Manual Chapter : Using ALG Profiles

Applies To:


BIG-IP LTM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Using the FTP ALG Profile to Transfer Files

The File Transfer Protocol (FTP) application layer gateway (ALG) profile enables you to transfer files between a client and server. The FTP ALG profile supports both active and passive modes, where data connections are initiated either from an FTP server (active mode) or from a client (passive mode). You can transfer files using the FTP protocol by configuring an LSN pool, configuring an FTP profile, and then assigning the LSN pool and FTP profile to a virtual server. The FTP protocol is described in RFC 959.

About the FTP profile

The File Transfer Protocol (FTP) profile enables you to transfer files between a client and server, using FTP connections over TCP. The FTP application layer gateway (ALG) supports the FTP protocol's active and passive modes, where data connections are initiated either from an FTP server (active mode) or from a client (passive mode).

You can configure the FTP profile settings, as needed, to ensure compatibility between IPv4 and IPv6 clients and servers, to enable the FTP data channel to inherit the TCP profile used by the FTP control channel, and to use a port other than the default port (20). Additionally, when used with Application Security Manager™ (ASM™), this profile enables the BIG-IP® system to inspect FTP traffic for security vulnerabilities by using an FTP security profile.

FTP Control Channels

Once established, the FTP control channel remains open throughout the FTP session. The FTP control channel and the FTP data channel must both originate from the same IP address.

FTP Data Channels

In active mode, the FTP server initiates data connections. A client informs the server as to what port the client is listening on, and the server connects to the client by using that port.

An example FTP active mode configuration

In this example, an LSN pool is configured with a translation address and prefix length of 10.33.1.0/24. The virtual server listens for the FTP control channel on a wildcard address and the specific port 0.0.0.0:21, and the FTP profile's data port is 20. The translation mode configured on the LSN pool determines the port range from which the translated data-channel ports are drawn:

Translation mode    Port range
NAPT                2000-3000
DNAT                2000-2200
PBA                 2000-2150

In passive mode, the FTP client initiates data connections. The FTP server informs the client as to what port the server is listening on, and the client connects to the server by using that port.

An example FTP passive mode configuration

In this example, an LSN pool is configured with a translation address and prefix length of 10.33.1.0/24. The virtual server listens for the FTP control channel on a wildcard address and the specific port 0.0.0.0:21, and the FTP profile's data port is 20. As in the active mode example, the translation mode configured on the LSN pool determines the port range from which the translated data-channel ports are drawn:

Translation mode    Port range
NAPT                2000-3000
DNAT                2000-2200
PBA                 2000-2150
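To make the active and passive mode descriptions above concrete, here is an added Python model of the control-channel rewriting an FTP ALG performs for one client behind CGNAT. It is illustrative code written for this page, not BIG-IP code and not from the F5 manual. It rewrites the client's PORT (RFC 959) and EPRT (RFC 2428) commands to carry the translation address and a port from the NAPT range 2000-3000, records the inbound server-to-client flow that the rewritten command commits the ALG to accepting, rejects a PORT or EPRT whose address is not the control channel's client (the rule stated under FTP Control Channels), and in passive mode reserves a translated port for the client's outbound data connection announced by the server's 227 or 229 reply. The EPRT handling also shows what Translate Extended is for: an IPv6 client's EPRT is re-emitted as an IPv4 EPRT so an IPv4 server can connect back. The client and server addresses (192.0.2.10, 2001:db8::5, 198.51.100.20), the translation address 10.33.1.7, the sequential port allocator and the class name FtpAlg are assumptions for the example; a real CGNAT chooses ports according to the configured translation mode.

```python
import ipaddress
import re

# Constructed values matching the page's example: the LSN pool member
# 10.33.1.0/24 and the NAPT port range from the table.
TRANSLATION_PREFIX = ipaddress.ip_network("10.33.1.0/24")
PORT_RANGE = (2000, 3000)

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


class FtpAlg:
    """Toy model (not BIG-IP code) of FTP ALG behaviour for one control channel."""

    def __init__(self, client_ip, translation_ip, port_range=PORT_RANGE):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.translation_ip = ipaddress.ip_address(translation_ip)
        if self.translation_ip not in TRANSLATION_PREFIX:
            raise ValueError("translation address is not in the LSN pool member prefix")
        self._next_port, self._last_port = port_range
        # (direction, translated ip, translated port, other-side ip, other-side port)
        self.flows = []

    def _allocate_port(self):
        # Sequential allocation is an assumption; real CGNAT follows the translation mode.
        if self._next_port > self._last_port:
            raise RuntimeError("NAPT port range exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def _open_inbound(self, advertised_ip, advertised_port):
        # Active mode: the client tells the server where to connect. Enforce the
        # page's rule that the data channel belongs to the same client address as
        # the control channel before a translated port is reserved for it.
        if ipaddress.ip_address(advertised_ip) != self.client_ip:
            raise ValueError(f"data address {advertised_ip} is not the control-channel client {self.client_ip}")
        ext_port = self._allocate_port()
        self.flows.append(("server->client", str(self.translation_ip), ext_port,
                           str(self.client_ip), advertised_port))
        return ext_port

    def rewrite_client_command(self, line):
        """Rewrite PORT or EPRT so the server connects to the translated address/port."""
        m = PORT_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            ext_port = self._open_inbound(host, port)
            octets = str(self.translation_ip).replace(".", ",")
            return f"PORT {octets},{ext_port // 256},{ext_port % 256}\r\n"
        m = EPRT_RE.match(line)
        if m:
            ext_port = self._open_inbound(m.group(2), int(m.group(3)))
            # Translate Extended: the server sees the address family of the
            # translation address (1 = IPv4), whatever family the client used.
            family = 1 if self.translation_ip.version == 4 else 2
            return f"EPRT |{family}|{self.translation_ip}|{ext_port}|\r\n"
        return line  # not a data-channel command: pass through unchanged

    def track_server_reply(self, line, server_ip):
        """Passive mode: the server advertises its listening port. The reply is not
        rewritten, but the client's outbound data connection is translated like any
        other flow, so reserve its port. Returns the port, or None if not PASV/EPSV."""
        m = PASV_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
        else:
            m = EPSV_RE.match(line)
            if not m:
                return None
            host, port = server_ip, int(m.group(1))
        ext_port = self._allocate_port()
        self.flows.append(("client->server", str(self.translation_ip), ext_port, host, port))
        return ext_port
```

The spoofed-address check is the security-relevant part: without it a client could ask the ALG to open an inbound pinhole towards another subscriber's address.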

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.

Creating an FTP profile

You can configure a file transfer protocol (FTP) profile on the BIG-IP® system that transfers files, either in an active or passive mode, and logs related messages.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > FTP .
    The FTP screen opens and displays a list of available FTP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. Select the Translate Extended check box to ensure compatibility between IPv4 and IPv6 clients and servers when using the FTP protocol. The default is selected.
  7. Select the Inherit Parent Profile check box to enable the FTP data channel to inherit the TCP profile used by the control channel. The check box is clear by default.
    Note: If disabled, the data channel uses FastL4 (BigProto) only.
  8. In the Data Port field, type a number for an alternate port. The default value for the FTP data port is 20.
  9. Click Finished.
An FTP profile is configured on the BIG-IP® system that transfers files, either in an active or passive mode, and logs related messages.

Configuring a CGNAT iRule

You can create iRules® to control how the CGNAT handles matching traffic. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to an LSN pool, a node, or a virtual server.
  1. On the Main tab, click Carrier Grade NAT > iRules .
    The iRule List screen opens.
  2. Click Create.
  3. In the Name field, type a 1 to 31 character name, such as cgn_https_redirect_iRule.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
  5. Click Finished.
You now have an iRule to use with a CGNAT virtual server.

Creating a virtual server using an FTP ALG profile

Virtual servers are matched based on source (client) addresses. Define a virtual server in order to reference an FTP profile and LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  6. In the Service Port field, type 21 or select FTP from the list.
  7. From the Protocol list, select TCP.
  8. From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
  9. From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
  10. From the FTP Profile list, select an FTP ALG profile for the virtual server to use.
  11. For the LSN Pool setting, select the pool that this server will draw on for addresses.
  12. Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list.
    This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
  13. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating an FTP ALG logging profile

You can create an application layer gateway (ALG) logging profile, and associate it with one or more FTP ALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG .
    The ALG logging profiles screen opens.
  2. Click Create.
    The New ALG Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Control Channel Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP® system.
  7. Click Finished.

Configuring an FTP ALG profile

You can associate an FTP ALG profile with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > FTP .
    The FTP screen opens and displays a list of available FTP ALG profiles.
  2. Click the name of an FTP profile.
  3. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events.
    Note: If you configure a Logging Profile, you must also configure a Log Publisher.
  4. Click Finished.

Overview: Using the SIP ALG Profile for Multimedia Sessions

The Session Initiation Protocol (SIP) application layer gateway (ALG) profile enables you to manage peer-to-peer connections through a CGNAT, permitting a client on an external network to initiate and establish a multimedia session with a user on an internal network. You can enable SIP multimedia sessions by configuring an LSN pool, configuring a SIP profile, and then assigning the LSN pool and SIP profile to a virtual server. The SIP protocol is described in RFC 3261.

About the SIP ALG profile

The Session Initiation Protocol (SIP) profile establishes connections over TCP, UDP, and SCTP through a CGNAT. It does this by establishing flows for the multimedia traffic and by translating the IP addresses carried in SIP messages into external IP addresses, so that the internal endpoints are reachable from the public network. Once a call is established, the SIP ALG creates flows for the multimedia traffic (as determined by the address and port combinations advertised on either side of the call), and tears the flows down when the call ends.

You can configure the SIP profile settings, as needed, to provide the following functionality.
  • A maximum message size
  • Closed connection when a BYE transaction completes
  • Use of SIP dialog information
  • High-speed logging (HSL) security checking
  • Association of a SIP virtual server-profile pairing with a SIP proxy functional group
  • Via headers
  • Record-Route headers
  • Real-Time Transport Protocol (RTP) proxy style for media relaying
  • Timing for dialog establishment or SIP session tunnel
  • Definition of maximum media sessions, sessions per registration, or registrations
An example SIP ALG configuration

In this example, an LSN pool is configured with a translation address and prefix length of 10.33.1.0/24. The virtual server is configured with a REGISTER and INVITE port that uses a wildcard destination address and the specific port 0.0.0.0:5060. The SIP RTP data port is configured to use port 886 and the RTCP data port is configured to use port 887. The translation mode configured on the LSN pool determines the port range from which translated ports are drawn:

Translation mode    Port range
NAPT                2000-3000
DNAT                2000-2200
PBA                 2000-2150

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.

Creating a SIP profile

You can configure a session initiation protocol (SIP) profile on the BIG-IP® system that manages peer-to-peer connections through a CGNAT.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > SIP .
    The SIP screen opens and displays a list of available SIP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. In the Maximum Size (Bytes) field, type a number to specify the maximum size, in bytes, for a SIP message. The default is 65535 bytes.
  7. Clear the Terminate on BYE check box.
    Important: You must clear the Terminate on BYE check box for a TCP or UDP connection when the BIG-IP system functions as a SIP proxy, configuring the inbound SNAT and consolidating multiple calls into one server-side connection. You should select the Terminate on BYE check box to improve performance only for a UDP connection if each client call comes from a unique IP address and no inbound SNATs are configured.
  8. Select the Dialog Aware check box to gather SIP dialog information, and automatically forward SIP messages belonging to the known SIP dialog. The default is cleared.
  9. Select the Security check box to enable the use of enhanced HSL security checking. The default is cleared.
  10. With the Dialog Aware check box selected, in the Community field, type a string to indicate whether the SIP virtual server-profile pair belongs to the same SIP proxy functional group.
  11. Configure the Insert Via Header settings.
    1. From the Insert Via Header list, select Enabled to insert a Via header in the forwarded SIP request. The default is Disabled.
    2. With the Insert Via Header setting enabled, in the User Via field type a value that the system inserts as the top Via header in a SIP REQUEST message.
  12. Select the Secure Via Header check box to insert a secure Via header in the forwarded SIP request. The default is cleared.
  13. Select the Insert Record-Route Header check box to insert a Record-Route SIP header, which indicates the next hop for the following SIP request messages. The default is cleared.
  14. Configure the Application Level Gateway settings.
    1. From the Application Level Gateway list, select Enabled to provide options for defining ALG settings. The default is Disabled.
    2. From the RTP Proxy Style list, select Symmetric.
    3. In the Dialog Establishment Timeout field, type an interval, in seconds, during which the system attempts to establish a peer-to-peer SIP relationship between two user agents, which facilitates sequencing of messages and proper routing of requests between two user agents. The default is 10.
    4. In the Registration Timeout field, type a time, in seconds, that elapses before the SIP registration process expires. The default is 3600.
      Note: When configuring a SIP profile for use with Port Block Allocation (PBA), the Registration Timeout value must be less than the PBA Block Lifetime value.
    5. In the SIP Session Timeout field, type an idle time, in seconds, after which the SIP session times out. The default is 300.
    6. In the Maximum Media Sessions field, type a maximum number of allowable sessions. The default is 6.
    7. In the Maximum Sessions Per Registration field, type a maximum number of allowable sessions per registration. The default is 50.
    8. In the Maximum Registrations field, type a maximum number of allowable registrations. The default is 100.
  15. Select the SIP Firewall check box to indicate that SIP firewall capability is enabled. The default is cleared.
  16. Click Finished.
A SIP profile is configured on the BIG-IP® system that manages peer-to-peer connections through a CGNAT.

Creating a virtual server using a SIP ALG profile

Virtual servers are matched based on source (client) addresses. Here are the steps to define a virtual server that references a SIP profile and LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  6. In the Service Port field, type 5060.
  7. From the Configuration list, select Advanced.
  8. From the Protocol list, select one of the following:
    • UDP
    • TCP
    • *All Protocols
  9. From the Protocol Profile (Client) list, select a predefined or user-defined profile.
  10. From the Protocol Profile (Server) list, select a predefined or user-defined profile.
  11. From the SIP Profile list, select a SIP ALG profile for the virtual server to use.
  12. For the LSN Pool setting, select the LSN pool that this server uses for addresses.
  13. From the Source Port list, select Change.
  14. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating an empty LSN pool

The CGNAT module must be enabled through the System > Resource Provisioning screen before you can create LSN pools.
Large Scale NAT (LSN) pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. From the Persistence Mode list, select Address Port.
    The persistence mode determines how the CGNAT module tracks and stores connection data.
  5. From the Log Publisher list, select the log publisher the BIG-IP system uses to send log messages to a specified destination.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  6. Click Finished.
Your empty LSN pool is now ready.

Creating a virtual server using a SIP ALG profile and empty LSN pool

Virtual servers are matched based on source (client) addresses. Here are the steps to define a virtual server that references a SIP profile and LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. In the Source field, type 0.0.0.0/0.
  6. For a host, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  7. In the Service Port field, type the port number 5060 for the service.
  8. From the Configuration list, select Advanced.
  9. From the Protocol list, select one of the following:
    • UDP
    • TCP
    • *All Protocols
  10. From the Protocol Profile (Client) list, select a predefined or user-defined profile.
  11. From the Protocol Profile (Server) list, select a predefined or user-defined profile.
  12. From the SIP Profile list, select the same SIP ALG profile for this virtual server to use as the other virtual server.
  13. For the LSN Pool setting, select the empty pool that this server will use for addresses.
  14. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating a SIP ALG logging profile

You can create an ALG logging profile, and associate it with one or more SIP ALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG .
    The ALG logging profiles screen opens.
  2. Click Create.
    The New ALG Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Control Channel Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP® system.
  7. Click Finished.

Configuring a SIP ALG profile

You can associate a SIP ALG profile with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > SIP .
    The SIP screen opens and displays a list of available SIP ALG profiles.
  2. Click the name of a SIP profile.
  3. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events.
    Note: If you configure a Logging Profile, you must also configure a Log Publisher.
  4. Click Finished.

Overview: Using the RTSP ALG Profile to Stream Media

The Real Time Streaming Protocol (RTSP) application layer gateway (ALG) profile enables you to establish streaming multimedia sessions between a client and a server. You can stream multimedia sessions by configuring an LSN pool, configuring an RTSP profile, and then assigning the LSN pool and RTSP profile to a virtual server. The RTSP protocol is described in RFC 2326.

About the RTSP ALG profile

The Real Time Streaming Protocol (RTSP) profile enables you to stream multimedia content between a client and server, using RTSP connections over TCP. The RTSP application layer gateway (ALG) supports the RTSP protocol's control channel to an RTSP server, through which the client requests a file for the server to stream (and controls the streaming of that file with commands like play or pause). The client can request streaming over UDP and provide two listening ports for the server response. The RTSP server responds with a Real-Time Transport Protocol (RTP) data channel port, to stream the requested file, and a Real-Time Control Protocol (RTCP) control channel port, which provides a stream description and status.

Note: You can specify RTP and RTCP port numbers in the RTSP profile, which only apply when a client connects to a Windows Media server. If you configure RTP and RTCP port numbers, both values must be nonzero.

You can configure the RTSP profile settings, as needed.

An example RTSP ALG configuration

In this example, an LSN pool is configured with a translation address and prefix length of 10.33.1.0/24. The virtual server listens for the RTSP control channel on a wildcard address and the specific port 0.0.0.0:554. The translation mode configured on the LSN pool determines the port range from which translated ports are drawn:

Translation mode    Port range
NAPT                2000-3000
DNAT                2000-2200
PBA                 2000-2150

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.
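The overlap rule in step 5 applies in deterministic mode and is stated identically in the LSN pool procedures of the FTP, SIP and RTSP sections; it is cheap to check before members are typed into the pool. The following Python is an added example written for this page, not F5 code and not part of the manual. It finds any pair of overlapping member prefixes, rejects the page's 10.10.10.0/24 versus 10.10.10.0/23 case, and also reports the upper bound on simultaneous NAPT translations for the pool (translation addresses times ports in the configured range). The function names and the default port range 2000-3000 (the NAPT range from the example tables) are assumptions.

```python
import ipaddress
from itertools import combinations


def find_overlapping_members(members):
    """Return the first pair of member prefixes that overlap, or None.
    Deterministic mode needs disjoint members: 10.10.10.0/24 lies inside
    10.10.10.0/23, so that pair is a conflict."""
    # strict parsing: a member with host bits set (10.33.1.5/24) is a typo, not a prefix
    nets = [ipaddress.ip_network(m) for m in members]
    for a, b in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            return (str(a), str(b))
    return None


def napt_capacity(members, port_range):
    """Upper bound on simultaneous NAPT translations: every translation
    address in every member times the number of ports in the range."""
    low, high = port_range
    addresses = sum(ipaddress.ip_network(m).num_addresses for m in members)
    return addresses * (high - low + 1)


def validate_lsn_pool(members, port_range=(2000, 3000)):
    """Reject overlapping members up front; otherwise return the normalised
    member list and the pool's NAPT capacity."""
    clash = find_overlapping_members(members)
    if clash:
        raise ValueError(f"member {clash[0]} overlaps member {clash[1]}; "
                         "deterministic mode requires disjoint members")
    return {
        "members": [str(ipaddress.ip_network(m)) for m in members],
        "max_napt_translations": napt_capacity(members, port_range),
    }
```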

Creating an RTSP profile

You can configure a real time streaming protocol (RTSP) profile on the BIG-IP® system that streams multimedia content between a client and server.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > RTSP .
    The RTSP screen opens and displays a list of available RTSP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. In the RTP Port field, type the RTP port number that a Microsoft Media Services server uses. The default is 0.
  7. In the RTCP Port field, type the RTCP port number that a Microsoft Media Services server uses. The default is 0.
    Note: The Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) port numbers in the RTSP profile apply only when a client connects to a Windows Media® server. If you configure them, both values must be nonzero.
  8. Click Finished.
An RTSP profile is configured on the BIG-IP® system that streams multimedia content between a client and server.
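To show what the profile above does to the RTSP control channel described in About the RTSP ALG profile, here is an added Python model. It is illustrative code written for this page, not BIG-IP code and not from the F5 manual. It takes the client's SETUP request, rewrites the client_port pair in the Transport header to translated ports from the NAPT range so the server streams to the translation address, then takes the server's 200 OK, binds the server_port pair to those translated ports, and restores the client's own port numbers before the reply is forwarded so the client recognises it. It also includes the profile check from the RTP Port/RTCP Port steps that both values are zero or both nonzero. The SETUP and reply, the addresses 192.0.2.10, 198.51.100.20 and 10.33.1.7, the sequential port allocator and the class and function names are constructed for the example.

```python
import re

PORT_RANGE = (2000, 3000)   # NAPT port range from the page's example table
CLIENT_PORT_RE = re.compile(r"client_port=(\d+)-(\d+)")
SERVER_PORT_RE = re.compile(r"server_port=(\d+)-(\d+)")

# Constructed sample exchange; not a capture. The reply's client_port already
# carries the translated pair because that is what the server was told.
SAMPLE_SETUP = (
    b"SETUP rtsp://media.example.com/movie/audio RTSP/1.0\r\n"
    b"CSeq: 3\r\n"
    b"Transport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n"
)
SAMPLE_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 3\r\n"
    b"Session: 12345678\r\n"
    b"Transport: RTP/AVP;unicast;client_port=2000-2001;server_port=9000-9001\r\n\r\n"
)


class RtspAlg:
    """Toy model (not BIG-IP code) of RTSP ALG handling of the Transport header."""

    def __init__(self, client_ip, translation_ip, port_range=PORT_RANGE):
        self.client_ip, self.translation_ip = client_ip, translation_ip
        self._next_port, self._last_port = port_range
        self.pending = {}   # translated port -> client port, awaiting the server reply
        self.flows = {}     # translated port -> (client ip, client port, server ip, server port)

    def _allocate_pair(self):
        # Sequential allocation is an assumption; RTP even, RTCP the next odd port.
        rtp = self._next_port + (self._next_port % 2)
        if rtp + 1 > self._last_port:
            raise RuntimeError("NAPT port range exhausted")
        self._next_port = rtp + 2
        return rtp, rtp + 1

    def rewrite_setup(self, request: bytes) -> bytes:
        """Client -> server: advertise translated ports instead of the client's."""
        text = request.decode("ascii")
        m = CLIENT_PORT_RE.search(text)
        if not m:
            return request   # interleaved over TCP or no UDP ports: nothing to translate
        rtp_c, rtcp_c = int(m.group(1)), int(m.group(2))
        if rtcp_c != rtp_c + 1:
            raise ValueError("client_port must be an RTP/RTCP pair; request dropped")
        rtp_t, rtcp_t = self._allocate_pair()
        self.pending[rtp_t], self.pending[rtcp_t] = rtp_c, rtcp_c
        return text.replace(m.group(0), f"client_port={rtp_t}-{rtcp_t}").encode("ascii")

    def process_reply(self, reply: bytes, server_ip: str) -> bytes:
        """Server -> client: bind the server's ports to the translated pair and
        put the client's original port numbers back into the reply."""
        text = reply.decode("ascii")
        cm, sm = CLIENT_PORT_RE.search(text), SERVER_PORT_RE.search(text)
        if not (cm and sm):
            return reply
        translated = (int(cm.group(1)), int(cm.group(2)))
        server_ports = (int(sm.group(1)), int(sm.group(2)))
        if any(p not in self.pending for p in translated):
            raise ValueError("reply names client_port values this ALG never allocated; dropped")
        for t, s in zip(translated, server_ports):
            self.flows[t] = (self.client_ip, self.pending.pop(t), server_ip, s)
        original = f"client_port={self.flows[translated[0]][1]}-{self.flows[translated[1]][1]}"
        return text.replace(cm.group(0), original).encode("ascii")


def profile_ports_valid(rtp_port, rtcp_port):
    """Page rule: the RTSP profile's RTP and RTCP ports are both 0 (unused) or both nonzero."""
    return (rtp_port == 0) == (rtcp_port == 0)
```

Refusing a reply whose client_port pair was never allocated is what stops an untrusted server from steering the ALG into opening flows towards ports it did not negotiate.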

Configuring a CGNAT iRule

You can create iRules® to control how the CGNAT handles matching traffic. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to an LSN pool, a node, or a virtual server.
  1. On the Main tab, click Carrier Grade NAT > iRules .
    The iRule List screen opens.
  2. Click Create.
  3. In the Name field, type a 1 to 31 character name, such as cgn_https_redirect_iRule.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site (http://devcentral.f5.com).
  5. Click Finished.
You now have an iRule to use with a CGNAT virtual server.

Creating a virtual server using an RTSP ALG profile

Virtual servers are matched based on source (client) addresses. Here are the steps to define a virtual server that references an RTSP profile and LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  6. In the Service Port field, type 554 for the service.
  7. From the Protocol list, select TCP.
  8. From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
  9. From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
  10. From the RTSP Profile list, select an RTSP ALG profile for the virtual server to use.
  11. For the LSN Pool setting, select the pool that this server will draw on for addresses.
  12. Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list.
    This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
  13. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Creating an RTSP ALG logging profile

You can create an ALG logging profile, and associate it with one or more RTSP ALG profiles, to allow you to configure logging options for various events that apply to high-speed logging (HSL) destinations. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG .
    The ALG logging profiles screen opens.
  2. Click Create.
    The New ALG Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Control Channel Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP® system.
  7. Click Finished.

Configuring an RTSP ALG profile

You can associate an RTSP ALG profile with a log publisher and logging profile that the BIG-IP® system uses to send log messages to a specified destination.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > RTSP .
    The RTSP screen opens and displays a list of available RTSP ALG profiles.
  2. Click the name of an RTSP profile.
  3. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events.
    Note: If you configure a Logging Profile, you must also configure a Log Publisher.
  4. Click Finished.

Overview: Using the PPTP ALG profile to create a VPN tunnel

The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections. You can create a secure VPN tunnel by configuring a PPTP Profile, and then assigning the PPTP profile to a virtual server. The PPTP protocol is described in RFC 2637.

Important: You cannot combine or use the PPTP Profile with another profile other than a TCP Profile. The PPTP Profile must be used separately and independently.

Task summary

About the PPTP ALG profile

The point-to-point tunneling protocol (PPTP) profile enables you to configure the BIG-IP® system to support a secure virtual private network (VPN) tunnel. A PPTP application layer gateway (ALG) forwards PPTP client (also known as PPTP Access Concentrator [PAC]) control and data connections through the BIG-IP system to PPTP servers (also known as PPTP Network Servers [PNSs]), while providing source address translation that allows multiple clients to share a single translation address.

The PPTP profile defines a Transmission Control Protocol (TCP) control connection and a data channel through a PPTP Generic Routing Encapsulation (GRE) tunnel, which manages the PPTP tunnels through CGNAT for NAT44 and DS-Lite, as well as all translation modes, including Network Address Port Translation (NAPT), Deterministic, and Port Block Allocation (PBA) modes.

PPTP control channels

The BIG-IP system proxies PPTP control channels as normal TCP connections. The PPTP profile translates outbound control messages, which contain Call Identification numbers (Call IDs) that match the port that is selected on the outbound side. Subsequently, for inbound control messages containing translated Call IDs, the BIG-IP system restores the original client Call ID. You can use a packet tracer to observe this translation on the subscriber side or on the Internet side. You can also use iRules® to evaluate and manage any headers in the PPTP control channel.

PPTP GRE data channels

The BIG-IP system manages the translation for PPTP GRE data channels in a manner similar to that of control channels. The BIG-IP system replaces the translated Call ID from the Key field of the GRE header with the inbound client's Call ID. You can use a packet tracer to observe this translation, as well.
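To make the Key-field rewrite concrete, here is an added example (not F5 code, and not the BIG-IP implementation) that parses the enhanced GRE header defined in RFC 2637 and swaps the Call ID half of the Key field according to a translation table, leaving the payload-length half and the rest of the packet untouched. The header layout (flags/version, protocol type 0x880B, payload length, Call ID, optional sequence and acknowledgment numbers) follows RFC 2637; the Call ID values and the PPP payload bytes are constructed, and the mapping table stands in for the state a real ALG keeps per subscriber and translation address.

```python
import struct
from typing import Dict, Optional, Tuple

GRE_PROTO_PPP = 0x880B   # protocol type used by PPTP's enhanced GRE (RFC 2637)
FLAG_K = 0x2000          # Key present; always set for PPTP
FLAG_S = 0x1000          # Sequence number present
FLAG_A = 0x0080          # Acknowledgment number present
VER_ENHANCED = 0x0001    # version field value for enhanced GRE


def parse_gre(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (flags_ver, payload_length, call_id, remainder) for an enhanced GRE packet.

    The Key field is 32 bits: high 16 bits = payload length, low 16 bits = Call ID.
    """
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags_ver & 0x0007) != VER_ENHANCED or not (flags_ver & FLAG_K):
        raise ValueError("not an RFC 2637 enhanced GRE packet")
    return flags_ver, payload_len, call_id, pkt[8:]


def build_gre(payload: bytes, call_id: int,
              seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build an enhanced GRE packet carrying a PPP payload (constructed sample data)."""
    flags_ver = FLAG_K | VER_ENHANCED
    optional = b""
    if seq is not None:
        flags_ver |= FLAG_S
        optional += struct.pack("!I", seq)
    if ack is not None:
        flags_ver |= FLAG_A
        optional += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags_ver, GRE_PROTO_PPP, len(payload), call_id) + optional + payload


def rewrite_call_id(pkt: bytes, mapping: Dict[int, int]) -> bytes:
    """Replace only the Call ID half of the Key field, as the ALG does in each direction."""
    _, _, call_id, _ = parse_gre(pkt)
    if call_id not in mapping:
        raise KeyError(f"no translation state for Call ID {call_id}")
    return pkt[:6] + struct.pack("!H", mapping[call_id]) + pkt[8:]


# Constructed translation state: client Call ID 0 was assigned translated Call ID 32456
# when the control channel was set up (compare the ext-id value in the log examples).
OUTBOUND = {0: 32456}
INBOUND = {v: k for k, v in OUTBOUND.items()}

if __name__ == "__main__":
    ppp = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"  # constructed PPP/IP payload fragment
    client_pkt = build_gre(ppp, call_id=0, seq=1)
    wire_pkt = rewrite_call_id(client_pkt, OUTBOUND)       # what a tracer sees on the Internet side
    restored = rewrite_call_id(wire_pkt, INBOUND)          # what the subscriber side sees on return
    print("outbound Call ID:", parse_gre(wire_pkt)[2], "restored:", parse_gre(restored)[2])
```

A packet tracer on either side of the BIG-IP system should show exactly this difference: the two bytes at offset 6 of the GRE header change, and nothing else in the packet does.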

Important: A PPTP ALG configuration requires a route to the PPTP client in order to return GRE traffic to the PPTP client. A route to the PPTP client is required because GRE traffic (in both directions) is forwarded based on standard IP routing, unlike TCP control connections, which are automatically routed because of the default auto-lasthop=enabled setting.

An example PPTP ALG configuration

Log messages

The PPTP profile enables you to configure Log Settings, specifically the Publisher Name setting, which logs the name of the log publisher, and the Include Destination IP setting, which logs the host IP address of the PPTP server, for each call establishment, call failure, and call teardown.

Note: If a client, for example, a personal computer (PC) or mobile phone, attempts to create a second concurrent call, then an error message is logged and sent to the client.

PPTP profile log example

This topic includes examples of the elements that comprise a typical log entry.

Description of PPTP log messages

PPTP log messages include several elements of interest. The following examples describe typical log messages.

"Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"
"Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"
"Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456"
Information Type Example Value Description
Timestamp Mar 1 18:46:11 The time and date that the system logged the event message.
Transformation mode PPTP The logged transformation mode.
Command CALL-REQUEST, CALL-START, CALL-END The type of command that is logged.
Client Call ID id;0 The client Call ID received from a subscriber.
Client IP address from;10.10.10.1 The IP address of the client that initiated the connection.
Reason reason;0 A code that indicates the reason for terminating the connection. The following reason codes apply:
  • 0. The client requested termination, a normal termination.
  • 1. The server requested termination, a normal termination.
  • 2. The client unexpectedly disconnected, where TCP shut down or reset the connection.
  • 3. The server unexpectedly disconnected, where TCP shut down or reset the connection.
  • 4. The client timed out.
  • 5. The server timed out.
Server IP address to;20.20.20.1 The IP address of the server that established the connection.
Note: If Include Destination IP is set to Disabled, then the Server IP address uses the value of 0.0.0.0.
NAT nat;30.30.30.1 The translated IP address.
Translated client Call ID ext-id;32456 The translated client Call ID from the GRE header of the PPTP call.
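The following is an added example, not part of the F5 documentation, that parses log lines in the format shown above into structured events and pulls out the CALL-END entries whose reason code is not a normal termination (anything other than 0 or 1). The log lines are constructed to match the documented format, including one with to;0.0.0.0 to show what a message looks like when Include Destination IP is disabled; the field names, regular expression and helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines in the documented format (not captured from a real system).
SAMPLE_LOG = """\
Mar 1 18:46:11:PPTP CALL-REQUEST id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-START id;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:46:11:PPTP CALL-END id;0 reason;0 from;10.10.10.1 to;20.20.20.1 nat;30.30.30.1 ext-id;32456
Mar 1 18:47:02:PPTP CALL-END id;1 reason;3 from;10.10.10.2 to;0.0.0.0 nat;30.30.30.1 ext-id;32457
"""

# Reason codes as documented in the table above.
REASON_CODES = {
    0: "client requested termination (normal)",
    1: "server requested termination (normal)",
    2: "client unexpectedly disconnected (TCP shutdown or reset)",
    3: "server unexpectedly disconnected (TCP shutdown or reset)",
    4: "client timed out",
    5: "server timed out",
}

# "<timestamp>:<mode> <COMMAND> key;value key;value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}):(?P<mode>\w+) (?P<cmd>[A-Z-]+) (?P<fields>.*)$"
)


@dataclass
class PptpEvent:
    timestamp: str
    mode: str
    command: str
    client_call_id: int
    client_ip: str
    server_ip: str
    nat_ip: str
    ext_call_id: int
    reason: Optional[int] = None   # only present on CALL-END


def parse_line(line: str) -> PptpEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised PPTP log line: {line!r}")
    # The remaining fields are "key;value" tokens separated by spaces.
    kv = dict(tok.split(";", 1) for tok in m.group("fields").split())
    return PptpEvent(
        timestamp=m.group("ts"), mode=m.group("mode"), command=m.group("cmd"),
        client_call_id=int(kv["id"]), client_ip=kv["from"], server_ip=kv["to"],
        nat_ip=kv["nat"], ext_call_id=int(kv["ext-id"]),
        reason=int(kv["reason"]) if "reason" in kv else None,
    )


def parse_log(text: str) -> List[PptpEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def abnormal_call_ends(events: List[PptpEvent]) -> List[PptpEvent]:
    """CALL-END events whose reason code is not a normal termination (0 or 1)."""
    return [e for e in events if e.command == "CALL-END" and e.reason not in (0, 1)]


def describe_reason(code: Optional[int]) -> str:
    return REASON_CODES.get(code, f"unknown reason code {code}")


if __name__ == "__main__":
    for ev in abnormal_call_ends(parse_log(SAMPLE_LOG)):
        dest = ev.server_ip if ev.server_ip != "0.0.0.0" else "(Include Destination IP disabled)"
        print(f"{ev.timestamp} {ev.client_ip} -> {dest} call {ev.client_call_id}: "
              f"{describe_reason(ev.reason)}")
```

Feeding the HSL output of a PPTP profile through a parser like this makes it simple to alert on a burst of reason codes 2 through 5 from a single translation address, which is the pattern to watch for when a PPTP server or subscriber link is failing.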

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.

Creating a PPTP profile

You can configure a point-to-point tunneling protocol (PPTP) profile on the BIG-IP® system to support a secure virtual private network (VPN) tunnel that forwards PPTP control and data connections, and logs related messages.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > PPTP .
    The PPTP screen opens and displays a list of available PPTP ALG profiles.
  2. Click Create.
  3. Type a name for the profile.
  4. From the Parent Profile list, select a parent profile.
  5. Select the Custom check box.
  6. From the Publisher Name list, select a log publisher for high-speed logging of messages.
    If None is selected, the BIG-IP system uses the default syslog.
    Important: If you configure a log publisher to use multiple logging destinations, then, by default, all logging destinations must be available in order to log to each destination. Unless all logging destinations are available, no logging can occur. If you want to log to the available logging destinations when one or more destinations become unavailable, you must set the logpublisher.atomic db variable to false.
  7. Optional: From the Include Destination IP list, select whether to include the PPTP server's IP address in log messages.
    Option Description
    Enabled Includes the PPTP server's IP address in log messages for call establishment or call disconnect.
    Disabled Default. Includes 0.0.0.0 as the PPTP server's IP address in log messages for call establishment or call disconnect.
  8. Click Finished.
The PPTP profile displays in the ALG Profiles list on the PPTP screen.

Adding a static route to manage GRE traffic

Perform this task when you want to explicitly add a route for a destination client that is not on the directly-connected network. Depending on the settings you choose, the BIG-IP system can forward packets to a specified network device, or the system can drop packets altogether.

  1. On the Main tab, click Network > Routes .
  2. Click Add.
    The New Route screen opens.
  3. In the Name field, type a unique user name.
    This name can be any combination of alphanumeric characters, including an IP address.
  4. Optional: In the Description field, type a description for this route entry.
  5. In the Destination field, type the destination IP address for the route.
  6. In the Netmask field, type the network mask for the destination IP address.
  7. From the Resource list, specify the method through which the system forwards packets:
    Option Description
    Use Gateway Select this option when you want the next hop in the route to be a network IP address. This choice works well when the destination is a pool member on the same internal network as this gateway address.
    Use Pool Select this option when you want the next hop in the route to be a pool of routers instead of a single next-hop router. If you select this option, verify that you have created a pool on the BIG-IP system, with the routers as pool members.
    Use VLAN/Tunnel Select this option when you want the next hop in the route to be a VLAN or tunnel. This option works well when the destination address you specify in the routing entry is a network address. Selecting a VLAN/tunnel name as the resource implies that the specified network is directly connected to the BIG-IP system. In this case, the BIG-IP system can find the destination host simply by sending an ARP request to the hosts in the specified VLAN, thereby obtaining the destination host’s MAC address.
    Reject Select this option when you want the BIG-IP system to reject packets sent to the specified destination.
  8. In the MTU field, specify in bytes a maximum transmission unit (MTU) for this route.
  9. Click Finished.
A static route is defined to manage GRE traffic to a client.

Creating a virtual server using a PPTP ALG profile

Be sure to disable translate-address and translate-port before creating a PPTP virtual server.
Virtual servers are matched based on source (client) addresses. You define a virtual server that references the CGNAT profile and the LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  6. In the Service Port field, type 1723 or select PPTP from the list.
  7. From the PPTP Profile list, select a PPTP ALG profile for the virtual server to use.
  8. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  9. For the LSN Pool setting, select the pool that this server will draw on for translation addresses.
  10. Click Finished.
The custom CGNAT virtual server appears in the CGNAT Virtual Servers list.

Overview: Using the TFTP ALG profile to transfer files

The Trivial File Transfer Protocol (TFTP) profile enables you to configure the BIG-IP® system to read and write files from or to a remote server. The TFTP application layer gateway (ALG) profile is associated with a UDP port 69 virtual server so that a listener is established for incoming TFTP traffic. This allows the protocol to operate across the BIG-IP system. You can transfer files using the TFTP protocol by configuring a TFTP profile, configuring an LSN pool, and then assigning the TFTP profile and LSN pool to a virtual server. The TFTP protocol is described in RFC 1350.

Task summary

About the TFTP ALG profile

The Trivial File Transfer Protocol application layer gateway (TFTP ALG) provides connection management for TFTP. The TFTP profile is configured on a UDP port 69 virtual server. The profile opens a server-side listener so that responses from the server can be returned to the client across the BIG-IP® system. ALG logging can be configured on the profile.

Creating a TFTP ALG profile

You can configure a Trivial File Transfer Protocol (TFTP) profile on the BIG-IP® system to read and write files from or to a remote server.
  1. On the Main tab, click Carrier Grade NAT > ALG Profiles > TFTP .
    The TFTP screen opens and displays a list of available TFTP ALG profiles.
  2. Click Create.
    The New TFTP Profile screen opens.
  3. In the Name field, type a unique name for the TFTP profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Settings area, select the Custom check box.
  6. In the Settings area, for the Idle Timeout setting, type the number of seconds a connection may carry no traffic before it becomes eligible for deletion. The default value is 30 seconds.
  7. For the Log Settings area, select the Custom check box.
  8. From the Logging Profile list, select the logging profile the BIG-IP system uses to configure logging options for various ALG events.
    Note: If you configure a Logging Profile, you must also configure a Log Publisher.
  9. Click Finished.

Creating an LSN pool

The carrier-grade NAT (CGNAT) module must be enabled with the appropriate settings before you can create large-scale NAT (LSN) pools.
LSN pools are used by the CGNAT module to allow efficient configuration of translation prefixes and parameters.
  1. On the Main tab, click Carrier Grade NAT > LSN Pools .
    The LSN Pool List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name.
  4. In the Configuration area, for the Persistence Mode setting, select Address or Address Port.
  5. For the Member List setting, type an address and a prefix length in the Address/Prefix Length field, and click Add.
    If your pool uses deterministic mode, ensure that any address ranges you enter as a member do not overlap another member's prefix address ranges. For example, the address and prefix 10.10.10.0/24 overlaps 10.10.10.0/23.
  6. Click Finished.
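The overlap rule in step 5 of both "Creating an LSN pool" tasks (the PPTP one above and this TFTP one) is easy to get wrong by eye when a pool has many members, so here is an added example, not F5 code, that checks a proposed member list with the standard library's ipaddress module before the pool is created. The member list is constructed and includes the 10.10.10.0/24 and 10.10.10.0/23 pair the text uses; the helper names are the example's own. It goes slightly beyond the text by handling IPv6 members and bare addresses (treated as host prefixes) as well.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_members(members: Iterable[str]) -> List[Network]:
    """Parse 'address/prefix' strings; a bare address becomes a /32 or /128 host prefix.

    strict=False accepts a member written with host bits set (e.g. 10.10.10.1/24)
    and normalises it to its network address.
    """
    return [ipaddress.ip_network(m, strict=False) for m in members]


def overlapping_members(members: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every pair of member prefixes that overlap within the same address family."""
    nets = parse_members(members)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                clashes.append((str(a), str(b)))
    return clashes


def validate_deterministic_pool(members: Iterable[str]) -> bool:
    """True when the member list is safe for a deterministic-mode LSN pool (no overlaps)."""
    return not overlapping_members(members)


# Constructed member list: 10.10.10.0/24 lies inside 10.10.10.0/23, which the task text flags.
CONSTRUCTED_MEMBERS = ["10.10.10.0/24", "10.10.10.0/23", "192.0.2.0/28", "2001:db8::/64"]

if __name__ == "__main__":
    for a, b in overlapping_members(CONSTRUCTED_MEMBERS):
        print(f"member {a} overlaps member {b}")
    print("pool valid:", validate_deterministic_pool(CONSTRUCTED_MEMBERS))
```

Run the check against the exact strings you intend to type into the Address/Prefix Length field; a clash reported here is the same condition the text warns about for deterministic mode.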

Creating a virtual server using a TFTP ALG profile

Virtual servers are matched based on source (client) addresses. Create and define a virtual server that references a TFTP profile and LSN pool.
  1. On the Main tab, click Carrier Grade NAT > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, retain the default setting Standard.
  5. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  6. In the Service Port field, type 69 or select TFTP from the list.
  7. From the Configuration list, select Advanced.
  8. From the Protocol list, select UDP.
  9. From the TFTP Profile list, select a TFTP ALG profile for the virtual server to use.
  10. For the LSN Pool setting, select the pool that this server will draw on for addresses.
  11. Click Finished.

Creating a TFTP ALG logging profile

You can create an application layer gateway (ALG) logging profile, and associate it with one or more Trivial File Transfer Protocol (TFTP) ALG profiles, to allow you to configure logging options for various events. A logging profile decreases the need to maintain a number of customized profiles where the events are very similar.
  1. On the Main tab, click Carrier Grade NAT > Logging Profiles > ALG .
    The ALG logging profiles screen opens.
  2. Click Create.
    The New ALG Logging Profile screen opens.
  3. In the Name field, type a unique name for the logging profile.
  4. From the Parent Profile list, select a profile from which the new profile inherits properties.
  5. For the Log Settings area, select the Custom check box.
  6. For the Log Settings area, select Enabled for the following settings, as necessary.
    Setting Description
    Start Control Channel Generates event log entries at the start of a control channel connection for an ALG client.
    End Control Channel Generates event log entries at the end of a control channel connection for an ALG client.
    Start Data Channel Generates event log entries at the start of a data channel connection for an ALG client.
    End Data Channel Generates event log entries at the end of a data channel connection for an ALG client.
    Inbound Transaction Generates event log entries of ALG messages triggered by an inbound connection to the BIG-IP® system.
  7. Click Finished.