security nat policy
security nat policy(1) BIG-IP TMSH Manual security nat policy(1)
NAME
policy - Configures nat policy.
MODULE
security nat
SYNTAX
Modify the policy component within the security nat module using the
syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
options:
app-service [[string] | none]
description [string]
rules [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
app-service [[string] | none]
description [string]
ip-protocol [protocol name]
log-profile [name | none]
place-after [first | last | [rule name]]
place-before [first | last | [rule name]]
status [disabled | enabled]
destination {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | none | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
proxy-arp [enabled | disabled]
route-advertisement [enabled | disabled]
}
source {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
vlans [add | default | delete | replace-all-with] {
[vlan names...]
}
vlans none
}
translation {
destination [name | none]
source [name | none]
}
}
}
rules none
edit policy
options:
all-properties
non-default-properties
DISPLAY
list policy
show running-config policy
options:
all-properties
non-default-properties
one-line
DESCRIPTION
You can use the policy component to configure a shareable and reusable
set of nat rules which can be associated with a number of configuration
objects of the following types: ltm virtual, security device-context,
net route-domain.
EXAMPLES
create policy p1 rules add {
r1 {
place-before first
ip-protocol tcp
source {
addresses replace-all-with { 192.168.10.0/24 }
ports replace-all-with { 10000-19999 }
}
destination {
addresses replace-all-with { 10.10.10.0/24 }
ports replace-all-with { 80 443 }
}
translation {
destination my_dest_nat
source my_src_nat
}
} }
Creates a rule entry at the beginning of the policy that matches
incoming TCP traffic with a source address in the range 192.168.10.0/24,
a source port in the range 10000-19999, a destination address in the
range 10.10.10.0/24, and destination port 80 or 443. If the traffic
matches, the rule performs source translation as defined by the
source-translation object named my_src_nat and destination translation
as defined by the destination-translation object named my_dest_nat.
modify policy p1 rules delete r1
Removes the rule r1 from the policy p1.
list policy
Displays the current list of policy rules.
OPTIONS
description
User defined description.
rules
Adds, deletes, or replaces a NAT rule.
description
User defined description.
destination
address-lists
Specifies a list of address lists (see security firewall
address-list) against which the packet will be compared.
addresses
Specifies a list of addresses and networks against which
the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall
port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which
the packet will be compared.
proxy-arp
Enable or disable proxy ARP for pre-translation
destination addresses.
route-advertisement
Enable or disable route advertisements for
pre-translation destination addresses.
ip-protocol
Specifies the IP protocol against which the packet will be
compared.
log-profile
Specifies the name of the log profile (see security log
profile) that is used to log the translation events triggered
by this NAT rule.
place-after
Specifies that a new rule should be placed after another
rule, first or last. If individual rules are being added (as
opposed to specifying replace-all-with) then place-before or
place-after must be specified.
place-before
Specifies that a new rule should be placed before another
rule, first or last. If individual rules are being added (as
opposed to specifying replace-all-with) then place-before or
place-after must be specified.
source
address-lists
Specifies a list of address lists (see security firewall
address-list) against which the packet will be compared.
addresses
Specifies a list of addresses and networks against which
the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall
port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which
the packet will be compared.
vlans
Specifies a list of vlans, vlan groups and tunnels
against which the packet will be compared.
status
Specifies whether the rule is enabled or disabled. A rule
that is enabled is always checked. A rule that is disabled is
never checked.
translation
Specifies the translation objects.
destination
Specifies the name of the destination translation object
(see security nat destination-translation). If
specified, it is used to perform the destination
address/port translation according to its settings. If
not specified, the destination address/port of matching
traffic is not translated.
source
Specifies the name of the source translation object (see
security nat source-translation). If specified, it is
used to perform the source address/port translation
according to its settings. If not specified, the source
address/port of matching traffic is not translated.
SEE ALSO
create, edit, list, modify, security firewall address-list, security
firewall port-list, security nat destination-translation, security nat
source-translation, security log profile, tmsh, security device-context
nat-policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015. All rights
reserved.
BIG-IP 2017-07-17 security nat policy(1)