security nat policy
security nat policy(1) BIG-IP TMSH Manual security nat policy(1)
NAME
policy - Configures a NAT policy.
MODULE
security nat
SYNTAX
Modify the policy component within the security nat module using the syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
options:
app-service [[string] | none]
description [string]
rules [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
app-service [[string] | none]
description [string]
ip-protocol [protocol name]
log-profile [name | none]
place-after [first | last | [rule name]]
place-before [first | last | [rule name]]
status [disabled | enabled]
destination {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | none | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
proxy-arp [enabled | disabled]
route-advertisement [enabled | disabled]
}
source {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip_address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
vlans [add | default | delete | replace-all-with] {
[vlan names...]
}
vlans none
}
translation {
destination [name | none]
source [automap | name | none]
}
next-hop {
gw [ip address]
vlan [name | none]
pool [name | none]
type [default | pool | gateway | vlan]
}
}
}
rules none
edit policy
options:
all-properties
non-default-properties
DISPLAY
list policy
show running-config policy
options:
all-properties
non-default-properties
one-line
DESCRIPTION
You can use the policy component to configure a shareable, reusable set of NAT rules. A policy can be associated with any
number of configuration objects of the following types: ltm virtual, security device-context, net route-domain.
EXAMPLES
create policy p1 rules add {
r1 {
place-before first
ip-protocol tcp
source {
addresses replace-all-with { 192.168.10.0/24 }
ports replace-all-with { 10000-19999 }
}
destination {
addresses replace-all-with { 10.10.10.0/24 }
ports replace-all-with { 80 443 }
}
translation {
destination my_dest_nat
source my_src_nat
}
next-hop {
gw 10.10.10.10
pool pool1
vlan internal
type vlan
}
} }
Creates rule r1 at the beginning of policy p1. The rule matches incoming TCP traffic whose source address is in
192.168.10.0/24, source port is in the range 10000-19999, destination address is in 10.10.10.0/24 and destination port is
80 or 443. Matching traffic has its source translated according to the source-translation object my_src_nat and its
destination translated according to the destination-translation object my_dest_nat. Although gw, pool and vlan are all
given under next-hop, type vlan means that only the VLAN internal is used as the next hop.
modify policy p1 rules delete r1
Removes the rule r1 from the policy p1.
list policy
Displays the configured policies and their rules.
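The following is an added example and is not part of the F5 manual or F5 code. It renders tmsh commands in the syntax shown above from plain rule dictionaries: a policy created from scratch takes all its rules through replace-all-with in list order, while rules added one at a time to an existing policy must carry place-before or place-after, so appends are chained with place-after to preserve the intended order. Addresses and ports are validated before any command is produced. The rule dictionary layout and the rule data are constructed for illustration.

```python
"""Added example, not F5 code: render tmsh commands for a NAT policy from
plain rule dictionaries. Rule keys (name, ip_protocol, src_addresses, ...)
are an assumed layout for this example, not a tmsh structure."""
from ipaddress import ip_network


def _check_ports(ports):
    """Accept 'N' or 'N-M' with 0 <= N <= M <= 65535; raise on anything else."""
    for spec in ports:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {spec!r}")


def _check_addrs(addrs):
    """Accept hosts or CIDR prefixes; ip_network raises ValueError on garbage."""
    for a in addrs:
        ip_network(a, strict=False)


def _render_set(keyword, values):
    """Render 'keyword replace-all-with { v1 v2 }', or nothing if no values."""
    return f"{keyword} replace-all-with {{ {' '.join(values)} }}" if values else ""


def rule_stanza(rule, place_after=None):
    """Render one rule in the brace syntax of the SYNTAX section."""
    src_a, src_p = rule.get("src_addresses", []), rule.get("src_ports", [])
    dst_a, dst_p = rule.get("dst_addresses", []), rule.get("dst_ports", [])
    _check_addrs(src_a + dst_a)
    _check_ports(src_p + dst_p)
    lines = [f"{rule['name']} {{"]
    if place_after:
        lines.append(f"    place-after {place_after}")
    if rule.get("ip_protocol"):
        lines.append(f"    ip-protocol {rule['ip_protocol']}")
    for label, a, p in (("source", src_a, src_p), ("destination", dst_a, dst_p)):
        parts = [s for s in (_render_set("addresses", a), _render_set("ports", p)) if s]
        if parts:
            lines.append(f"    {label} {{ " + " ".join(parts) + " }")
    trans = [f"{k} {rule[key]}" for k, key in (("source", "src_translation"),
                                               ("destination", "dst_translation"))
             if rule.get(key)]
    if trans:
        lines.append("    translation { " + " ".join(trans) + " }")
    lines.append("}")
    return "\n".join(lines)


def create_policy_cmd(policy, rules):
    """Single command creating the policy with every rule, in list order."""
    body = "\n".join(rule_stanza(r) for r in rules)
    return f"create security nat policy {policy} rules replace-all-with {{\n{body}\n}}"


def append_rules_cmds(policy, after, rules):
    """One modify command per rule, each placed after the previous one so the
    final order equals the list order. `after` is an existing rule name, or
    'last' to append at the end of the policy."""
    cmds, prev = [], after
    for r in rules:
        stanza = rule_stanza(r, place_after=prev)
        cmds.append(f"modify security nat policy {policy} rules add {{\n{stanza}\n}}")
        prev = r["name"]
    return cmds


if __name__ == "__main__":
    # Constructed rule data mirroring the r1 example in this manual page.
    r1 = {"name": "r1", "ip_protocol": "tcp",
          "src_addresses": ["192.168.10.0/24"], "src_ports": ["10000-19999"],
          "dst_addresses": ["10.10.10.0/24"], "dst_ports": ["80", "443"],
          "src_translation": "my_src_nat", "dst_translation": "my_dest_nat"}
    print(create_policy_cmd("p1", [r1]))
    for c in append_rules_cmds("p1", "r1", [{"name": "r2", "ip_protocol": "udp"},
                                            {"name": "r3"}]):
        print(c)
```

The generated text is meant to be reviewed and then pasted into tmsh (or saved and loaded with tmsh); nothing here executes on a BIG-IP. Chaining place-after on the previous rule name, rather than using place-after last for every rule, keeps the resulting order correct even if another rule is appended between runs.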
OPTIONS
description
User defined description.
rules
Adds, deletes, modifies, or replaces NAT rules.
description
User defined description.
destination
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet will be
compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
proxy-arp
Enable or disable proxy ARP for pre-translation destination addresses (when enabled, the BIG-IP system answers ARP
requests for those addresses).
route-advertisement
Enable or disable route advertisements for pre-translation destination addresses.
ip-protocol
Specifies the IP protocol against which the packet will be compared.
log-profile
Specifies the name of the log profile (see security log profile) that is used to log the translation events
triggered by this NAT rule.
place-after
Specifies that a new rule should be placed after another rule, first or last. If individual rules are being added
(as opposed to specifying replace-all-with) then place-before or place-after must be specified.
place-before
Specifies that a new rule should be placed before another rule, first or last. If individual rules are being
added (as opposed to specifying replace-all-with) then place-before or place-after must be specified.
source
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet will be
compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
vlans
Specifies a list of vlans, vlan groups and tunnels against which the packet will be compared.
next-hop
Specifies the next-hop configuration for the NAT rule. gw, vlan and pool are mutually exclusive in effect: when more
than one of them is configured, type selects the one that is used.
gw Specifies a gateway address for the route.
vlan Specifies a VLAN name (can be a VLAN or a VLAN group).
pool Specifies a gateway pool, which allows multiple, load-balanced gateways to be used for the route.
type Specifies which next-hop option to use when more than one was provided: default, gateway (uses gw), pool, or vlan.
status
Specifies whether the rule is enabled or disabled. A rule that is enabled is always checked. A rule that is
disabled is never checked.
translation
Specifies the translation objects.
destination
Specifies the name of a destination translation object (see security nat destination-translation). If
specified, the matching traffic's destination address/port are translated according to that object's
settings. If not specified, the destination address/port are left untranslated.
source
Specifies the source translation type or source translation object (see security nat source-translation).
If automap is specified, the source address is translated to an available self IP / floating IP on the
egress VLAN. If a source translation object is specified, the source address/port are translated according
to that object's settings. If not specified, the source address/port are left untranslated.
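The following is an added example and is not part of the F5 manual or F5 code. It models how the rule options described above combine when a policy is evaluated: rules are kept in order, a disabled rule is never checked, every configured match criterion of a rule must hold, and the matching rule's translation and next-hop settings are applied, with only the next-hop attribute selected by type taking effect. It assumes first-match-wins ordering, which is why place-before and place-after matter: a broad rule placed first captures traffic that a more specific rule further down was written for. The Rule class, the packet tuple and all rule data are constructed for illustration.

```python
"""Added example, not F5 code: a small model of NAT policy rule evaluation as
this manual page describes it. First-match-wins ordering is an assumption of
this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    ip_protocol: Optional[str] = None                   # None: any protocol
    src_addresses: list = field(default_factory=list)   # e.g. "192.168.10.0/24"
    src_ports: list = field(default_factory=list)       # e.g. "10000-19999"
    dst_addresses: list = field(default_factory=list)
    dst_ports: list = field(default_factory=list)       # e.g. "80", "443"
    src_translation: Optional[str] = None               # "automap", object name, or None
    dst_translation: Optional[str] = None               # object name or None
    next_hop: dict = field(default_factory=dict)        # keys: type, gw, pool, vlan
    status: str = "enabled"


def _port_ok(specs, port):
    """An empty spec matches any port; each spec is a port or a low-high range."""
    if not specs:
        return True
    for spec in specs:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo <= port <= hi:
            return True
    return False


def _addr_ok(specs, addr):
    """An empty spec matches any address; specs are hosts or CIDR prefixes."""
    if not specs:
        return True
    a = ip_address(addr)
    return any(a in ip_network(s, strict=False) for s in specs)


def place_rule(rules, rule, place_before=None, place_after=None):
    """Insert with place-before / place-after semantics (first, last or a rule
    name). Exactly one must be given, as the page requires for single adds."""
    if (place_before is None) == (place_after is None):
        raise ValueError("specify exactly one of place-before / place-after")
    names = [r.name for r in rules]
    if place_before is not None:
        if place_before == "first":
            idx = 0
        elif place_before == "last":
            idx = max(len(rules) - 1, 0)
        else:
            idx = names.index(place_before)
    else:
        if place_after == "first":
            idx = min(1, len(rules))
        elif place_after == "last":
            idx = len(rules)
        else:
            idx = names.index(place_after) + 1
    rules.insert(idx, rule)
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """Return the actions of the first enabled rule that matches, or None when
    nothing matches (the traffic then passes untranslated)."""
    for r in rules:
        if r.status != "enabled":
            continue                      # a disabled rule is never checked
        if r.ip_protocol not in (None, proto):
            continue
        if not (_addr_ok(r.src_addresses, src) and _port_ok(r.src_ports, sport)
                and _addr_ok(r.dst_addresses, dst) and _port_ok(r.dst_ports, dport)):
            continue
        nh_type = r.next_hop.get("type", "default")
        # Only the next-hop attribute selected by `type` takes effect.
        nh_value = r.next_hop.get({"gateway": "gw", "pool": "pool", "vlan": "vlan"}.get(nh_type))
        return {"rule": r.name,
                "source_translation": r.src_translation,        # None: source untouched
                "destination_translation": r.dst_translation,   # None: destination untouched
                "next_hop": (nh_type, nh_value)}                # ("default", None): no override
    return None


def demo():
    """Rebuild the page's r1, then show a catch-all rule placed first shadowing
    it, and disabling that rule restoring r1's effect. Constructed data."""
    r1 = Rule("r1", "tcp", ["192.168.10.0/24"], ["10000-19999"],
              ["10.10.10.0/24"], ["80", "443"],
              src_translation="my_src_nat", dst_translation="my_dest_nat",
              next_hop={"gw": "10.10.10.10", "pool": "pool1", "vlan": "internal", "type": "vlan"})
    policy = place_rule([], r1, place_before="first")
    pkt = ("tcp", "192.168.10.5", 12000, "10.10.10.20", 443)
    first = evaluate(policy, *pkt)
    catch_all = Rule("catch_all", src_translation="automap")   # matches everything
    place_rule(policy, catch_all, place_before="first")
    shadowed = evaluate(policy, *pkt)                           # r1 never reached
    catch_all.status = "disabled"
    restored = evaluate(policy, *pkt)
    return first, shadowed, restored


if __name__ == "__main__":
    for label, result in zip(("r1 alone", "catch_all first", "catch_all disabled"), demo()):
        print(f"{label}: {result}")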
SEE ALSO
create, edit, list, modify, security firewall address-list, security firewall port-list,
security nat destination-translation, security nat source-translation, security log profile, tmsh,
security device-context nat-policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015. All rights reserved.
BIG-IP 2020-07-20 security nat policy(1)