Using Firewall NAT for IP and Port Translation (2024)

Firewall NAT on the BIG-IP® Advanced Firewall Manager™ (AFM™) system provides advanced NAT functionality.

NAT matching policies

NAT policies present a configurable collection of NAT matching rules and NAT translation objects, for inbound and outbound connections. The system matches flows and applies NAT rules, after the matching for firewall rules occurs. Firewall NAT allows you to configure a rule to match traffic, to which NAT source and destination translation rules are applied. Source and destination translation items are configured individually, and can be applied to multiple rules and contexts. Generally, overlapping addresses cannot be configured in NAT source or destination rules. However, you can configure overlapping addresses between two Dynamic PAT items that have the PAT mode set to NAPT or Port Block Allocation mode.

Firewall NAT can be used on a system with F5® BIG-IP CGNAT (Carrier-Grade NAT). Firewall NAT policies operate with CGNAT policies when applied on the same virtual server.

NAT contexts and precedence

You can configure a firewall NAT policy at the global, virtual server, or route domain context. NAT address and port assignment takes place only at the virtual server level, so a Firewall NAT policy configured at the global context applies on each individual virtual server, and a firewall NAT policy configured at the route domain context applies to all virtual servers on that route domain.

Similarly, NAT policies apply precedence in most-specific to least-specific order. A firewall NAT policy configured on a virtual server takes precedence over a policy configured on the route domain context, or at the global context.

Translation address persistence

The firewall NAT feature module can assign the same external (translation) address to all connections originated by the same internal client, providing endpoint-independent address mapping.

Efficient logging

Firewall NAT supports log messages that map external addresses and ports back to internal clients for both troubleshooting and compliance with law enforcement/legal constraints.

Network address and port translation

Network address and port translation (NAPT) mode provides standard address and port translation allowing multiple clients in a private network to access remote networks using the single IP address assigned to their router.

Proxy ARP

Currently when using AFM NAT to map a range of client source addresses to a range in the same subnet as the IP address of the egress interface, the BIG-IP system does not proxy ARP for the translated source addresses.

Deterministic assignment of translation addresses

Deterministic mode is an option for assigning the translation address and port based on the client address/port and destination address/port. It uses a reversible mapping to reduce the volume of log messages, while still allowing the translated IP address to be discovered for troubleshooting and compliance. Deterministic mode also provides an option to configure backup members.

Port block allocation of translation addresses

Port block allocation (PBA) mode is an option that reduces logging, by logging only the allocation and release of a block of ports. When a subscriber sends a translation request, the BIG-IP system services the request from a block of ports that is assigned to a single IP address, and only logs the allocation and release of that block of ports. The BIG-IP system applies subsequent requests from the service provider to that block of ports until all ports are used.
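As an added example (not F5's code and not the AFM implementation), the following Python toy translator contrasts the NAPT and PBA modes described above for a single external IP: in NAPT mode every session takes its own external port and produces its own log line, while in PBA mode a client is handed a block of ports and only the allocation and release of that block is logged. It also shows endpoint-independent address mapping (every flow from an internal client maps to the same external IP), a reverse lookup from a translated port back to the internal client for troubleshooting, and what happens when the port pool or block pool is exhausted. The external and internal addresses, the port range and the block size are constructed values.

```python
"""Toy NAPT / port-block-allocation translator (added example, not AFM code).

Assumptions: one external IP, a constructed half-open port range, and
constructed RFC 5737 documentation addresses for the sample flows.
"""


class PortExhausted(Exception):
    """Raised when no free external port (NAPT) or port block (PBA) is left."""


class Translator:
    def __init__(self, external_ip, mode="napt", port_range=(1024, 5120), block_size=512):
        if mode not in ("napt", "pba"):
            raise ValueError("mode must be 'napt' or 'pba'")
        self.external_ip = external_ip
        self.mode = mode
        lo, hi = port_range                                   # half-open [lo, hi)
        self.block_size = block_size
        self.free_ports = list(range(lo, hi))                 # NAPT: one port per session
        self.free_blocks = list(range(lo, hi, block_size))    # PBA: one block per allocation
        self.sessions = {}       # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.reverse = {}        # external port -> (int_ip, int_port)
        self.client_blocks = {}  # int_ip -> list of (block_start, set of ports in use)
        self.log = []            # what a NAT log would record for this translator

    def translate(self, int_ip, int_port, dst_ip, dst_port):
        """Return (external_ip, external_port) for an outbound flow."""
        key = (int_ip, int_port, dst_ip, dst_port)
        if key in self.sessions:                              # existing flow: reuse its mapping
            return self.external_ip, self.sessions[key]
        if self.mode == "napt":
            if not self.free_ports:
                raise PortExhausted(f"no free port on {self.external_ip}")
            ext_port = self.free_ports.pop(0)
            self.log.append(f"NAPT alloc {int_ip}:{int_port} -> {self.external_ip}:{ext_port}")
        else:
            ext_port = self._pba_alloc(int_ip)
        self.sessions[key] = ext_port
        self.reverse[ext_port] = (int_ip, int_port)
        # The external IP never changes for a given client: endpoint-independent mapping.
        return self.external_ip, ext_port

    def _pba_alloc(self, int_ip):
        """Hand out the next port from the client's block; allocate a new block only when needed."""
        blocks = self.client_blocks.setdefault(int_ip, [])
        for start, used in blocks:                            # first block with a spare port
            for port in range(start, start + self.block_size):
                if port not in used:
                    used.add(port)
                    return port                               # no log line: block already logged
        if not self.free_blocks:
            raise PortExhausted(f"no free port block on {self.external_ip}")
        start = self.free_blocks.pop(0)
        blocks.append((start, {start}))
        self.log.append(f"PBA alloc block {self.external_ip}:{start}-{start + self.block_size - 1} "
                        f"-> {int_ip}")
        return start

    def close(self, int_ip, int_port, dst_ip, dst_port):
        """Tear down a flow; in PBA mode the block is released (and logged) once it is empty."""
        ext_port = self.sessions.pop((int_ip, int_port, dst_ip, dst_port))
        del self.reverse[ext_port]
        if self.mode == "napt":
            self.free_ports.append(ext_port)
            self.log.append(f"NAPT release {self.external_ip}:{ext_port}")
            return
        blocks = self.client_blocks[int_ip]
        for i, (start, used) in enumerate(blocks):
            if start <= ext_port < start + self.block_size:
                used.discard(ext_port)
                if not used:
                    blocks.pop(i)
                    self.free_blocks.append(start)
                    self.log.append(f"PBA release block {self.external_ip}:"
                                    f"{start}-{start + self.block_size - 1} -> {int_ip}")
                return

    def lookup(self, ext_port):
        """Map a translated port back to the internal client (troubleshooting / compliance)."""
        return self.reverse.get(ext_port)


if __name__ == "__main__":
    # Constructed sample: three flows from one client in each mode.
    for mode in ("napt", "pba"):
        nat = Translator("203.0.113.10", mode=mode, port_range=(1024, 2048))
        for dport in (80, 443, 8443):
            nat.translate("10.0.0.5", 40000 + dport, "198.51.100.7", dport)
        print(mode, "log lines:", len(nat.log))   # napt -> 3, pba -> 1
```

The NAPT run logs one line per session; the PBA run logs a single block allocation for the same three sessions, which is the logging reduction the section describes. Because `lookup` works from the live session table, it answers "which internal client held external port N" in either mode; with PBA, the archived log alone only resolves a port to the client's block, so the block size is the trade-off between log volume and how precisely a later query can be answered from logs.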

Important: To use Firewall NAT, you must create a firewall NAT policy, define a matching rule, attach source or destination translation items, and configure the NAT policy at the device level, on a route domain, or on a virtual server.


FAQs

How do you use Firewall NAT for IP and port translation?

To use Firewall NAT, you must create a firewall NAT policy, define a matching rule, attach source or destination translation items, and configure the NAT policy at the device level, on a route domain, or on a virtual server.

Does NAT translate ports?

With NAT, all communications sent to external hosts actually contain the external IP address and port information of the NAT device instead of internal host IP addresses or port numbers. NAT only translates IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.

How do NAT and port address translation work together?

In some cases both are changed at once, which is called “twice NAT” in some documentation. Port address translation (PAT) is a special case of NAT in which the source IP addresses for all packets going in one direction are translated to a common address.

Can NAT be used as a firewall?

A NAT firewall ensures that only requested internet traffic can pass through a private network. This prevents communication with dangerous devices on the internet. However, while a NAT firewall does provide a private network with a layer of protection, it won't protect you from all viruses.

Is port address translation the same as NAT overload?

With Port Address Translation (PAT), a single public IP address is used for all internal private IP addresses, but a different port is assigned to each private IP address. This type of NAT is also known as NAT Overload and is the typical form of NAT used in today's networks.

Does NAT allow port forwarding?

NAT – Lightweight and easy-to-use .NET class library to allow port forwarding in NAT devices that support UPnP and PMP.

What is the major benefit of using NAT with Port Address Translation?

It allows many internal hosts to share the same public IPv4 address. It provides a pool of public addresses that can be assigned to internal hosts. It allows external hosts access to internal servers.

What is dynamic NAT with Port Address Translation?

Port and Address Translation (PAT) is a form of dynamic NAT that maps several private addresses to a single public IP address. It is used when the number of clients exceeds the size of the pool of global addresses. PAT allows you to significantly save address space.

What are the limitations of NAT?

NAT only has one IP address and can only refer to one reusable-IP host at any given time. With one IP address, NAT can only provide general inbound connectivity to one responder in the entire reusable-IP network at a time. Since having one IP address is typical, NAT cannot provide acceptable inbound connectivity.

Does NAT occur before or after routing?

The order in which the transactions are processed using NAT is based on whether a packet is going from the inside network to the outside network or from the outside network to the inside network. Inside to outside translation occurs after routing, and outside to inside translation occurs before routing.

Does NAT go before or after the firewall?

On the way into an interface, NAT applies before firewall rules, so if the destination is translated on the way in (e.g. port forwards or 1:1 NAT on WAN), then the firewall rules must match the translated destination.

Can NAT run out of ports?

Dynamic NAT can run out of ports if there are too many simultaneous connections in relation to the IP addresses and the port range you have configured for dynamic NAT. You can increase the available ports for translation by adding a new IP address for your dynamic NAT rule.

What is a NAT rule and what is a firewall rule?

Firewall rules and NAT rules

Firewall rules allow or drop traffic entering and exiting the network. NAT rules translate IP addresses for traffic the firewall rule allows. So, you must create firewall rules even if you have created NAT rules.

What is port translation in NAT?

Port address translation (PAT) is a type of network address translation (NAT) that maps a network's private internal IPv4 addresses to a single public IP address. NAT is a process that routers use to translate internal, nonregistered IP addresses to external, registered IP addresses.

Can NAT change the port number?

Network address translation (NAT) changes the source or destination IP address or port for packets traversing the firewall. In static source translation (one-to-one source translation), the source IP address of a certain host is always translated using the same specific IP address.

What is the difference between static NAT and port address translation?

The main difference is that NAT translates private IP addresses to a public IP address, while PAT also assigns unique port numbers to each session, allowing multiple devices to share a single public IP address.

Does NAT change the source port number?

Network address translation (NAT) changes the source or destination IP address or port for packets traversing the firewall. In static source translation (one-to-one source translation), the source IP address of a certain host is always translated using the same specific IP address.

What is NAT used to translate?

A Network Address Translation (NAT) is the process of mapping an internet protocol (IP) address to another by changing the header of IP packets while in transit via a router. This helps to improve security and decrease the number of IP addresses an organization needs.

Article information

Author: Tyson Zemlak