Additional restrictions

The nat command has the following additional restrictions:

  • The IP address defined in the <orig_addr> parameter must be routable to a specific server behind the BIG-IP system.
  • You must delete a NAT before you can redefine it.
  • The interface for a NAT can only be configured when the NAT is first defined.

IP forwarding

IP forwarding is an alternate way of allowing nodes to initiate or receive direct connections from the BIG-IP external network. IP forwarding directly exposes all of the node IP addresses to the external network, making them routable on that network. If your network uses the NT Domain or CORBA IIOP protocols, IP forwarding is an option for direct access to nodes.

Tip


Use of SNATs and NATs, as well as forwarding pools and forwarding virtual servers, is preferable to global IP forwarding. For more information on forwarding pools and forwarding virtual servers, see Chapter 4, Pools, and Chapter 6, Virtual Servers.

IP forwarding is a global setting that exposes the IP address of all internal nodes to the BIG-IP external network, and clients can use it as a standard routable address. When you enable IP forwarding, the BIG-IP system acts as a router when it receives connection requests for node addresses. You can use the IP filter feature to implement a layer of security that can help protect your nodes.
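
A configuration check built from the constraints this chapter states: global IP forwarding exposes every node, a default SNAT excludes NATs, a SNAT address cannot match a NAT or another SNAT address, the UDP idle timeout should not be 0, and an automapped SNAT needs a self IP address with snat automap enabled. This is an added example, not an F5 tool; the rule names and both sample command lists are constructed.

```python
def audit_bigpipe(lines):
    """Return a list of (rule, detail) findings for bigpipe command lines."""
    snat_addrs = []         # explicit SNAT translation addresses seen so far
    nat_addrs = {}          # NAT original address -> translated address
    automap_self_ips = []   # self IPs with "snat automap enable"
    default_snat = automap_snat = False
    findings = []

    for raw in lines:
        tok = raw.split()
        if len(tok) < 3 or tok[0] not in ("b", "bigpipe"):
            continue
        cmd, args = tok[1], tok[2:]

        if cmd == "global" and args == ["ip_forwarding", "enabled"]:
            findings.append(("IP_FORWARDING_GLOBAL",
                             "all node addresses are exposed to the external network"))
        elif cmd == "snat" and args == ["timeout", "udp", "0"]:
            findings.append(("UDP_TIMEOUT_ZERO", "UDP idle timeout should not be 0"))
        elif cmd == "snat" and args[0] == "map" and "to" in args[1:-1]:
            to = args.index("to")
            originals, target = args[1:to], args[to + 1]
            if originals == ["default"]:
                default_snat = True
            if target == "auto":
                automap_snat = True
            elif target in snat_addrs:
                findings.append(("SNAT_ADDR_REUSED", target))
            else:
                snat_addrs.append(target)
        elif cmd == "nat" and len(args) >= 3 and args[1] == "to":
            nat_addrs[args[0]] = args[2]
        elif cmd == "self" and args[-3:] == ["snat", "automap", "enable"]:
            automap_self_ips.append(args[0])

    # Cross-command checks, evaluated once the whole list has been read.
    if default_snat and nat_addrs:
        findings.append(("NAT_WITH_DEFAULT_SNAT",
                         "NATs cannot be defined when a default SNAT is configured"))
    for original, translated in nat_addrs.items():
        if translated in snat_addrs:
            findings.append(("SNAT_ADDR_MATCHES_NAT",
                             f"{translated} is also the NAT address of {original}"))
    if automap_snat and not automap_self_ips:
        findings.append(("AUTOMAP_WITHOUT_SELF_IP",
                         "no self IP address has snat automap enabled"))
    return findings


# Constructed sample: each line breaks one of the chapter's constraints.
WEAK = [
    "b snat limit 0",
    "b snat timeout udp 0",
    "b snat map default to 192.168.100.10",
    "b snat map internal2 to auto",
    "b nat 10.10.10.10 to 192.168.100.10",
    "b global ip_forwarding enabled",
]

# Constructed sample: same intent, written within the constraints.
CORRECTED = [
    "b snat limit 0",
    "b snat timeout udp 120",
    "b self 192.168.217.14 snat automap enable",
    "b snat map internal2 to auto",
    "b snat map 192.168.75.50 192.168.75.51 to 192.168.100.10",
    "b nat 10.10.10.10 to 10.12.10.10",
]

if __name__ == "__main__":
    for name, config in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name)
        for rule, detail in audit_bigpipe(config):
            print(f"  {rule}: {detail}")
```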

Table 10.3 shows options associated with IP forwarding.

 

| Option | Description |
|---|---|
| Enable IP forwarding globally | You can enable IP forwarding globally for the BIG-IP system, either with the Configuration utility or by turning on the sysctl variable net.inet.ip.forwarding. To protect your nodes with this feature, we recommend that you use IP filters, which add a layer of security. |
| Address routing issues | If you enable IP forwarding, you need to route packets to the node addresses through the BIG-IP system. |
| Configure the forwarding attribute for a pool | Instead of enabling IP forwarding globally or creating a forwarding virtual server, you can create a pool with no members that forwards traffic instead of load balancing it. For more information, see Chapter 4, Pools. |
| Enable IP forwarding for a virtual server | Instead of enabling IP forwarding globally, you can create a special virtual server with IP forwarding enabled. For information on creating a forwarding virtual server, see Chapter 6, Virtual Servers. |

 

The following sections describe the procedures for configuring these options.


Enabling IP forwarding globally

IP forwarding is a global property of the BIG-IP system. To set up IP forwarding globally, you need to complete two tasks:

  • Turn IP forwarding on
    The BIG-IP system uses a system control variable to control IP forwarding, and its default setting is off.
  • Verify the routing configuration
    You probably have to change the routing table for the router on the BIG-IP external network. The router needs to direct packets for nodes to the BIG-IP system, which in turn directs the packets to the nodes themselves.

To set global IP forwarding using the Configuration utility
  1. In the navigation pane, click System.
    The Network Map screen opens.
  2. Click the Advanced Properties tab.
    The Advanced Properties screen opens.
  3. Check the Allow IP Forwarding box.
  4. Click Apply.

To set global IP forwarding from the command line

Use the bigpipe global ip_forwarding command to set the variable. The default setting for the variable is disabled. You should change the setting to enabled:

b global ip_forwarding enabled


Addressing routing issues for IP forwarding

Once you turn on IP forwarding, you probably need to change the routing table on the default router. Packets for the node addresses need to be routed through the BIG-IP system. For details about changing the routing table, refer to your router's documentation.


Configuring the forwarding attribute for a pool

You can configure IP forwarding so that it is done by a pool, rather than globally by the BIG-IP system or by an individual virtual server. For more information, see Chapter 4, Pools.


Enabling IP forwarding for a virtual server

You can configure IP forwarding so that it is done by a virtual server, rather than globally by the BIG-IP system or by a specific pool. For more information, see Chapter 6, Virtual Servers.