Forum Discussion

JWhitesPro_1928
Jun 30, 2016

AFM NAT vs LTM NAT

This feature seems to have crept up somewhere in the 12.x release for AFM? Or maybe it's been there but I've never seen it...


https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/11.htmlconceptid


Anyway, are there any documents or articles that discuss what happens if there are conflicting AFM NAT rules vs. the LTM NAT rules? Or even with SNAT? If I was using my F5 as a gateway to the internet, would I still be creating a wildcard VS with SNAT on it to translate private addresses to public, or would I use an AFM NAT rule now? Does the order these are applied in reflect the order in which a packet hits each module on the BIG-IP?


9 Replies

  • Also, what makes more sense: having a Virtual Server on the external interface with a public address, or having a virtual server on a DMZ/internal interface and using AFM (or something) to translate the address to a public address?
  • I will answer the second part of the question. Having worked with both Public IP VS and Private IP VS, there really isn't a big difference from a Network/ADC perspective. Some applications may not work well with NAT and hence may require a Public IP VS. Most applications are compatible with NAT, and you shouldn't see any difference in performance or functionality in either case.


    Peter_Mills_697
    Historic F5 Account

    AFM NAT rules are applied after AFM Firewall rules. The functionality of the CGNAT module has been ported to AFM (dynamic-pat) and extended using 1:1 mapping features like static-nat and static-pat, because a rule construct is more flexible. An AFM NAT Policy cannot be configured in tandem with other forms of address translation, like SNAT, an LSN pool or Automap, since the two workflows are mutually exclusive.

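The two points in the reply above (firewall rules are evaluated before NAT rules, and an AFM NAT policy cannot coexist with SNAT, Automap or an LSN pool on the same virtual server) can be turned into a small pre-deployment check. The following is an added example, not F5 code and not from anyone in this thread: it models a virtual server as a plain Python object, walks a packet through firewall rules and then NAT rules in that order, and flags translation settings that conflict with an AFM NAT policy. The field names, the `default_action` behaviour for unmatched traffic and the sample addresses are all constructed for this example and are not tmsh property names.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class FirewallRule:
    name: str
    src: str        # source CIDR the rule matches
    dst: str        # destination CIDR the rule matches
    action: str     # "accept" or "drop"


@dataclass
class NatRule:
    name: str
    src: str            # original-source CIDR the rule matches
    kind: str           # "dynamic-pat", "static-nat" or "static-pat"
    translate_to: str   # translated source address (a single address here)


@dataclass
class VirtualServer:
    """Constructed model of a virtual server; field names are assumptions, not tmsh keys."""
    name: str
    firewall_rules: List[FirewallRule]
    default_action: str = "drop"                            # assumed: unmatched traffic is dropped
    nat_rules: List[NatRule] = field(default_factory=list)   # AFM NAT policy rules
    snat_pool: Optional[str] = None                         # LTM SNAT pool
    automap: bool = False                                   # LTM SNAT automap
    lsn_pool: Optional[str] = None                          # CGNAT LSN pool


def translation_conflicts(vs: VirtualServer) -> List[str]:
    """Return the translation settings that cannot coexist with an AFM NAT policy."""
    if not vs.nat_rules:
        return []                    # LTM-only translation is fine on its own
    conflicts = []
    if vs.snat_pool:
        conflicts.append("snat-pool")
    if vs.automap:
        conflicts.append("automap")
    if vs.lsn_pool:
        conflicts.append("lsn-pool")
    return conflicts


def process_packet(vs: VirtualServer, src: str, dst: str) -> Tuple:
    """Firewall rules first (first match wins), then NAT rules on accepted traffic only."""
    s, d = ip_address(src), ip_address(dst)
    for rule in vs.firewall_rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            if rule.action == "drop":
                return ("dropped", rule.name)   # NAT rules are never consulted
            break
    else:
        if vs.default_action == "drop":
            return ("dropped", "default-action")
    for nat in vs.nat_rules:
        if s in ip_network(nat.src):
            return ("forwarded", nat.translate_to, nat.name)
    return ("forwarded", src, None)            # accepted but untranslated


# Constructed sample configurations (documentation/test address ranges only).
GATEWAY_VS = VirtualServer(
    name="internet_gateway_vs",
    firewall_rules=[
        FirewallRule("block-guest", "10.0.99.0/24", "0.0.0.0/0", "drop"),
        FirewallRule("allow-internal", "10.0.0.0/8", "0.0.0.0/0", "accept"),
    ],
    nat_rules=[NatRule("pat-outbound", "10.0.0.0/8", "dynamic-pat", "203.0.113.10")],
)

CONFLICTING_VS = VirtualServer(
    name="migrated_vs",
    firewall_rules=GATEWAY_VS.firewall_rules,
    nat_rules=GATEWAY_VS.nat_rules,
    snat_pool="legacy_snat_pool",   # leftover LTM SNAT alongside the AFM NAT policy
    automap=True,
)

LTM_ONLY_VS = VirtualServer(
    name="ltm_snat_vs",
    firewall_rules=[FirewallRule("allow-all", "0.0.0.0/0", "0.0.0.0/0", "accept")],
    snat_pool="legacy_snat_pool",
)


if __name__ == "__main__":
    for vs in (GATEWAY_VS, CONFLICTING_VS, LTM_ONLY_VS):
        print(vs.name, "conflicts:", translation_conflicts(vs))
    print(process_packet(GATEWAY_VS, "10.0.1.5", "198.51.100.7"))
    print(process_packet(GATEWAY_VS, "10.0.99.9", "198.51.100.7"))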

  • Hi Peter,


    So what is the difference between the standalone CGNAT module and the CGNAT module that is integrated in AFM NAT?


    •
      Peter_Mills_697
      Historic F5 Account

      Nothing, actually. The same code is used for both. It is a repackaging exercise, since AFM users prefer to use ACLs. It also reduces the number of virtual servers required, since you can set up a wildcard VIP and use ACL rules to filter the traffic. AFM is also gradually leapfrogging the CGNAT module in other respects, e.g. by adding support for proxy ARP (both source and destination) and adding other forms of 1:1 static NAT.


      dynamic-pat == CGNAT


    •
      Peter_Mills_697
      Historic F5 Account

      CGNAT ALGs are still provisioned as they are today by attaching a profile to the Virtual Server but they interoperate with AFM dynamic-pat.


      CGNAT LSN pools and dynamic-pat are mutually exclusive.


    •
      bassam_gohar_26

      Thanks a lot Peter :). So in dynamic-pat we should take care of the CMP hash on the inbound and outbound VLANs like the CGNAT module?