Applies To:Show Versions
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Using the Deterministic NAT Log Tool
About the DNAT utility
BIG-IP® deterministic NAT (DNAT) mode allows conservation of log storage for service providers by mapping subscribers to public translation addresses and ports algorithmically so that very little data needs to be stored in logs. The DNAT utility (dnatutil) is necessary for identifying subscribers through calculation of reverse source address and port mapping of deterministic-mode LSN pools, by using the states stored in the log files.
It can interpret logs from version 11.4.0 and later, correctly reverse mapping subscribers or forward mapping possible end-points of the subscriber. DNAT, as of version 11.5 of the BIG-IP system, supports multiple log destinations including, LTM®, Remote Syslog, and Splunk. The DNAT utility can parse logs from any supported DNAT log destination.
The DNAT utility binary can be run either on the BIG-IP system or on any supported Linux host. The DNAT utility package currently supports CentOS 64 and Ubuntu 64 for deployment on Linux systems to support reverse mappings on archived logs. The package is available from the F5® Downloads site (http://support.f5.com/kb/en-us.html).
Downloading the DNAT utility external tool
- Access the F5 Downloads site at https://downloads.f5.com.
From the Downloads Overview page, click Find a Download.
The Select a Product Line page displays.
- Under Product Line, click the BIG-IP software branch BIG-IP v11.x.
Select BIG-IP version 11.5 from the drop-down
The system selects the most recent version of software, by default.
From the Name column, select dnatutil.
A Software Terms and Conditions page appears.
Read the End User Software License Agreement (EULA) and either accept the
license by clicking I Accept, or cancel the process by
If you accept the EULA, the Select a Download page appears with a table detailing the file name, product description, and size of the file. You should see three files:
- Select the file you would like to download.
Using the DNAT utility external tool for reverse mappings
To discover the subscriber address, you need to have at least the NAT/public address and port that you would like to translate. It is preferable to have the date, time, and NAT/public address, port, and the archived logs with the state information you wish to use.
- Download the BIG-IP® version 11.x RPM or Debian file from the F5® Downloads web site (https://downloads.f5.com) to a preferred location.
- Using the command line, type install -Uvh <rpm> to install the RPM file.
Type dnatutil with the date, time, NAT/public address,
and port that you want to translate.
dnatutil –-file /var/log/messages --start_time "2013-10-02 15:21:12" –-end_time "2013-10-02 15:22:42" 22.214.171.124:1234
If the BIG-IP platform is located in a different time zone than the receiving log server, messages might not be correctly interpreted. TZ is an environmental variable that specifies the timezone. If not specified, the local timezone is used.
# dnatutil --file ltm 126.96.36.199:1025 From (1365014711): 2013-04-03 18:45:11 GMT Reverse mapping for ::,80 -> 188.8.131.52,1025 Using cmp-hash 'dst-ip' and TMM 1:10.10.10.11The log entry will show the source prefix, destination prefix (public address), and the subscriber IP address for the time range.
Using DNAT utility to look up deterministic NAT mappings on the BIG-IP system
- Use an SSH tool to access the BIG-IP® system from the command line.
At the command line, type: tmsh.
This starts tmsh in interactive shell mode and displays the prompt: (tmos)#.
Note: If you do not provide a file and you are on a BIG-IP system, it will default to the LTM® log.To show a list of translation address/port pairs used for a subscriber at 10.0.0.1:4321 connecting to 184.108.40.206:80, using the deterministic NAT states contained in /var/log/ltm, type the command: run util dnat --file /var/log/ltm --client_addr 10.0.0.1 --client_port 4321 --server_addr 220.127.116.11 --action forwardReplace these example addresses with your actual client and server.This displays a list of the address/port pairs.
To calculate a reverse mapping back to the subscriber address for the
connection between 18.104.22.168:5678 and 22.214.171.124:80, using the DNAT
states contained in /var/log/ltm.1, type the command:
run util dnat --file /var/log/ltm.1 --server_addr 126.96.36.199
--client_addr 188.8.131.52 --client_port 5678 --action
This displays the reverse mapping.
For more information about the DNAT utility, type the command: help
util dnat at the tmsh prompt.
The help file for the DNAT utility is displayed.
DNAT utility example commands
This list provides examples of the syntax used in commands for dnatutil.
dnatutil 10.0.0.1 --action forward
|Shows a list of translation address/port pairs that might be used for a subscriber at 10.0.0.1, using the DNAT states contained in /var/log/ltm.|
|Performs a reverse mapping back to the subscriber address for the connection from 184.108.40.206:5678, using the DNAT states contained in /var/log/ltm.|
dnatutil --start_time ’2012-09-27 06:30:00’ --end_time ’2012-09-27 12:10:00’ 220.127.116.11:5678
|Performs a reverse mapping back to the subscriber address for the connection from 18.104.22.168:5678, but only shows the subscriber addresses that used the translation within the specified time range.|
dnatutil --start_time ’2012-09-27 06:30:00’ --end_time ’2012-09-27 12:10:00’ --file ltmlog-21102013 22.214.171.124:5678
|Performs a reverse mapping back to the subscriber address for the connection from 126.96.36.199:5678, showing the subscriber addresses that used the translation within the specified time range, and using the DNAT states contained in /var/log/test.|
dnatutil --file /var/log/test
|Shows summary information, using the DNAT states contained in /var/log/test.|
dnatutil --action summary --start_time ’2012-09-27 06:30:00’ --end_time ’2012-09-27 12:10:00’
|Shows summary information, using the DNAT states within the specified time range.|