security nat policy
security nat policy(1) BIG-IP TMSH Manual security nat policy(1)
NAME
policy - Configures a NAT policy.
MODULE
security nat
SYNTAX
Modify the policy component within the security nat module using the syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
options:
app-service [[string] | none]
description [string]
rules [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
app-service [[string] | none]
description [string]
ip-protocol [protocol name]
log-profile [name | none]
place-after [first | last | [rule name]]
place-before [first | last | [rule name]]
status [disabled | enabled]
destination {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | none | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
proxy-arp [enabled | disabled]
route-advertisement [enabled | disabled]
}
source {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
vlans [add | default | delete | replace-all-with] {
[vlan names...]
}
vlans none
}
translation {
destination [name | none]
source [name | none]
}
next-hop {
gw [ip address]
vlan [name | none]
pool [name | none]
type [default | pool | gateway | vlan]
}
}
}
rules none
edit policy
options:
all-properties
non-default-properties
DISPLAY
list policy
show running-config policy
options:
all-properties
non-default-properties
one-line
DESCRIPTION
You can use the policy component to configure a shareable and reusable set of NAT rules which can be
associated with configuration objects of the following types: ltm virtual, security device-context,
net route-domain.
EXAMPLES
create policy p1 rules add {
r1 {
place-before first
ip-protocol tcp
source {
addresses replace-all-with { 192.168.10.0/24 }
ports replace-all-with { 10000-19999 }
}
destination {
addresses replace-all-with { 10.10.10.0/24 }
ports replace-all-with { 80 443 }
}
translation {
destination my_dest_nat
source my_src_nat
}
next-hop {
gw 10.10.10.10
pool pool1
vlan internal
type vlan
}
} }
Creates a rule entry at the beginning of the policy that matches incoming TCP traffic with a source address in
the range 192.168.10.0/24, a source port in the range 10000-19999, a destination address in the range
10.10.10.0/24 and a destination port of 80 or 443. If a packet matches, the rule performs source translation
according to the source-translation object named my_src_nat and destination translation according to the
destination-translation object named my_dest_nat.
modify policy p1 rules delete r1
Removes the rule r1 from the policy p1.
list policy
Displays the current list of policy rules.
OPTIONS
description
User defined description.
rules
Adds, deletes, or replaces a NAT rule.
description
User defined description.
destination
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet
will be compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will
be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
proxy-arp
Enables or disables proxy ARP for pre-translation destination addresses.
route-advertisement
Enables or disables route advertisement for pre-translation destination addresses.
ip-protocol
Specifies the IP protocol against which the packet will be compared.
log-profile
Specifies the name of the log profile (see security log profile) that is used to log the translation
events triggered by this NAT rule.
place-after
Specifies that a new rule should be placed after another rule, first or last. If individual rules
are being added (as opposed to specifying replace-all-with) then place-before or place-after must be
specified.
place-before
Specifies that a new rule should be placed before another rule, first or last. If individual rules
are being added (as opposed to specifying replace-all-with) then place-before or place-after must be
specified.
source
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet
will be compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will
be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
vlans
Specifies a list of vlans, vlan groups and tunnels against which the packet will be compared.
next-hop
Specifies the next-hop configuration for the NAT rule. The gw, vlan and pool attributes are mutually
exclusive; type selects which of them is used.
gw
Specifies a gateway address for the route.
vlan
Specifies the VLAN name (can be a VLAN or a VLAN group).
pool
Specifies a gateway pool, which allows multiple, load-balanced gateways to be used for the route.
type
Specifies which option to consider when multiple options were provided under next-hop.
status
Specifies whether the rule is enabled or disabled. A rule that is enabled is always checked. A rule
that is disabled is never checked.
translation
Specifies the translation objects.
destination
Specifies the name of the destination translation object (see security nat destination-translation).
If specified, it is used to perform the destination address/port translation according to its
settings. If not specified, the destination address/port of matching traffic are not translated.
source
Specifies the name of the source translation object (see security nat source-translation). If
specified, it is used to perform the source address/port translation according to its settings. If
not specified, the source address/port of matching traffic are not translated.
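The following is an added example, not part of the original manual, that builds on the p1/r1 example above to show the place-after, log-profile, address-lists, status and next-hop options together. It assumes policy p1 with rule r1 already exists, and that a security firewall address-list named mgmt_nets and a security log profile named nat_log have been created beforehand (both names are assumptions).

```tmsh
# Added example (not from the manual). Assumes policy p1 with rule r1 exists,
# as created in the EXAMPLES section, and that the security firewall
# address-list mgmt_nets and the security log profile nat_log already exist.

# Insert r2 immediately after r1: UDP DNS from the management networks to
# 10.10.10.53, logged via nat_log, with source translation only and an
# explicit gateway next-hop. Only the attribute selected by "type" is given,
# because gw, vlan and pool are mutually exclusive.
modify policy p1 rules add {
    r2 {
        place-after r1
        ip-protocol udp
        log-profile nat_log
        source {
            address-lists replace-all-with { mgmt_nets }
        }
        destination {
            addresses replace-all-with { 10.10.10.53 }
            ports replace-all-with { 53 }
        }
        translation {
            source my_src_nat
        }
        next-hop {
            type gateway
            gw 10.10.10.1
        }
    }
}

# Take r1 out of evaluation without deleting its definition: a disabled rule
# is never checked, so r2 is now the first enabled rule in the policy.
modify policy p1 rules modify {
    r1 {
        status disabled
    }
}

# Review the resulting rule order and all properties, including defaults.
list policy p1 all-properties
```

Re-enable r1 later with `modify policy p1 rules modify { r1 { status enabled } }` rather than re-creating it, so its position in the policy is preserved.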
SEE ALSO
create, edit, list, modify, security firewall address-list, security firewall port-list, security nat
destination-translation, security nat source-translation, security log profile, tmsh, security device-context
nat-policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2013, 2015. All rights reserved.
BIG-IP 2019-08-27 security nat policy(1)