security nat source-translation

security nat source-translation(1)		  BIG-IP TMSH Manual		   security nat source-translation(1)

NAME
       source-translation - Configures a Security NAT source translation object.

MODULE
       security nat

SYNTAX
   CREATE/MODIFY
	create source-translation [name]
	modify source-translation [name | all]
	  options:
	    addresses [add | delete | modify | none | replace-all-with] {
		[ [ip address] [ip prefix] [ip range] ]
	    }
	    app-service [[string] | none]
	    backup-addresses
	      [add | delete | replace-all-with] {
		[ip address/prefix length] ...
	    }
	    client-connection-limit [integer value]
	    description [string]
	    egress-interfaces
	      [add | delete | replace-all-with] {
		[interface name] ...
	    }
	    egress-interfaces-disabled
	    egress-interfaces-enabled
	    exclude-addresses [add | delete | modify | none | replace-all-with] {
		[ [ip address] [ip prefix] [ip range] ]
	    }
	    exclude-address-lists [add | default | delete | none | replace-all-with] {
		[address list names...]
	    }
	    hairpin-mode [enabled | disabled]
	    icmp-echo [enabled | disabled]
	    inbound-mode [endpoint-independent-filtering | explicit | none]
	    eif-timeout [integer]
	    pat-mode [deterministic | napt | pba]
	    pcp {
	      profile [ name | none ]
	      selfip [ name | none]
	      dslite_tunnel [ name | none ]
	    }
	    ports [add | delete | modify | none | replace-all-with] {
		[ [port] [port-range] ]
	    }
	    proxy-arp [enabled | disabled]
	    route-advertisement [enabled | disabled]
	    type [dynamic-pat | static-nat | static-pat]
	    mapping {
	      mode [address-pooling-paired | endpoint-independent-mapping | none]
	      timeout [integer]
	    }
	    port-block-allocation  {
	       block-idle-timeout [integer]
	       block-lifetime [integer]
	       block-size [integer]
	       client-block-limit [integer]
	       zombie-timeout [integer]
	    }

	edit source-translation [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list source-translation
	list source-translation [ [ [name] | [glob] | [regex] ] ... ]
	show running-config source-translation
	show running-config source-translation [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line

	show source-translation
	show source-translation [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    detail
	    field-fmt

   DELETE
	delete source-translation [name | all]

DESCRIPTION
       A source-translation NAT object is a set of IP addresses and port numbers that the BIG-IP system uses as
       public-side addresses and ports. When this object is assigned to a Security NAT Policy rule (which is
       associated with a virtual server), any incoming traffic to this virtual server that matches the rule has its
       private source addresses (and/or ports) translated to a public address and/or port from this
       source-translation object.

EXAMPLES
       create source-translation s1 type dynamic-pat pat-mode napt mapping { mode endpoint-independent-mapping
       timeout 600 } addresses add { 10.10.20.0/24 } ports add { 4000-5000 } client-connection-limit 100

       Creates the source-translation object named s1 containing the translation addresses 10.10.20.0/24 and the
       translation port range 4000-5000, with a client connection limit of 100 connections per client. The translated
       address and port are persisted for 600 seconds. The object operates in NAPT mode (Network Address and Port
       Translation), which is the default pat-mode when type is dynamic-pat and no pat-mode is specified.

       delete source-translation s1

       Deletes the source-translation object named s1.

OPTIONS
       app-service
	    Specifies the name of the application service to which this object belongs. The default value is none.

	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete this object. Only the application service can modify or delete this object.

       addresses
	    Specifies the set of translation IP addresses available in the pool. This is a collection of IP prefixes
	    with their prefix lengths. All public-side addresses come from the subnets you enter in this property.

       backup-addresses
	    Specifies the translation IP addresses available in the backup pool. The backup pool is used by the
	    Deterministic (DNAT) pat-mode when a DNAT translation fails and the system falls back to NAPT mode. This
	    is a collection of IP prefixes with their prefix lengths.

       client-connection-limit
	    The maximum number of simultaneous translated connections a client or subscriber is allowed to have. This
	    attribute is applicable only if type is set to dynamic-pat.

       description
	    User defined description.

       egress-interfaces
	    The set of interfaces on which the source address translation is allowed or disallowed. If
	    egress-interfaces-enabled is specified, the source address translation is allowed only on the specified
	    set of interfaces. If egress-interfaces-disabled is specified, source address translation is disabled on
	    the specified interfaces.

       egress-interfaces-disabled
	    Source address translation is not allowed on the interfaces specified in the egress-interfaces set.

       egress-interfaces-enabled
	    Source address translation is allowed on the interfaces specified in the egress-interfaces set.

       exclude-addresses
	    Specifies the set of addresses excluded from translation IP addresses available in the pool.

       exclude-address-lists
	    Specifies the set of address lists (see security firewall address-list) excluded from translation IP
	    addresses available in the pool.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression
	    syntax.

       hairpin-mode
	    This attribute is applicable only if type is set to dynamic-pat.

	    Enable or disable hairpinning for incoming connections.

	    When a client sends a packet to another client in the same private network, hairpin mode sends the packet
	    directly to the source client's private address; the BIG-IP system immediately translates the packet's
	    public-side source address. Rather than going out to the public network and coming back later for
	    translation, the packet takes a hairpin turn at the BIG-IP device.

       icmp-echo
	    Enable or disable ICMP echo on translated addresses.

       inbound-mode
	    This attribute is applicable only if type is set to dynamic-pat.

	    Modifies the inbound-connection mode for incoming connections to translation endpoints. A translation
	    endpoint is the public-side address and port (X':x') for a private-side address (X:x). You can allow one
	    of the following two algorithms for managing inbound connections:

	    endpoint-independent-filtering
		 creates inbound mappings automatically from outbound traffic and allows inbound connections.
		 Consider an outbound mapping from X:x to X':x'. If a connection comes from X:x through X':x', the
		 BIG-IP system automatically creates a reverse mapping from X':x' back to X:x. A public-side station
		 can respond through the X':x' address. This allows the BIG-IP system to provide Endpoint Independent
		 Filtering (EIF) as defined in section 5 of RFC 4787.

	    explicit
		 Allows inbound connections if and only if there exists an inbound mapping to translate public-side
		 source address X':x' to client's private address X:x. Users can create Inbound mappings via iRules
		 or PCP.

	    none disables inbound connections to translation end-points (X':x'). If there is a mapping of X (a
		 private-side IP address) to X' (a public-side IP), connections can only go out from X through X'. If
		 a public-side recipient tries to answer at the client's public-side X' address, the BIG-IP system
		 does not map X' back to X. The inbound connection never happens.

		 Port Control Protocol (PCP) is not supported if you use this setting.

       eif-timeout
	    The configurable range of eif-timeout is 3-300 seconds; the default value is 3 seconds. This attribute
	    applies only if a) the NAT method is Dynamic PAT (any pat-mode: NAPT, PBA or DNAT) and b) inbound-mode is
	    set to endpoint-independent-filtering.

       pat-mode
	    Specifies which kind of translation address mapping is performed when type is specified as dynamic-pat.
	    Available options are NAPT, Deterministic, and PBA.

	    NAPT (Network Address Port Translation) assigns translation addresses and ports in round-robin fashion.
		 The algorithm first cycles through translation addresses and then through translation ports.

	    Deterministic
		 (DNAT) is a reversible translation method. A given client address and port always translates to a
		 particular public address and port from the source-translation pool. This method has the following
		 restrictions:

		 - it is only available for NAT44 translations,
		 - it does not support connections through DS-Lite tunnels,
		 - subscriber connections must be received over a VLAN with the property cmp-hash set to "source ip",
		 - the egress to the Internet must be over a VLAN with the property cmp-hash set to "dest ip",
		 - any security NAT rule ("security nat policy") that uses this mode must have a source property set
		   to an IP prefix containing fewer than 2^31 addresses. For example, the source cannot be 0.0.0.0/0.

	    PBA  (Port Block Allocation) assigns 'blocks' of the translation addresses and ports to individual
		 clients. All client connections are restricted to the allocated port blocks. Only block allocations
		 and deallocations are logged, in order to reduce the volume of logs. This method has the following
		 restrictions:

		 - subscriber connections must be received over a VLAN with the property cmp-hash set to "source ip",
		 - the egress to the Internet must be over a VLAN with the property cmp-hash set to "dest ip".

		 You can access your VLAN configurations through the "net vlan" component. You can find the VLANs
		 used by your virtual server by showing or listing the "ltm virtual" component.

       name Specifies a unique name for the source-translation component. This option is required for the commands
	    create, delete, and modify.

       mapping
	    These settings are applicable only if type is set to dynamic-pat.

	    Configures the mapping settings for translation entries, that is, the preservation of a public-side IP
	    address for a client from session to session.

       mapping.mode
	    Configure the mapping mode for translation entries. You can enter address-pooling-paired,
	    endpoint-independent-mapping, or none.

	    address-pooling-paired
		 causes the BIG-IP software to attempt to keep the IP address persistent but not necessarily the
		 port. If a client's private IP address:port combination is X:x, its public-side address may be X':a
		 in one session, X':b in the next session, X':c in a third session, and so on.

	    endpoint-independent-mapping
		 causes the BIG-IP software to attempt to keep the IP address and port persistent. If a client's
		 private IP address:port combination is X:x, and its public-side address is X':x' in the first
		 session, it remains X':x' in all future sessions.

		 This is called "Endpoint Independent Mapping" in RFC 4787.

		 This is the only supported setting for PCP, which you configure with the pcp property.

	    none prevents the BIG-IP software from attempting any IP address or port mapping. An address:port
		 combination of X:x is never guaranteed to have the same public-side address or port in two sessions.

       mapping.timeout
	    After the most-recent session where address:port X:x translated to X':x' on the public side, a timer
	    begins. If the timer expires before X:x has another session, X' or x' may be used as the public side of
	    another address:port. Use this parameter to set the timeout (in seconds) for address and port mapping.

       pcp  A Port Control Protocol (PCP) client can set (or at least learn) its own translation (public-side) IP
	    address and/or port. It can also set the address and/or port of a third-party client. PCP is defined in
	    RFC 6887.

       pcp.profile
	    Specifies the PCP profile to use for this LSN pool. This PCP profile defines the settings to use for
	    communication with PCP clients. Use the create ltm profile pcp command to create a new PCP profile.

	    PCP requires a profile (defined with this property) and either a pcp.selfip or a pcp.dslite tunnel where
	    clients can send their PCP requests.

	    If you remove this profile option, you must specifically remove any pcp.selfip or pcp.dslite tunnel, too.

       pcp.selfip
	    Specifies the PCP Server self-IP address for this LSN pool. The virtual server's clients send their PCP
	    packets to this address. Use the create net self command to create a self-IP address, then use that
	    address for this parameter.  Choose a self-IP address in a VLAN that is reachable by the virtual server's
	    clients.

       pcp.dslite
	    Specifies a DS-LITE tunnel for PCP packets. Whenever a client sends a PCP packet through this tunnel, the
	    BIG-IP device uses the PCP profile you choose with the pcp.profile property.

	    A DS-LITE tunnel places each IPv4 packet into the payload of an IPv6 packet.  The IPv6 packet carries the
	    IPv4 packet between customer equipment and the BIG-IP system, which then removes the IPv4 packet, uses
	    NAT to translate its IPv4 addresses, and sends it to its destination.

	    You cannot use this property if the pat-mode property is set to Deterministic.

       port-block-allocation
	    Configures the port block settings for PBA mode.

       port-block-allocation.block-idle-timeout
	    Configures how long after the last connection using the block is freed the block assignment expires.
	    The default value is 3600 seconds.

       port-block-allocation.block-lifetime
	    Configures the timeout after which the block is no longer used for new port allocations; the block then
	    becomes a zombie block. The default is 0, which corresponds to an infinite timeout.

       port-block-allocation.block-size
	    Configures the number of ports in a block. The default value is 64.

       port-block-allocation.client-block-limit
	    Configures the number of blocks that can be assigned to a single subscriber IP address. The default value
	    is 1.

       port-block-allocation.zombie-timeout
	    Configures the timeout after which connections using the zombie block are killed. After the connections
	    are killed, the zombie block is freed after port-block-allocation.block-idle-timeout. This parameter is
	    unused unless port-block-allocation.block-lifetime is set. The default value is 0, which corresponds to
	    an infinite timeout.
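       The port-block behaviour described under pat-mode (PBA) and the port-block-allocation settings above, as an
       added Python model that is not F5 code: it carves the 4000-5000 port range from the EXAMPLES section into
       blocks of the default block-size of 64, logs only block allocations and releases (never individual
       connections), and replays that log to resolve a public port at a given time back to a subscriber, which is
       the attribution question an operator faces when an abuse report names a translated address. The public
       address 10.10.20.1, a client-block-limit of 2, the subscriber addresses and the timestamps are constructed.

```python
from dataclasses import dataclass, field

# Constructed settings for the model: the 4000-5000 port range from this page's
# EXAMPLES section, the page's default block-size of 64, and client-block-limit
# raised to 2 so a subscriber's second block allocation shows up in the log.
PUBLIC_ADDR = "10.10.20.1"
PORT_LOW, PORT_HIGH = 4000, 5000
BLOCK_SIZE = 64
CLIENT_BLOCK_LIMIT = 2

@dataclass
class PbaPool:
    """Toy model of pat-mode pba for one translation address (not F5 code)."""
    # Carve the port range into whole blocks: 4000-4063, 4064-4127, ..., 4896-4959.
    free_blocks: list = field(default_factory=lambda: [
        PORT_LOW + i * BLOCK_SIZE for i in range((PORT_HIGH - PORT_LOW + 1) // BLOCK_SIZE)])
    blocks: dict = field(default_factory=dict)  # subscriber -> {block_start: used ports}
    log: list = field(default_factory=list)     # (time, event, subscriber, first, last)

    def _allocate(self, subscriber, now):
        owned = self.blocks.setdefault(subscriber, {})
        if len(owned) >= CLIENT_BLOCK_LIMIT or not self.free_blocks:
            return None  # client-block-limit reached or pool exhausted
        start = self.free_blocks.pop(0)
        owned[start] = set()
        self.log.append((now, "alloc", subscriber, start, start + BLOCK_SIZE - 1))
        return start

    def translate(self, subscriber, now):
        """Pick a public port for one new connection; per-connection events are not logged."""
        for start, used in self.blocks.get(subscriber, {}).items():
            if len(used) < BLOCK_SIZE:
                port = next(p for p in range(start, start + BLOCK_SIZE) if p not in used)
                used.add(port)
                return PUBLIC_ADDR, port
        start = self._allocate(subscriber, now)
        if start is None:
            return None  # no block available: the connection is refused
        self.blocks[subscriber][start].add(start)
        return PUBLIC_ADDR, start

    def release(self, subscriber, start, now):
        """Return a block to the pool (e.g. after block-idle-timeout) and log it."""
        del self.blocks[subscriber][start]
        self.free_blocks.append(start)
        self.log.append((now, "free", subscriber, start, start + BLOCK_SIZE - 1))

def attribute(log, port, when):
    """Replay the block log to find which subscriber held a public port at a given time."""
    owner = None
    for t, event, subscriber, first, last in log:  # log is appended chronologically
        if t > when:
            break
        if first <= port <= last:
            owner = subscriber if event == "alloc" else None
    return owner
```

       Sixty-five connections from one subscriber produce two log lines rather than sixty-five, which is the
       log-volume saving the page describes; a release followed by a reallocation is what makes the timestamp in
       an attribution query essential.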

       proxy-arp
	    Enable or disable proxy ARP for the translated source IP addresses.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at
	    sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
	    a description of regular expression syntax.

       ports
	    Specifies the range of port numbers available for use with translation IP addresses.

       route-advertisement
	    Enable or disable route advertisement for the translated source IP addresses.

       type Specifies which kind of translation is performed. Available options are: static-nat, static-pat, and
	    dynamic-pat.

	    dynamic-pat
		 Using this type, the BIG-IP system translates a group of private (internal) IP addresses to a pool
		 of (one or more) public (external) IP addresses and also translates ports to reuse the pool of
		 public addresses. The BIG-IP system supports three different modes for dynamic-pat, which can be
		 specified using the pat-mode option as described above.

	    static-nat
		 Using this translation type in the source-translation, only (source) IP address translation is
		 performed (and no port translation) for the incoming client traffic that matches the NAT Policy Rule
		 using this translation object. There is a static (pre-defined) 1:1 mapping between the untranslated
		 IP address(es) and the translated IP address(es) specified in this object (i.e., the same translation
		 address (X') is used for all connections originating from the client with untranslated address (X)).

	    static-pat
		 Using this translation type in the source-translation, (source) port translation is performed for
		 the incoming client traffic that matches the NAT Policy Rule using this translation object. There is
		 a static (pre-defined) 1:1 mapping between the untranslated port(s) and the translated port(s)
		 specified in this object. In addition, if translation address(es) are specified in the
		 source-translation, it also performs IP address translation (in the same fashion as for static-nat).

SEE ALSO
       security nat policy, security nat destination-translation, ltm virtual, create, delete, edit, glob, list, ltm,
       modify, regex, reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015-2016. All rights reserved.

BIG-IP						      2019-08-22		   security nat source-translation(1)