Configuring Large Scale NAT64
A large scale NAT64 configuration on a Citrix ADC appliance uses the LSN command set. In a large scale NAT64 configuration, the LSN client entity specifies the IPv6 addresses, IPv6 network addresses, or ACL6 rules that identify IPv6 subscribers. A NAT64 configuration also includes an IPv6 profile, which specifies the NAT64 prefix.
Configuring NAT64 on a Citrix ADC appliance consists of the following tasks:
- Set the global LSN parameters. Global parameters include the amount of Citrix ADC memory reserved for the LSN feature and synchronization of LSN sessions in a high availability setup.
- Create an LSN client entity for identifying traffic from IPv6 subscribers. The LSN client entity refers to a set of IPv6 subscribers. The client entity includes IPv6 addresses or IPv6 network prefixes, or ACL6 rules, for identifying the traffic from these subscribers. An LSN client can be bound to only one LSN group. The command line interface has two commands for creating an LSN client entity and binding a subscriber to the LSN client entity. The GUI combines these two operations on a single screen.
- Create an LSN pool and bind NAT IP addresses to it. An LSN pool defines a pool of NAT IP addresses to be used by the Citrix ADC appliance to perform large scale NAT64. The command line interface has two commands for creating an LSN pool and binding NAT IP addresses to the LSN pool. The GUI combines these two operations on a single screen.
- Create an LSN IP6 profile. An LSN IP6 profile defines the NAT64 prefix for a large scale NAT64 configuration.
- (Optional) Create an LSN Transport Profile for a specified protocol. An LSN transport profile defines various timeouts and limits, such as the maximum number of large scale NAT64 sessions and the maximum port usage that a subscriber can have for a given protocol. You bind an LSN transport profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. A profile bound to an LSN group applies to all subscribers of the LSN client bound to the same group. By default, one LSN transport profile with default settings for the TCP, UDP, and ICMP protocols is bound to an LSN group during its creation. This profile is called the default transport profile. An LSN transport profile that you bind to an LSN group overrides the default LSN transport profile for that protocol.
- (Optional) Create an LSN Application Profile for a specified protocol and bind a set of destination ports to it. An LSN application profile defines the LSN mapping and LSN filtering controls of a group for a given protocol and for a set of destination ports. For a set of destination ports, you bind an LSN application profile for each protocol (TCP, UDP, and ICMP) to an LSN group. A profile can be bound to multiple LSN groups. An LSN application profile bound to an LSN group applies to all subscribers of the LSN client bound to the same group. By default, one LSN application profile with default settings for the TCP, UDP, and ICMP protocols for all destination ports is bound to an LSN group during its creation. This profile is called the default application profile. When you bind an LSN application profile, with a specified set of destination ports, to an LSN group, the bound profile overrides the default LSN application profile for that protocol at that set of destination ports. The command line interface has two commands for creating an LSN application profile and binding a set of destination ports to the LSN application profile. The GUI combines these two operations on a single screen.
- Create an LSN Group and bind LSN pools, the LSN IPv6 profile, (optional) LSN transport profiles, and (optional) LSN application profiles to the LSN group. An LSN group is an entity consisting of an LSN client, an LSN IPv6 profile, LSN pool(s), LSN transport profile(s), and LSN application profile(s). A group is assigned parameters, such as port block size and logging of LSN sessions. The parameter settings apply to all the subscribers of the LSN client bound to the LSN group. Only one LSN IPv6 profile can be bound to an LSN group, and an LSN IPv6 profile bound to an LSN group cannot be bound to other LSN groups. Only LSN pools and LSN groups with the same NAT type settings can be bound together. Multiple LSN pools can be bound to an LSN group. Only one LSN client entity can be bound to an LSN group, and an LSN client entity bound to an LSN group cannot be bound to other LSN groups. The command line interface has two commands for creating an LSN group and binding LSN pools, LSN transport profiles, and LSN application profiles to the LSN group. The GUI combines these two operations on a single screen.
Configuration Using the Command Line
You can create different configurations using the command line interface. Follow the steps given below.
To create an LSN client by using the command line interface
At the command prompt, type:
add lsn client <clientname>
show lsn client
To bind an IPv6 network or an ACL6 rule to an LSN client by using the command line interface
At the command prompt, type:
bind lsn client <clientname> (-network6 <ipv6_addr|*>| -acl6name <string>)
show lsn client
To create an LSN pool by using the command line interface
At the command prompt, type:
add lsn pool <poolname>
show lsn pool <poolname>
To bind NAT IP addresses to an LSN pool by using the command line interface
At the command prompt, type:
bind lsn pool <poolname> <lsnip>
show lsn pool
Note
To remove NAT IP addresses (LSN IP addresses) from an LSN pool, use the unbind lsn pool command.
To configure an LSN IPv6 profile by using the command line interface
At the command prompt, type:
add lsn ip6profile <name> -type NAT64 -natprefix <ipv6_addr|*>
show lsn ip6profile
To create an LSN transport profile by using the command line interface
At the command prompt, type:
add lsn transportprofile <transportprofilename> <transportprotocol> [-sessiontimeout <secs>] [-finrsttimeout <secs>] [-portquota <positive_integer>] [-sessionquota <positive_integer>] [-portpreserveparity ( ENABLED | DISABLED )] [-portpreserverange (ENABLED | DISABLED )] [-syncheck ( ENABLED | DISABLED )]
show lsn transportprofile
To create an LSN application profile by using the command line interface
At the command prompt, type:
add lsn appsprofile <appsprofilename> <transportprotocol> [-ippooling ( PAIRED | RANDOM )] [-mapping <mapping>] [-filtering <filtering>] [-tcpproxy ( ENABLED | DISABLED )]
show lsn appsprofile
To bind an application protocol port range to an LSN application profile by using the command line interface
At the command prompt, type:
bind lsn appsprofile <appsprofilename> <lsnport>
show lsn appsprofile
To create an LSN group by using the command line interface
At the command prompt, type:
add lsn group <groupname> -clientname <string> [-nattype ( DYNAMIC | DETERMINISTIC )] [-portblocksize <positive_integer>] [-logging ( ENABLED | DISABLED )] [-sessionLogging ( ENABLED | DISABLED )] [-sessionSync ( ENABLED | DISABLED )] [-snmptraplimit <positive_integer>] [-ftp ( ENABLED | DISABLED )] [-sipalg ( ENABLED | DISABLED )] [-rtspalg ( ENABLED | DISABLED )] [-ip6profile <string>]
show lsn group
To bind LSN protocol profiles and LSN pools to an LSN group by using the command line interface
At the command prompt, type:
bind lsn group <groupname> (-poolname <string> | -transportprofilename <string> | -httphdrlogprofilename <string> | -appsprofilename <string> | -sipalgprofilename <string> | -rtspalgprofilename <string>)
show lsn group
Sample Large Scale NAT64 Configurations
Here are some sample configurations of large scale NAT64:
Simple large scale NAT64 configuration with default settings:
add lsn client LSN-NAT64-CLIENT-1
bind lsn client LSN-NAT64-CLIENT-1 -network6 2001:DB8:5001::/96
add lsn pool LSN-NAT64-POOL-1
bind lsn pool LSN-NAT64-POOL-1 203.0.113.61-203.0.113.70
add lsn ip6profile LSN-NAT64-PROFILE-1 -type NAT64 -natprefix 2001:DB8:300::/96
add lsn group LSN-NAT64-GROUP-1 -clientname LSN-NAT64-CLIENT-1 -ip6profile LSN-NAT64-PROFILE-1
bind lsn group LSN-NAT64-GROUP-1 -poolname LSN-NAT64-POOL-1
Simple large scale NAT64 configuration with an extended ACL6 rule for identifying subscribers:
add ns acl6 LSN-NAT64-ACL-2 ALLOW -srcIPv6 = 2001:DB8:5002::20-2001:DB8:5002::200
apply acl6s
add lsn client LSN-NAT64-CLIENT-2
bind lsn client LSN-NAT64-CLIENT-2 -acl6name LSN-NAT64-ACL-2
add lsn pool LSN-NAT64-POOL-2
bind lsn pool LSN-NAT64-POOL-2 203.0.113.5-203.0.113.10
add lsn ip6profile LSN-NAT64-PROFILE-2 -type NAT64 -natprefix 2001:DB8:302::/96
add lsn group LSN-NAT64-GROUP-2 -clientname LSN-NAT64-CLIENT-2 -ip6profile LSN-NAT64-PROFILE-2
bind lsn group LSN-NAT64-GROUP-2 -poolname LSN-NAT64-POOL-2
Large scale NAT64 configuration with deterministic NAT resource allocation:
add lsn client LSN-NAT64-CLIENT-7
bind lsn client LSN-NAT64-CLIENT-7 -network6 2001:DB8:1002::7/128
add lsn pool LSN-NAT64-POOL-7 -nattype DETERMINISTIC
bind lsn pool LSN-NAT64-POOL-7 203.0.113.24-203.0.113.27
add lsn ip6profile LSN-NAT64-PROFILE-7 -type NAT64 -natprefix 2001:DB8:307::/96
add lsn group LSN-NAT64-GROUP-7 -clientname LSN-NAT64-CLIENT-7 -ip6profile LSN-NAT64-PROFILE-7 -nattype DETERMINISTIC -portblocksize 256
bind lsn group LSN-NAT64-GROUP-7 -poolname LSN-NAT64-POOL-7
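The following Python script is an added example, not Citrix code or part of the original page. It works through what the sample configurations above set up: how an IPv6 subscriber reaches an IPv4 host through the NAT64 prefix from the LSN IPv6 profile (RFC 6052 address synthesis with a /96 prefix, which is what the appliance reverses on the way out), how many subscribers the deterministic sample (4 NAT IPs, 256-port blocks) can serve, and a pre-deployment check that the subscriber network does not overlap the NAT64 prefix. Two assumptions are made and marked in the code: that the appliance allocates NAT ports in the range 1024 through 65535, and that the NAT64 prefix must be a /96 as in every sample on this page. The sample values are copied from the configurations above.

```python
"""Sanity checks for a large scale NAT64 configuration before it is pushed
to the appliance.  Added example; not Citrix code."""
import ipaddress

# Values taken from the sample configurations on this page.
NAT64_PREFIX = "2001:DB8:300::/96"                 # -natprefix of LSN-NAT64-PROFILE-1
SUBSCRIBER_NET = "2001:DB8:5001::/96"              # -network6 of LSN-NAT64-CLIENT-1
DETERMINISTIC_POOL = "203.0.113.24-203.0.113.27"   # NAT IPs bound to LSN-NAT64-POOL-7
PORT_BLOCK_SIZE = 256                              # -portblocksize of LSN-NAT64-GROUP-7

# Assumption: the appliance hands out NAT ports from 1024 through 65535.
USABLE_PORTS_PER_NAT_IP = 65535 - 1024 + 1         # 64512


def nat64_embed(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Return the IPv6 address a subscriber must use to reach ipv4.

    With a /96 NAT64 prefix the IPv4 address occupies the low 32 bits
    (RFC 6052 section 2.2).  The appliance reverses this when it
    translates the subscriber's packet to IPv4.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:  # assumption: only /96 prefixes are handled
        raise ValueError(f"expected a /96 NAT64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 destination from a NAT64-synthesized IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def parse_nat_ip_range(spec: str) -> list[ipaddress.IPv4Address]:
    """Expand the <lsnip> syntax 'a.b.c.d' or 'a.b.c.d-w.x.y.z' into addresses."""
    first, sep, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range {spec!r} is reversed")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]


def deterministic_capacity(pool_spec: str, port_block_size: int) -> int:
    """Subscribers a deterministic LSN group can serve.

    Each subscriber owns one fixed port block on one NAT IP, so capacity is
    the number of whole blocks in the usable port range, summed over the pool.
    """
    blocks_per_ip = USABLE_PORTS_PER_NAT_IP // port_block_size
    return blocks_per_ip * len(parse_nat_ip_range(pool_spec))


def check_config(subscriber_net: str, nat64_prefix: str) -> list[str]:
    """Return a list of problems; an empty list means the prefixes are sane."""
    problems = []
    subs = ipaddress.IPv6Network(subscriber_net, strict=False)
    nat = ipaddress.IPv6Network(nat64_prefix, strict=False)
    if nat.prefixlen != 96:  # assumption, see nat64_embed
        problems.append(f"NAT64 prefix {nat} is not a /96")
    if subs.overlaps(nat):
        problems.append(f"subscriber network {subs} overlaps NAT64 prefix {nat}")
    return problems


if __name__ == "__main__":
    v6 = nat64_embed(NAT64_PREFIX, "198.51.100.10")
    print(f"198.51.100.10 is reached as {v6}")
    print(f"{v6} maps back to {nat64_extract(NAT64_PREFIX, str(v6))}")
    print(f"{DETERMINISTIC_POOL} with {PORT_BLOCK_SIZE}-port blocks serves "
          f"{deterministic_capacity(DETERMINISTIC_POOL, PORT_BLOCK_SIZE)} subscribers")
    print("problems:", check_config(SUBSCRIBER_NET, NAT64_PREFIX) or "none")
```

The capacity figure is the point of deterministic NAT from a security-operations view: because every subscriber is pinned to a computable NAT IP and port block, a connection in an upstream log can be attributed to a subscriber without per-session logging, but only as long as the pool and port block size actually cover the subscriber population. Run the check against the values you intend to push, not the ones already on the appliance.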