Manual Chapter : Using Firewall NAT for IP and Port Translation

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.2, 14.1.0
Manual Chapter

Using Firewall NAT for IP and Port Translation

About using Firewall NAT to translate addresses and ports

Firewall NAT on the BIG-IP® Advanced Firewall Manager™ system supports advanced NAT functionality on the AFM™ system.

NAT matching policies

NAT policies present a configurable collection of NAT matching rules and NAT translation objects, for inbound and outbound connections. The system matches flows and applies NAT rules, after the matching for firewall rules occurs. Firewall NAT allows you to configure a rule to match traffic, to which NAT source and destination translation rules are applied. Source and destination translation items are configured individually, and can be applied to multiple rules and contexts. Generally, overlapping addresses cannot be configured in NAT source or destination rules. However, you can configure overlapping addresses between two Dynamic PAT items that have the PAT mode set to NAPT or Port Block Allocation mode.

Firewall NAT can be used on a system with F5® BIG-IP CGNAT (Carrier-Grade NAT). Firewall NAT policies operate with CGNAT policies when applied on the same virtual server.

NAT contexts and precedence

You can configure a firewall NAT policy at the global, virtual server, or route domain context. NAT address and port assignment takes place only at the virtual server level, so a Firewall NAT policy configured at the global context applies on each individual virtual server, and a firewall NAT policy configured at the route domain context applies to all virtual servers on that route domain.

Similarly, NAT policies apply precedence in most-specific to least-specific order. A firewall NAT policy configured on a virtual server takes precedence over a policy configured on the route domain context, or at the global context.

Translation address persistence

The firewall NAT feature module can assign the same external (translation) address to all connections originated by the same internal client, providing endpoint-independent address mapping.

Efficient logging

Firewall NAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting and compliance with law enforcement/legal constraints.

Network address and port translation

Network address and port translation (NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router.

Proxy ARP

Currently when using AFM NAT to map a range of client source addresses to a range in the same subnet as the IP address of the egress interface, the BIG-IP system does not proxy ARP for the translated source addresses.

Deterministic assignment of translation addresses

Deterministic mode is an option used to assign translation address, and is port-based on the client address/port and destination address/port. It uses reversible mapping to reduce the amount of log messages, while still maintaining the ability for translated IP address to be discovered for troubleshooting and compliance. Deterministic mode also provides an option to configure backup-members.

Port block allocation of translation addresses

Port block allocation (PBA) mode is an option that reduces logging, by logging only the allocation and release of a block of ports. When a subscriber sends a translation request, the BIG-IP system services the request from a block of ports that is assigned to a single IP address, and only logs the allocation and release of that block of ports. The BIG-IP system applies subsequent requests from the service provider to that block of ports until all ports are used.

Important: To use Firewall NAT, you must create a firewall NAT policy, define a matching rule, attach source or destination translation items, and configure the NAT policy at the device level, on a route domain, or on a virtual server.

About Firewall NAT and Carrier Grade NAT (CGNAT)

Firewall NAT on the BIG-IP Advanced Firewall Manager system can be used with Carrier Grade NAT (CGNAT). Firewall NAT policies are not supported with either LTM SNAT pools or CGNAT LSN-pool configurations on a virtual server.
  • If an LTM SNAT pool or CGNAT LSN-pool is applied to a virtual server, a Firewall NAT policy cannot then be applied to that virtual server.
  • If a Firewall NAT policy is applied to a virtual server, an LTM SNAT pool or CGNAT LSN-pool cannot be applied to that virtual server. Note that this extends to all contexts at which the Firewall NAT policy can be applied. For example, if a virtual server uses a Firewall NAT policy that is applied on the route domain, an LTM SNAT pool or CGNAT LSN-pool cannot then be applied to that virtual server.

About specifying source translations for Firewall NAT

Source Translation items

With Firewall NAT, source translation rules are contained in a source translation item. This item contains address and port information for the translation pools, and configuration information for each source translation type.

Static NAT

Static NAT mode provides simple 1:1 mapping between the destination IP address and the router IP address. An equal number of internal and external IP addresses must be specified. Ports are not translated.

Static PAT

Static PAT (also known as NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router. For outbound packets, Static PAT translates the source IP address and source port. For inbound packets, Static PAT translates the destination IP address, the destination port, and the IP and transport header checksums. This mode is beneficial for remote access users. NAPT is the default mode for firewall NAT source translation items.

Dynamic PAT

Dynamic PAT mode provides inbound connection configuration options and mapping options.

With Dynamic PAT you can configure inbound connections with endpoint independent filtering, which specifies that the translation attempts to reuse both the address and port mapping (X:x to X':x') for subsequent packets sent from the same internal IP address and port. The BIG-IP system attempts to map X:x to X':x' in every session. This is called Endpoint Independent Mapping in section 4.1 of RFC 4787.

Dynamic PAT also allows you to configure the following mapping modes.

Address pooling paired
Enables all sessions associated with an internal IP address to map to the same external IP address for the duration of the session.
Endpoint independent mapping
Enables use of the same external address and port for all connections from the host, if it uses the same internal port.

Deterministic Mode

With Dynamic PAT, you can configure a source translation item to use deterministic mode. Deterministic mode maps internal addresses to external addresses algorithmically, which significantly reduces the amount of log entries generated, while mapping a subscriber's inside IP address with an outside Internet address and port.

Port Block Allocation Mode

With Dynamic PAT, you can configure a source translation item to use port block allocation (PBA) mode. Port block allocation mode is a translation mode option that reduces logging, by logging only the allocation and release of each block of ports. When a subscriber first establishes a network connection, the BIG-IP system reserves a block of ports on a single IP address for that subscriber. The system releases the block when no more connections are using it. This reduces the logging overhead because the system logs only the allocation and release of each block of ports. When a subscriber first connects, the PBA translation mode applies client port block limits, which the subscriber uses as long as it has addresses allocated. For each subscriber, PBA mode compares the subscriber's allocated number of port blocks to the port block limit for the currently connected pool. If the allocated number of port blocks exceeds the port block limit, then the connection is denied. For example, if a subscriber's allocated number of port blocks is 2, and the port block limit for the currently connected pool is 1, then the connection is denied.

Client Connection Limit

In Dynamic PAT modes, you can configure a client connection limit. This allows you to specify the maximum number of simultaneous translated connections a client or subscriber is allowed to have.

Hairpin Mode

In Dynamic PAT modes, you can configure hairpin mode. When a client sends a packet to another client in the same private network,hairpin mode sends the packet directly to the destination client's private address. The BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and returning later for translation, the packet takes a "hairpin turn" at the BIG-IP device.

Exclude Addresses

In Dynamic PAT modes, when you add a source or destination translation item, you can specify addresses to exclude from source translation in the Excluded Address field.

Specifying source IP addresses for static NAT

Specify static NAT source IP NAT translations to configure the NAT translation addresses for one-to-one static NAT.
  1. On the Main tab, click Security > Network Address Translation > Source Translation .
    The Source Translation screen opens.
  2. Click Create.
    The New Source Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Static NAT.
  5. In the Addresses field, add an address or address range on which source translation is performed. Click Add for each address or address range.
  6. From the ICMP Echo list, select whether to enable or disable ICMP echo on translated addresses.
  7. From the Egress interfaces area, specify the egress interfaces on which source translation is enabled or disabled. Select Enabled on or Disabled on to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

Specifying source IP addresses for static PAT

Specify a static PAT source NAT translation to configure the NAT translation addresses for NAT address and port translation.
  1. On the Main tab, click Security > Network Address Translation > Source Translation .
    The Source Translation screen opens.
  2. Click Create.
    The New Source Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Static PAT.
  5. In the Addresses field, add an address or address range on which source translation is performed. Click Add for each address or address range.
  6. In the Ports field, add a port or port range on which source translation is performed. Click Add for each port or port range.
  7. From the ICMP Echo list, select whether to enable or disable ICMP echo on translated addresses.
  8. From the Egress interfaces area, specify the egress interfaces on which source translation is enabled or disabled. Select Enabled on or Disabled on to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

Specifying source IP addresses for deterministic dynamic PAT

Deterministic address translation mode provides address translation that eliminates logging of every address mapping, while still allowing internal client address tracking using only an external address and port, and a destination address and port. Deterministic mode allows unique identification of the internal client address based on: external address and port (the address and port visible to the destination server), destination address and port (the service accessed by the client), and time. Use Deterministic mode to significantly reduce the logging burden, while mapping a subscriber's inside IP address with an outside Internet address and port.
  1. On the Main tab, click Security > Network Address Translation > Source Translation .
    The Source Translation screen opens.
  2. Click Create.
    The New Source Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Dynamic PAT.
  5. In the Addresses field, add an address or address range on which source translation is performed. Click Add for each address or address range.
  6. In the Ports field, add a port or port range on which source translation is performed. Click Add for each port or port range.
  7. From the ICMP Echo list, select whether to enable or disable ICMP echo on translated addresses.
  8. From the PAT Mode list, select Deterministic.
  9. From the Inbound Mode list, select the persistence setting for NAT translation entries.
    • None disables persistence. With this setting, the mapping of address X and port x (X:x) to address:port X':x' is never guaranteed to persist from one session to the next.
    • Endpoint Independent Filtering specifies that the translation attempts to reuse both the address and port mapping (X:x to X':x') for subsequent packets sent from the same internal IP address and port. The BIG-IP system attempts to map X:x to X':x' in every session. This is called Endpoint Independent Mapping in RFC 4787, section 4.1.
  10. From the Mapping Mode list, select the mapping mode to determine how dynamic ports are assigned, and specify the timeout in seconds for the mapping mode.
    • Select Address Pooling Paired to enable all the sessions associated with an internal IP address to map to the same external IP address for the duration of the session.
    • Select Endpoint Independent Mapping to assign the same external address and port for all connections from the host if it uses the same internal port.
    • Select None to assign no mapping mode to dynamic port assignments.
  11. If required, in the Client Connection Limit field, specify the maximum number of simultaneous translated connections a client or subscriber is allowed to have.
    The default value of 0 specifies no limit.
  12. From the Hairpin Mode list, enable or disable hairpin mode.
    When a client sends a packet to another client in the same private network, hairpin mode sends the packet directly to the destination client's private address; the BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and coming back later for translation, the packet takes a hairpin turn at the BIG-IP device.
  13. From the Egress interfaces area, specify the egress interfaces on which source translation is enabled or disabled. Select Enabled on or Disabled on to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
  14. In the Backup Address field, specify backup IP addresses.
    This setting creates a pool of IP addresses available for backup members, which are used if Deterministic mode translation fails and falls back to NAPT mode. This is a collection of IP prefixes with their prefix lengths. You can type backup members in the Add a Backup IP Address field, and click Add.
  15. Click Submit.
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

Specifying source IP addresses for dynamic PAT with NAPT

Specify a dynamic PAT source NAT translation to configure the NAT translation addresses for NAT address and port translation for deterministic mode, which reduces logging of address mapping, while still allowing internal client address tracking using only an external address and port, and a destination address and port.
  1. On the Main tab, click Security > Network Address Translation > Source Translation .
    The Source Translation screen opens.
  2. Click Create.
    The New Source Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Dynamic PAT.
  5. In the Addresses field, add an address or address range on which source translation is performed. Click Add for each address or address range.
  6. In the Exclude Addresses field, specify addresses to exclude from source translation. Click Add for each address or address range.
  7. In the Ports field, add a port or port range on which source translation is performed. Click Add for each port or port range.
  8. From the ICMP Echo list, select whether to enable or disable ICMP echo on translated addresses.
  9. From the PAT Mode list, select Deterministic.
  10. From the Inbound Mode list, select the persistence setting for NAT translation entries.
    • None disables persistence. With this setting, the mapping of address X and port x (X:x) to address:port X':x' is never guaranteed to persist from one session to the next.
    • Endpoint Independent Filtering specifies that the translation attempts to reuse both the address and port mapping (X:x to X':x') for subsequent packets sent from the same internal IP address and port. The BIG-IP system attempts to map X:x to X':x' in every session. This is called Endpoint Independent Mapping in RFC 4787, section 4.1.
  11. From the Mapping Mode list, select the mapping mode to determine how dynamic ports are assigned, and specify the timeout in seconds for the mapping mode.
    • Select Address Pooling Paired to enable all the sessions associated with an internal IP address to map to the same external IP address for the duration of the session.
    • Select Endpoint Independent Mapping to assign the same external address and port for all connections from the host if it uses the same internal port.
    • Select None to assign no mapping mode to dynamic port assignments.
  12. If required, in the Client Connection Limit field, specify the maximum number of simultaneous translated connections a client or subscriber is allowed to have.
    The default value of 0 specifies no limit.
  13. From the Hairpin Mode list, enable or disable hairpin mode.
    When a client sends a packet to another client in the same private network, hairpin mode sends the packet directly to the destination client's private address; the BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and coming back later for translation, the packet takes a hairpin turn at the BIG-IP device.
  14. From the Egress interfaces area, specify the egress interfaces on which source translation is enabled or disabled. Select Enabled on or Disabled on to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
  15. Click Submit.
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

Specifying source IP addresses for port block allocation mode

Specify a dynamic PAT source NAT translation to configure the NAT translation addresses for NAT address and port translation for port block allocation (PBA) mode, which reduces logging of address mapping, by assigning a block of ports to a translated address and port.
  1. On the Main tab, click Security > Network Address Translation > Source Translation .
    The Source Translation screen opens.
  2. Click Create.
    The New Source Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Dynamic PAT.
  5. In the Addresses field, add an address or address range on which source translation is performed. Click Add for each address or address range.
  6. In the Ports field, add a port or port range on which source translation is performed. Click Add for each port or port range.
  7. From the ICMP Echo list, select whether to enable or disable ICMP echo on translated addresses.
  8. From the PAT Mode list, select Port Block Allocation.
  9. From the Inbound Mode list, select the persistence setting for NAT translation entries.
    • None disables persistence. With this setting, the mapping of address X and port x (X:x) to address:port X':x' is never guaranteed to persist from one session to the next.
    • Endpoint Independent Filtering specifies that the translation attempts to reuse both the address and port mapping (X:x to X':x') for subsequent packets sent from the same internal IP address and port. The BIG-IP system attempts to map X:x to X':x' in every session. This is called Endpoint Independent Mapping in RFC 4787, section 4.1.
  10. From the Mapping Mode list, select the mapping mode to determine how dynamic ports are assigned, and specify the timeout in seconds for the mapping mode.
    • Select Address Pooling Paired to enable all the sessions associated with an internal IP address to map to the same external IP address for the duration of the session.
    • Select Endpoint Independent Mapping to assign the same external address and port for all connections from the host if it uses the same internal port.
    • Select None to assign no mapping mode to dynamic port assignments.
  11. If required, in the Client Connection Limit field, specify the maximum number of simultaneous translated connections a client or subscriber is allowed to have.
    The default value of 0 specifies no limit.
  12. From the Hairpin Mode list, enable or disable hairpin mode.
    When a client sends a packet to another client in the same private network, hairpin mode sends the packet directly to the destination client's private address; the BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and coming back later for translation, the packet takes a hairpin turn at the BIG-IP device.
  13. From the Egress interfaces area, specify the egress interfaces on which source translation is enabled or disabled. Select Enabled on or Disabled on to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

About specifying destination translations for Firewall NAT

Destination Translation items

With Firewall NAT, destination translation rules are contained in a destination translation item. This item contains address and port information for the translation pools, and configuration information for each destination translation type.

Static NAT

Static NAT mode provides simple 1:1 mapping between the destination IP address and the router IP address. An equal number of internal and external IP addresses must be specified. Ports are not translated.

Static PAT

Static PAT (also known as NAPT) mode provides standard address and port translation allowing a single IP address to access remote networks using the single IP address assigned to their router. For outbound packets, Static PAT translates the source IP address and source port. This mode is beneficial for remote access users.

Specifying destination IP addresses for static NAT

Add a static NAT destination translation to a Firewall NAT policy to configure the NAT translation addresses for one-to-one mapping of internal destination addresses to external destination addresses.
  1. On the Main tab, click Security > Network Address Translation > Destination Translation .
    The Destination Translation screen opens.
  2. Click Create.
    The New Destination Translation screen opens.
  3. In the Name and Description fields, type the name and an optional description.
  4. From the Type list, select Static NAT.
  5. In the Addresses field, add an address or address range on which destination translation is performed. Click Add for each address or address range.
  6. Click Submit.
The new destination translation item appears on the Destination Translation screen.
Associate the destination translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

Specifying destination IP addresses for static PAT

Derfine a Static PAT destination NAT translation to define destination addresses and ports to translate from internal to external addresses.
  1. On the Main tab, click Security > Network Address Translation > Destination Translation .
    The Destination Translation screen opens.
  2. Click Create.
    The New Destination Translation screen opens.
  3. From the Type list, select Static PAT.
  4. In the Addresses field, add an address or address range on which destination translation is performed. Click Add for each address or address range.
  5. In the Ports field, add a port or port range on which destination translation is performed. Click Add for each port or port range.
  6. Click Submit.
The new destination translation item appears on the Destination Translation screen.
Associate the destination translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.

About creating Firewall NAT policies

Firewall NAT policies collect rules to provide NAT address and port translation for source and destination addresses, including match rules for addresses and protocols, and translation rules for source and destination. You can attach a NAT policy at the device level, a route domain, or to a virtual server.

Creating a NAT policy

Create a NAT policy to attach to the device level, a route domain, or a virtual server, to provide NAT address matching and address and port translation for source and destination addresses.
  1. On the Main tab, click Security > Network Address Translation > Policies .
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. In the Name and Description fields, type the name and an optional description.
  4. Click Add Rule to add a NAT rule to the policy.
    Click the arrow next to Add Rule if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
You have now configured a NAT policy.

Creating a NAT match rule

You can create a NAT match rule in a NAT policy, to identify traffic flows to which the system applies the NAT source and destination translation items.
  1. On the Main tab, click Security > Network Address Translation > Policies .
    The Policies screen opens.
  2. From the policy list, click the name of the NAT policy to which to add the rule.
    The NAT policy screen opens.
  3. Click Add Rule to add a NAT rule to the policy.
    Click the arrow next to Add Rule if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  4. In the Name and Description fields, type the name and an optional description.
  5. In the State column, select the rule state.
    • Select Enabled to apply the rule on the protocol, addresses, and ports specified.
    • Select Disabled to disable the rule.
  6. In the Protocol column, select the protocol to which the NAT rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
  7. In the Source field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  8. In the Destination field, specify the destination addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, or an address list or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  9. From the Log Profile list, select a logging profile to apply to the NAT rule.
    Tip: You can configure the logging profile on the virtual server security policy, instead of on the match rule.
  10. Click Commit Changes to System.
    The policy with the updated rule is displayed.
You have now configured a NAT rule to match traffic, and apply NAT translations.

About specifying NAT context for a Firewall NAT policy

You can configure a firewall NAT policy at the global, virtual server, or route domain context. NAT address and port assignment takes place only at the virtual server level, so a Firewall NAT policy configured at the global context applies on each individual virtual server, and a firewall NAT policy configured at the route domain context applies to all virtual servers on that route domain.

NAT policies apply precedence in most-specific to least-specific order. A firewall NAT policy configured on a virtual server takes precedence over a policy configured on the route domain context, or at the global context.

When you specify a NAT policy on a virtual server, you can configure the virtual server to use either the route domain policy, the device policy, or both. Orders of precedence still apply, and the most specific NAT policy is applied.

Adding a global Firewall NAT policy

You can specify a firewall NAT policy at the device level to provide NAT translation for matched traffic on all route domains on the device.
Note: Note that you can override the device policy by assigning a policy to a route domain, and by assigning a policy to a specific virtual server.
  1. On the Main tab, click Security > Options > Network Firewall .
    The Network Firewall screen opens to Firewall Options.
  2. From the Network Address Translation list, select the NAT policy to use for device-level NAT.
  3. Click Update.
    The options are updated.
  4. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  5. Click the name of any virtual server on which you want the Global NAT policy to apply.
  6. On the menu bar, from the Security menu, choose Policies.
  7. To use the global Firewall NAT policy, in the Network Address Translation area, click Use Device Policy.
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  8. Click Update to save the changes.
You have now configured a NAT policy for the device.

Adding a NAT match rule to the device policy

You can add a NAT match rule to the device NAT policy, to identify traffic flows to which the system applies the NAT source and destination translation items.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Context Filter list, select Global.
  3. Click Add Rule > Add rule to Global to add a NAT rule to the global policy.
    Click the arrow next to Add Rule if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  4. In the Name and Description fields, type the name and an optional description.
  5. In the State column, select the rule state.
    • Select Enabled to apply the rule on the protocol, addresses, and ports specified.
    • Select Disabled to disable the rule.
  6. In the Protocol column, select the protocol to which the NAT rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
  7. In the Source field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  8. In the Destination field, specify the destination addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, or an address list or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  9. From the Log Profile list, select a logging profile to apply to the NAT rule.
    Tip: You can configure the logging profile on the virtual server security policy, instead of on the match rule.
  10. Click Commit Changes to System.
    The policy with the updated rule is displayed.
You have now configured a NAT rule in the device policy to match traffic, and apply NAT translations.

Configuring a route domain to use Firewall NAT

Before performing this task, confirm that you have a configured Firewall NAT policy.
Assign a Firewall NAT policy to a route domain to use advanced NAT features for address and port translation on a route domain.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. On the Main tab, click Security.
    The Route Domain Security screen opens.
  4. From the Network Address Translation list, select the NAT policy to apply to route domain traffic.
    Note: When a NAT policy is specified on a more specific context, that policy is applied. For example, a NAT policy on a route domain takes precedence over a global policy, and a policy on a virtual server takes precedence over a route domain policy.
  5. Click Update.
    The system displays the list of route domains on the BIG-IP system.
  6. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  7. Click the name of any virtual server on which you want the Route Domain NAT policy to apply.
  8. On the menu bar, from the Security menu, choose Policies.
  9. To use the route domain Firewall NAT policy, in the Network address translation area, click Use Route Domain Policy.
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  10. Click Update to save the changes.
The route domain now applies the NAT policy to matching traffic, when the route domain policy takes precedence.

Adding a NAT match rule to a route domain

You can add a NAT match rule to a route domain NAT policy, to identify traffic flows to which the route domain applies the NAT source and destination translation items.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Context Filter list, select Route Domain.
  3. From the Route Domain list, select the route domain to which you want to add NAT match rules.
  4. Click Add Rule > Add rule to Route Domain to add a NAT rule to the route domain.
    Click the arrow next to Add Rule if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  5. In the Name and Description fields, type the name and an optional description.
  6. In the State column, select the rule state.
    • Select Enabled to apply the rule on the protocol, addresses, and ports specified.
    • Select Disabled to disable the rule.
  7. In the Protocol column, select the protocol to which the NAT rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
  8. In the Source field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  9. In the Destination field, specify the destination addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, or an address list or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  10. From the Log Profile list, select a logging profile to apply to the NAT rule.
    Tip: You can configure the logging profile on the virtual server security policy, instead of on the match rule.
  11. Click Commit Changes to System.
    The policy with the updated rule is displayed.
You have now configured a NAT rule in the device policy to match traffic, and apply NAT translations.

Configuring Firewall NAT on a virtual server

After you create a firewall NAT policy, you associate that published policy with the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays policy settings for the virtual server.
  4. To use the global Firewall NAT policy, in the Network Address Translation area, click Use Device Policy.
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  5. To use the route domain Firewall NAT policy, in the Network address translation area, click Use Route Domain Policy.
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  6. From the Policy list, select the Firewall NAT policy to apply to the context.
  7. Click Finished.
The Firewall NAT policy is associated with the virtual server.

Adding a NAT match rule to a virtual server

You can add a NAT match rule to a virtual server policy, to identify traffic flows to which the virtual serve applies the NAT source and destination translation items.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Context Filter list, select Virtual Server.
  3. From the Virtual Server list, select the virtual server to which you want to add NAT match rules.
  4. Click Add Rule > Add rule to Virtual Server to add a NAT rule to the virtual server.
    Click the arrow next to Add Rule if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  5. In the Name and Description fields, type the name and an optional description.
  6. In the State column, select the rule state.
    • Select Enabled to apply the rule on the protocol, addresses, and ports specified.
    • Select Disabled to disable the rule.
  7. In the Protocol column, select the protocol to which the NAT rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
  8. In the Source field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  9. In the Destination field, specify the destination addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, or an address list or port list. After you complete an entry, click Add.
    Important: You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  10. From the Log Profile list, select a logging profile to apply to the NAT rule.
    Tip: You can configure the logging profile on the virtual server security policy, instead of on the match rule.
  11. Click Commit Changes to System.
    The policy with the updated rule is displayed.
You have now configured a NAT rule in the device policy to match traffic, and apply NAT translations.