Nat_Thirasutta3
F5 Employee

Problem this snippet solves:

This iApp creates an H.323 ALG configuration, including virtual servers, iRules, LSN pools, etc. The H.323 ALG is implemented using iRules (Tcl) and makes use of the new CGNAT ALG Toolkit iRules primitive available in BIG-IP 14.1.


The configuration consists of a virtual server that intercepts H.225 RAS (Registration, Admission, and Status) traffic. The ALG extracts information from the H.225 traffic and starts listeners for H.225 CS (call signaling) as necessary. The ALG follows the H.245 connection created by H.225 CS, if there is one. It also creates flows for media connections based on the negotiation that happens at the H.245 protocol level.


The ALG can also intercept H.225 CS calls that happen without H.225 RAS.


Note that this iApp only supports a public VLAN that is in route domain 0 (the default).

How to use this snippet:

This H.323 ALG iApp supports two main use cases:


1.  NAT44

2.  464XLAT


Note that VLAN, route, and IP address configuration are not included in the iApp. They may be configured prior to creating the application. For VLANs, some NAT modes may require a specific cmp-hash mode; for example, PBA and DNAT require cmp-hash set to src-ip on the private side and to dst-ip on the public side.


The configurations for the NAT44 and 464XLAT use cases are separate. Configuration objects (including virtual servers, LSN pools, etc.) are created separately and are not shared. Both options can be enabled in the same application.


* * *


To create an application for the NAT44 use case (see image below), select "yes" in the "Enabled H.323 ALG for NAT44" section.


[Image: 0151T000002di4sQAA.png]



Then enter the information for the private and public sides. For the private side, add a virtual server to intercept H.225 RAS and H.225 CS (enter the VLAN, route domain, and port). Enter the "allowed source" subnet information.


To support hairpin calls, select "yes" for the "Create wildcard virtual..." option if there is no existing wildcard virtual that matches hairpin traffic.


For the public side, select the public VLAN, enter the LSN pool member addresses, and configure the translation mode.


* * *


To create an application for the 464XLAT use case (see image below), select "yes" in the "Enabled H.323 ALG for 464XLAT" section.



[Image: 0151T000002di4xQAA.png]




Follow the same instructions as for the NAT44 use case, but use the appropriate IPv6 addresses as needed. The 464XLAT use case also requires a NAT64 prefix, because BIG-IP acts as a PLAT.


* * *


In addition to the configuration sections for the NAT44 and 464XLAT use cases, there are sections for Advance, Logging and Debug options (see image below).



[Image: 0151T000002di4yQAA.png]



For the "Advance Options" section:


*   Enforce no H.245 Tunnelling: select yes if you want the ALG to try to prevent H.245 tunnelling in H.225 CS

*   Enforce no FastStart: select yes if you want the ALG to try to prevent FastStart from being used

*   Choose the action for the ALG to take when the iRule receives a message it could not decode


For the "Logging Options" section:


*   Set LSN log destination: choose whether to write the log to local syslog or to none


For the "Debug Options" section, enable debug logging for the categories of interest. Note that the "per" debug log may produce very detailed log information. Debug log options may only be enabled when there is no load.


This iApp was created on "Wed May 09 04:45:14 GMT 2018".

Tested this on version:

No Version Found
Last update: 04-May-2020 19:25