Manual Chapter : Managing NAT Policies and Translations

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

About NAT policies and translations

You can use network address translation (NAT) policies to translate network addresses. A NAT policy contains rules, and each rule references NAT source translations and NAT destination translations.

You associate a NAT policy with a firewall context by adding it to the NAT Policy property of the firewall context.

You can discover a NAT policy on a BIG-IP® device version 12.1 or later, or create one on a BIG-IQ® Centralized Management system, and then deploy it to a BIG-IP device version 12.1 or later.

Note: When you view differences that include NAT policy changes to the global context, those changes appear under the global-device-context object rather than the global object.

Create a NAT policy

You create a NAT policy to hold rules that reference NAT source translations and NAT destination translations.
  1. Go to the NAT Policies screen: Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Policies .
  2. Click Create.
    The New NAT Policy screen opens with the Properties displayed.
  3. Type a name for the NAT policy in the Name field.
  4. Type an optional description for the NAT policy in the Description field.
  5. If needed, change the default Common partition in the Partition field.
  6. On the left, click Rules and then click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  7. Click the edit icon to the left of the rule name to edit the default rule properties.
  8. Complete the rule fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing one of the options available.
  9. Save your changes.
The NAT policy is now defined and can be assigned to a firewall context.

NAT rule properties

This table lists and describes the properties required when configuring NAT policy rules. These rules are similar to rules used in firewall policies, but have a different set of properties.

Name: Unique, user-provided name for the rule.
Address (Source): Source address or addresses. Select the type of source address from the list:
  • Address. Type a single address in the Address field and then click + to the right of the address field to add it.
  • Address List. In the Address field, type the name of the address list. Alternatively, from the Shared Resources list at the bottom, you can select Address Lists to list those available, and then drag and drop one into the Address field.
  • Address Range. Type the beginning address in the first Address Range field and the ending address in the second Address Range field. Then click + to the right of the address field to add it.
When you are finished, click Save or Save & Close.
Port (Source): Source port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field. Then click + to the right of the address field to add it.
  • Port List. In the Port field, type the name of the port list. Alternatively, from the Shared Resources list at the bottom, you can select Port Lists to list those available, and then drag and drop one into the Port field.
When you are finished, click Save or Save & Close.
VLAN (Source): Name of the VLAN physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN. For example: Common/external or /Common/external. When you are finished, click Save or Save & Close.
Address (Destination): Select the type of destination address from the list:
  • Address. Type a single address in the Address field and then click + to the right of the address field to add it.
  • Address List. In the Address field, type the name of the address list. Alternatively, from the Shared Resources list at the bottom, you can select Address Lists to list those available, and then drag and drop one into the Address field.
  • Address Range. Type the beginning address in the first Address Range field and the ending address in the second Address Range field.
When you are finished, click Save or Save & Close.
Port (Destination): Destination port or ports. Select the type of port from the list:
  • Port. Type the port in the Port field.
  • Port Range. Type the beginning port in the first Port field and the ending port in the second Port field.
  • Port List. In the Port field, type the name of the port list. Alternatively, from the Shared Resources list at the bottom, you can select Port Lists to list those available, and then drag and drop one into the Port field.
When you are finished, click Save or Save & Close.
Description: Optional description for the current rule. To add a description, click in the column, type text, and click Save or Add.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the list and click Save or Save & Close. The default type is Any and the default code is Any.
Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com, or the documentation for the specific BIG-IP® platform.
State: Select whether the rule is enabled or disabled. The field is updated. Click Save or Save & Close to save your changes.
Translated Source: Type the name of a NAT source translation in the field. Alternatively, from the Shared Resources list at the bottom, you can select NAT Source Translations to list those available, and then drag and drop one into the Translated Source field.
Translated Destination: Type the name of a NAT destination translation in the field. Alternatively, from the Shared Resources list at the bottom, you can select NAT Destination Translations to list those available, and then drag and drop one into the Translated Destination field.
Log Profile: Type the name of a logging profile in the field. This logging profile must already be defined using Logging Profiles in Shared Security, and should be pinned to the BIG-IP device using the Shared Security pinning policy.
State: Specify whether the rule is enabled or disabled. The field is updated.

Create NAT source translations

You create NAT source translations to use within a network address translation policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Source Translations .
  2. Click Create.
    The New NAT Source Translations screen opens.
  3. Type a name for the NAT source translations in the Name field.
  4. In the Description field, type an optional description for the NAT source translations.
  5. If needed, change the default Common in the Partition field.
  6. From the Type list, specify the type of address translation to use.
    The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
    • Select Dynamic PAT for dynamic network port and address translation.
  7. If you selected Static NAT for the Type, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    ICMP Echo: Specify whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    Egress Interfaces: Specify whether the source address is translated for egressing network traffic, and on what interfaces, such as the /Common/http-tunnel interface.
    • Select Disabled on to disable source address translation for the specified interfaces, and then select the check box for the interfaces to be disabled.
    • Select Enabled on to enable source address translation for the specified interfaces, and then select the check box for the interfaces to be enabled.
  8. If you selected Static PAT for the Type, fill in the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Specify whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    Egress Interfaces: Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
  9. If you selected Dynamic PAT for the Type, supply values for the following settings.
    Addresses: Add one or more addresses or address ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the address or address range.
    Ports: Add one or more ports or port ranges by typing them and then clicking the + button. Remove them by clicking the X button next to the port or port range.
    ICMP Echo: Specify whether ICMP echoes are available.
    • Select enabled to enable ICMP echoes.
    • Select disabled to disable ICMP echoes.
    PAT Mode: Specify the port address translation mode. The mode you select determines what additional properties are available.
    • Select NAPT (default).
    • Select Deterministic.
    • Select Port Block Allocation.
    Inbound Mode: Specify the inbound mode.
    • Select None to disable inbound mode.
    • Select Endpoint Independent Filtering to use endpoint independent filtering.
    This property is available for all PAT modes.
    Mapping: Specify the mapping to use. For all mappings, the default timeout value is 300 seconds, and can be modified. The range is 0 to 31536000 seconds.
    • Select None to disable mapping.
    • Select Endpoint Independent Mapping to use endpoint independent mapping.
    • Select Address Pooling Paired to use paired address pooling.
    This property is available for all PAT modes.
    Client Connection Limit: Enter the maximum number of client connections allowed. The default is 0, which indicates no connection limit. This property is available for all PAT modes.
    Hairpin Mode: Enables or disables hairpinning for incoming connections to active translation end-points (address/port combinations). Specify the hairpin mode.
    • Select enabled to enable hairpin mode.
    • Select disabled to not enable hairpin mode.
    This property is available for all PAT modes.
    Backup Addresses: Add one or more backup IP addresses by typing them and then clicking the + button. Remove them by clicking the X button next to the address. This property is available when the deterministic PAT mode is set.
    Port Block Allocation: Specify numeric values for one or more of the following fields; the default is to not have a value set:
    • Block Idle Timeout. The range is 30 to 31536000 seconds.
    • Block Life Time. The range is 0 to 31536000 seconds.
    • Block Size. Must be 1 or greater, and less than or equal to the number of ports in the port range.
    • Client Block Limit. Must be 1 or greater.
    • Zombie Timeout. Must be 0 to 31536000 seconds.
    This property is available when the port block allocation PAT mode is set.
    Egress Interfaces: Specify whether egress interfaces are available.
    • Select Disabled on to disable egress filtering interfaces.
    • Select Enabled on to enable egress filtering interfaces.
    PCP: Specify the PCP profile to use.
    • In the Profile setting, select the PCP profile to use.
    • Specify either a self IP or a DS-Lite tunnel where PCP requests can be sent.
      • Select Self IP, and then select a self IP address.
      • Select DSlite, and then select a DS-Lite tunnel.
    Note: DS-Lite tunnels cannot be created by BIG-IQ® Centralized Management. You must create them on the BIG-IP® device and then import them to BIG-IQ Centralized Management.
  10. Save your work.
The NAT source translations are now defined, and you can assign them to a rule used by a NAT policy.
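Two of the constraints this chapter states are easy to get wrong and are only caught at deployment time: a rule's source VLAN must carry its partition (see the NAT rule properties table), and the Dynamic PAT timeout and Port Block Allocation fields have fixed ranges. The following is an added example, not F5 code, of a pre-deployment check that encodes those documented ranges; the dictionary keys are a constructed layout, not the BIG-IQ REST schema.

```python
# Added example (not F5's code): pre-deployment checks that encode the
# constraints this chapter states for NAT rules and Dynamic PAT source
# translations. The dict keys are a constructed layout, not BIG-IQ's schema.
import re

SECONDS_MAX = 31536000  # upper bound of every timeout range in the chapter
# partition/VLAN or /partition/VLAN; a bare VLAN name makes deployment fail
VLAN_RE = re.compile(r"^/?[\w.-]+/[\w.-]+$")

def check_vlan(vlan):
    """Return a problem string for a VLAN that lacks its partition, else None."""
    if vlan in (None, "", "Any") or VLAN_RE.match(vlan):
        return None
    return f"VLAN '{vlan}' has no partition; use Common/{vlan} or /Common/{vlan}"

def port_count(port_specs):
    """Ports covered by specs such as '5000' or '1024-2047' (bounds Block Size)."""
    total = 0
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def check_port_block_allocation(pba, port_specs):
    """Validate Port Block Allocation fields; unset fields (None) are allowed."""
    problems = []
    def in_range(name, lo, hi):
        value = pba.get(name)
        if value is not None and not lo <= value <= hi:
            problems.append(f"{name}={value} outside {lo}..{hi}")
    in_range("block_idle_timeout", 30, SECONDS_MAX)
    in_range("block_life_time", 0, SECONDS_MAX)
    in_range("zombie_timeout", 0, SECONDS_MAX)
    in_range("block_size", 1, port_count(port_specs))  # <= ports in the range
    in_range("client_block_limit", 1, float("inf"))     # 1 or greater
    return problems

def check_dynamic_pat(translation):
    """Collect every problem with a Dynamic PAT source translation."""
    problems = []
    timeout = translation.get("mapping_timeout", 300)  # chapter default: 300 s
    if not 0 <= timeout <= SECONDS_MAX:
        problems.append(f"mapping_timeout={timeout} outside 0..{SECONDS_MAX}")
    if translation.get("client_connection_limit", 0) < 0:
        problems.append("client_connection_limit must be 0 (no limit) or greater")
    if translation.get("pat_mode") == "Port Block Allocation":
        pba = translation.get("port_block_allocation", {})
        problems += check_port_block_allocation(pba, translation.get("ports", []))
    return problems
```

Run the checks over the rule and translation values you intend to deploy; an empty list means every documented range is satisfied.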

Create NAT destination translations

You create NAT destination translations to use within a NAT policy rule.
  1. Click Configuration > SECURITY > Network Security > Network Address Translation > NAT Destination Translations .
  2. Click Create.
    The NAT Destination Translations - New Item screen opens.
  3. Type a name for the NAT destination translations in the Name field.
  4. In the Description field, type an optional description for the NAT destination translations.
  5. If needed, in the Partition field change the default Common partition.
  6. From the Type list, select the type of address translation to use. The type of address translation you select determines what additional properties are available.
    • Select Static NAT for static network address translation.
    • Select Static PAT for static network port and address translation.
  7. If you selected Static NAT or Static PAT for the Type setting, supply values for the Addresses setting.
    • Add one or more addresses or address ranges by typing them in, and then clicking the + button.
    • Remove the address or address range by clicking the X button next to it.
  8. If you selected Static PAT from the Type list, supply values for the Ports setting.
    • Add one or more ports or port ranges by typing them in and then clicking the + button.
    • Remove the port or port range by clicking the X button next to it.
  9. Click Save to save the NAT destination translations, or click Save & Close to save the NAT destination translations and return to the NAT Destination Translations screen.
The NAT destination translations are now defined and can be assigned to a rule used by a NAT policy.