Manual Chapter : Using the Deterministic NAT Log Tool

Applies To:


BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Using the Deterministic NAT Log Tool

About the DNAT utility

BIG-IP® deterministic NAT (DNAT) mode conserves log storage for service providers by mapping subscribers to public translation addresses and ports algorithmically, so that very little data (the state of the pool rather than every individual translation) needs to be stored in the logs. The DNAT utility (dnatutil) is what identifies a subscriber: it calculates the reverse source address and port mapping of deterministic-mode LSN pools from the states stored in those log files.

It can interpret logs from version 11.4.0 and later, correctly reverse mapping a translation address and port back to the subscriber, or forward mapping a subscriber to its possible end points. As of version 11.5 of the BIG-IP system, DNAT supports multiple log destinations, including LTM®, Remote Syslog, and Splunk; the DNAT utility can parse logs from any supported DNAT log destination.

The DNAT utility binary can be run either on the BIG-IP system or on any supported Linux host. For deployment on Linux systems, so that reverse mappings can be run against archived logs, the DNAT utility package currently supports 64-bit CentOS and 64-bit Ubuntu. The package is available from the F5® Downloads site (http://support.f5.com/kb/en-us.html).

Downloading the DNAT utility external tool

The deterministic NAT (DNAT) reverse mapping tool can run independently from the BIG-IP® system. Follow these steps to download the dnatutil RPM or Debian file from the F5® Downloads site.
  1. Access the F5 Downloads site at https://downloads.f5.com.
  2. From the Downloads Overview page, click Find a Download.
    The Select a Product Line page displays.
  3. Under Product Line, click the BIG-IP software branch BIG-IP v11.x.
  4. Select BIG-IP version 11.5 from the drop-down menu.
    The system selects the most recent version of software, by default.
  5. From the Name column, select dnatutil.
    A Software Terms and Conditions page appears.
  6. Read the End User Software License Agreement (EULA) and either accept the license by clicking I Accept, or cancel the process by clicking Cancel.
    If you accept the EULA, the Select a Download page appears with a table detailing the file name, product description, and size of the file. You should see three files:
    • dnatutil.rpm
    • dnatutil.deb
    • readme.txt
  7. Select the file you would like to download.
Now that you have downloaded the DNAT utility RPM or Debian package, you can use dnatutil for forward and reverse mappings.

Using the DNAT utility external tool for reverse mappings

To discover the subscriber address, you need at least the NAT/public address and port that you want to translate. Preferably you also have the date and time of the connection, together with the archived logs that hold the state information for that period.

Deterministic NATs (DNATs) can reduce total log file size but require use of the DNAT utility (dnatutil) to decipher the mapping. With dnatutil, you can calculate forward end-points and reverse client address and port mapping of an LSN pool using deterministic mode based on the state stored in the specified log file.
  1. Download the dnatutil RPM or Debian package for BIG-IP® version 11.x from the F5® Downloads site (https://downloads.f5.com) to a preferred location.
  2. Using the command line, type rpm -Uvh <rpm> to install the RPM file, or dpkg -i <deb> to install the Debian file.
  3. Type dnatutil with the date, time, NAT/public address, and port that you want to translate, for example:
    dnatutil --file /var/log/messages --start_time "2013-10-02 15:21:12" --end_time "2013-10-02 15:22:42" 1.1.1.1:1234
  4. Press Enter.
    If the BIG-IP platform is located in a different time zone than the receiving log server, messages might not be interpreted correctly. TZ is an environment variable that specifies the time zone dnatutil uses to interpret the times; if it is not set, the local time zone of the host running dnatutil is used. The following example omits the time range:
    # dnatutil --file ltm 1.1.7.1:1025
    From (1365014711): 2013-04-03 18:45:11 GMT
    Reverse mapping for ::,80 -> 1.1.7.1,1025
    Using cmp-hash 'dst-ip' and TMM 1:10.10.10.11
    The output gives the time of the state record that was used, the reverse mapping line for 1.1.7.1:1025, and the cmp-hash setting and TMM recorded in that state. The log entry itself shows the source prefix, destination prefix (public address), and the subscriber IP address for the time range.
You now have the basic details for deciphering deterministic log files using the DNAT utility.
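The mechanics that the sections above rely on, as an added illustration that is not part of this manual and not F5's code: a simplified deterministic NAT in which each subscriber in a prefix is assigned a fixed-size block of ports on one translation address, so that the reverse mapping is pure arithmetic over the logged pool state and nothing per connection has to be logged. The allocation rule, the state history, the subscriber prefix and the second state's timestamp are all constructed (the first timestamp is borrowed from the sample output above); this is a textbook scheme, not the BIG-IP algorithm. It also shows the time zone caveat from step 4: the same wall-clock string read in two different zones selects two different logged states and therefore returns two different subscribers.

```python
"""
Simplified deterministic NAT model: forward and reverse mapping from logged state.

Constructed illustration. Fixed-size port blocks handed out in subscriber
address order is a textbook deterministic NAT, not the BIG-IP's own algorithm;
the state records, prefix and second timestamp are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnatState:
    """One logged pool state, in effect from `since` (epoch seconds) until the next one."""
    since: int
    subscribers: IPv4Network          # client-side prefix served by the pool
    public_addrs: Tuple[str, ...]     # translation addresses, in allocation order
    port_lo: int                      # first translation port
    port_hi: int                      # last translation port (inclusive)
    block_size: int                   # ports reserved per subscriber

    @property
    def blocks_per_addr(self) -> int:
        return (self.port_hi - self.port_lo + 1) // self.block_size

    def forward(self, subscriber: IPv4Address) -> Tuple[str, int, int]:
        """Subscriber -> (public address, first port, last port) of its block."""
        if subscriber not in self.subscribers:
            raise ValueError(f"{subscriber} is outside {self.subscribers}")
        index = int(subscriber) - int(self.subscribers.network_address)
        addr_idx, block_idx = divmod(index, self.blocks_per_addr)
        if addr_idx >= len(self.public_addrs):
            raise ValueError(f"pool exhausted: no block for subscriber {subscriber}")
        first = self.port_lo + block_idx * self.block_size
        return self.public_addrs[addr_idx], first, first + self.block_size - 1

    def reverse(self, public: str, port: int) -> IPv4Address:
        """(public address, port) -> subscriber, by inverting forward()."""
        if not self.port_lo <= port <= self.port_hi:
            raise ValueError(f"port {port} is outside the translation range")
        addr_idx = self.public_addrs.index(public)   # ValueError if not a pool address
        block_idx = (port - self.port_lo) // self.block_size
        subscriber = self.subscribers.network_address + addr_idx * self.blocks_per_addr + block_idx
        if subscriber not in self.subscribers:
            raise ValueError("mapping points past the subscriber prefix")
        return subscriber


def to_epoch(timestr: str, utc_offset_hours: int) -> int:
    """Interpret 'YYYY-MM-DD HH:MM:SS' in a fixed UTC offset (use the BIG-IP's zone)."""
    naive = datetime.strptime(timestr, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return int(naive.replace(tzinfo=zone).timestamp())


def state_at(history: List[DnatState], epoch: int) -> Optional[DnatState]:
    """Most recent logged state that took effect at or before `epoch`."""
    earlier = [s for s in history if s.since <= epoch]
    return max(earlier, key=lambda s: s.since) if earlier else None


def reverse_at(history, public: str, port: int, timestr: str, utc_offset_hours: int) -> str:
    """Reverse mapping for a connection seen at `timestr`, read in the given zone."""
    state = state_at(history, to_epoch(timestr, utc_offset_hours))
    if state is None:
        raise LookupError("no pool state logged before that time")
    return str(state.reverse(public, port))


def forward_at(history, subscriber: str, timestr: str, utc_offset_hours: int) -> Tuple[str, int, int]:
    """Forward mapping (address, first port, last port) under the state in effect at `timestr`."""
    state = state_at(history, to_epoch(timestr, utc_offset_hours))
    if state is None:
        raise LookupError("no pool state logged before that time")
    return state.forward(IPv4Address(subscriber))


# Constructed history of two logged pool states. 1365014711 is the timestamp
# from the sample output (2013-04-03 18:45:11 GMT); the second state is an
# invented later reconfiguration that doubles the per-subscriber block size.
HISTORY = [
    DnatState(1365014711, IPv4Network("10.10.10.0/24"), ("1.1.7.1", "1.1.7.2"), 1024, 65535, 512),
    DnatState(1365120000, IPv4Network("10.10.10.0/24"), ("1.1.7.1", "1.1.7.2"), 1024, 65535, 1024),
]

if __name__ == "__main__":
    print(forward_at(HISTORY, "10.10.10.3", "2013-04-04 22:00:00", 0))    # ('1.1.7.1', 2560, 3071)
    # Same public address:port and the same wall-clock string; read as UTC it
    # falls under the first state, read as UTC-4 it falls under the second.
    print(reverse_at(HISTORY, "1.1.7.1", 3000, "2013-04-04 22:00:00", 0))   # 10.10.10.3
    print(reverse_at(HISTORY, "1.1.7.1", 3000, "2013-04-04 22:00:00", -4))  # 10.10.10.1
    # A deterministic pool has a hard capacity: 2 addresses x 126 blocks = 252 subscribers.
    try:
        forward_at(HISTORY, "10.10.10.252", "2013-04-04 22:00:00", 0)
    except ValueError as err:
        print("exhausted:", err)
```

Because the lookup is computed rather than recorded, the log only has to carry state transitions; the price is that a wrong time zone, or a log gap that hides a state change, silently attributes the translation to the wrong subscriber. That is the reason to set TZ to the BIG-IP's zone and to bound the query with --start_time and --end_time when the archived logs span a reconfiguration.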

Using DNAT utility to look up deterministic NAT mappings on the BIG-IP system

You should know how to navigate in tmsh before using the DNAT utility (dnatutil). For detailed information about navigating in tmsh, see the Traffic Management Shell (tmsh) Reference Guide.
Deterministic NATs can reduce total log file size, but they require the DNAT utility (available in tmsh as run util dnat) to decipher the mapping. With it, you can calculate forward and reverse source address and port mappings of an LSN pool using deterministic mode, based on the state stored in the specified TMM log file.
  1. Use an SSH tool to access the BIG-IP® system from the command line.
  2. At the command line, type: tmsh.
    This starts tmsh in interactive shell mode and displays the prompt: (tmos)#.
  3. To show a list of translation address/port pairs used for a subscriber at 10.0.0.1:4321 connecting to 65.61.115.222:80, using the deterministic NAT states contained in /var/log/ltm, type the command: run util dnat --file /var/log/ltm --client_addr 10.0.0.1 --client_port 4321 --server_addr 65.61.115.222 --action forward
    Replace these example addresses with your actual client and server.
    This displays a list of the address/port pairs.
    Note: If you do not provide a file and you are on a BIG-IP system, the utility defaults to the LTM® log, /var/log/ltm.
  4. To calculate a reverse mapping back to the subscriber address for the connection between 173.240.102.139:5678 and 65.61.115.222:80, using the DNAT states contained in /var/log/ltm.1, type the command: run util dnat --file /var/log/ltm.1 --server_addr 65.61.115.222 --client_addr 173.240.102.139 --client_port 5678 --action reverse
    This displays the reverse mapping.
  5. For more information about the DNAT utility, type the command: help util dnat at the tmsh prompt.
    The help file for the DNAT utility is displayed.
You now have the basic details for deciphering deterministic log files using the DNAT utility in tmsh.

DNAT utility example commands

This list provides examples of the syntax used in dnatutil commands, each followed by what the command does.

Command: dnatutil 10.0.0.1 --action forward
Response: Shows a list of translation address/port pairs that might be used for a subscriber at 10.0.0.1, using the DNAT states contained in /var/log/ltm.

Command: dnatutil 173.240.102.139:5678
Response: Performs a reverse mapping back to the subscriber address for the connection from 173.240.102.139:5678, using the DNAT states contained in /var/log/ltm.

Command: dnatutil --start_time '2012-09-27 06:30:00' --end_time '2012-09-27 12:10:00' 173.240.102.139:5678
Response: Performs a reverse mapping back to the subscriber address for the connection from 173.240.102.139:5678, but only shows the subscriber addresses that used the translation within the specified time range.

Command: dnatutil --start_time '2012-09-27 06:30:00' --end_time '2012-09-27 12:10:00' --file ltmlog-21102013 173.240.102.139:5678
Response: Performs a reverse mapping back to the subscriber address for the connection from 173.240.102.139:5678, showing the subscriber addresses that used the translation within the specified time range, and using the DNAT states contained in the file ltmlog-21102013.

Command: dnatutil --file /var/log/test
Response: Shows summary information, using the DNAT states contained in /var/log/test.

Command: dnatutil --action summary --start_time '2012-09-27 06:30:00' --end_time '2012-09-27 12:10:00'
Response: Shows summary information, using the DNAT states within the specified time range.