Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Network Address Translation Configuration Overview

    Configuring Source and Destination Addresses Network Address Translation Overview

    You must configure a specific address, a prefix, or the address-range boundaries:

    • The following addresses, while valid in inet.0, cannot be used for NAT translation:
      • 0.0.0.0/32
      • 127.0.0.0/8 (loopback)
      • 128.0.0.0/16 (martian)
      • 191.255.0.0/16 (martian)
      • 192.0.0.0/24 (martian)
      • 223.255.255.0/24 (martian)
      • 224.0.0.0/4 (multicast)
      • 240.0.0.0/4 (reserved)
      • 255.255.255.255 (broadcast)
    • You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method. For more information, see Examples: Configuring NAT Rules.
    • When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused. Pools cannot be shared.

    Note: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes.

    NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocols packets transit the Adaptive Services (AS) or Multiservices PIC.

    Configuring Pools of Addresses and Ports for Network Address Translation Overview

    Configuring NAT Pools

    You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for Network Address Translation (NAT). To configure the information, include the pool statement at the [edit services nat] hierarchy level:

    [edit services nat]
    pool nat-pool-name {address ip-prefix</prefix-length>;address-range low minimum-value high maximum-value;port (automatic | range low minimum-value high maximum-value); preserve-parity;preserve-range {}}

    To configure pools for traditional NAT, specify either a destination pool or a source pool.

    With static source NAT and dynamic source NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool.

    With static destination NAT, you can also specify multiple address prefixes and address ranges in a single term. Multiple destination NAT terms can share a destination NAT pool. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.

    For constraints on specific translation types, see Network Address Translation Rules Overview.

    With source static NAT, the prefixes and address ranges cannot overlap between separate pools.

    In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.

    When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 65,000 addresses, for a total of (65,000 x 65,535) or 4,259,775,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.

    Preserve Range and Preserve Parity

    You can configure your carrier-grade NAT (CGN) to preserve the range or parity of the packet source port when it allocates a source port for an outbound connection. You can configure the preserve parity and preserve range options under the NAT pool definition by including the preserve-range and preserve-parity configuration statements at the [edit services nat pool poolname port] hierarchy level.

    • Preserve range—RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, defines two ranges: 0 through 1023, and 1024 through 65,535. When the preserve-range knob is configured and the incoming port falls into one of these ranges, CGN allocates a port from that range only. However, if there is no available port in the range, the port allocation request fails and that session is not created. The failure is reflected on counters and system logging, but no Internet Control Message Protocol (ICMP) message is generated. If this knob is not configured, allocation is based on the configured port range without regard to the port range that contains the incoming port. The exception is some application-level gateways (ALGs), such as hello, that have special zones.
    • Preserve parity—When the preserve-parity knob is configured, CGN allocates a port with the same even or odd parity as the incoming port. If the incoming port number is odd or even, the outgoing port number should correspondingly be odd or even. If a port number of the desired parity is not available, the port allocation request fails, the session is not created, and the packet is dropped.

    Specifying Destination and Source Prefixes without Configuring a Pool

    You can directly specify the destination or source prefix used in NAT without configuring a pool.

    To configure the information, include the rule statement at the [edit services nat] hierarchy level:

    [edit services nat]
    rule rule-name {term term-name {then {translated {destination-prefix prefix;}}}}

    Configuring Address Pools for Network Address Port Translation (NAPT) Overview

    With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.

    The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.

    The Junos OS provides several alternatives for allocating ports:

    Round-Robin Allocation for NAPT

    To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

    • The first connection is allocated to the address:port 100.0.0.1:3333.
    • The second connection is allocated to the address:port 100.0.0.2:3333.
    • The third connection is allocated to the address:port 100.0.0.3:3333.
    • The fourth connection is allocated to the address:port 100.0.0.4:3333.
    • The fifth connection is allocated to the address:port 100.0.0.5:3333.
    • The sixth connection is allocated to the address:port 100.0.0.6:3333.
    • The seventh connection is allocated to the address:port 100.0.0.7:3333.
    • The eighth connection is allocated to the address:port 100.0.0.8:3333.
    • The ninth connection is allocated to the address:port 100.0.0.9:3333.
    • The tenth connection is allocated to the address:port 100.0.0.10:3333.
    • The eleventh connection is allocated to the address:port 100.0.0.11:3333.
    • The twelfth connection is allocated to the address:port 100.0.0.12:3333.
    • Wraparound occurs and the thirteenth connection is allocated to the address:port 100.0.0.1:3334.

    Sequential Allocation for NAPT

    With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.

    Note: This legacy implementation provides backward compatibility and is no longer a recommended approach..

    The NAT pool called napt in the following configuration example uses the sequential implementation:

    pool napt {address-range low 100.0.0.1 high 100.0.0.3;address-range low 100.0.0.4 high 100.0.0.6;address-range low 100.0.0.8 high 100.0.0.10;address-range low 100.0.0.12 high 100.0.0.13;port {range low 3333 high 3334;}}

    In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed. In the case of the example napt pool, the tuple address, port 100.0.0.4:3333, is allocated only when all ports for all the addresses in the first range have been used.

    • The first connection is allocated to the address:port 100.0.0.1:3333.
    • The second connection is allocated to the address:port 100.0.0.1:3334.
    • The third connection is allocated to the address:port 100.0.0.2:3333.
    • The fourth connection is allocated to the address:port 100.0.0.2:3334, and so on.

    Preserve Parity and Preserve Range for NAPT

    The following options are available for NAPT:

    • Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.
    • Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.

    Address Pooling and Endpoint Independent Mapping for NAPT

    Address Pooling and Endpoint Independent Mapping for NAPT

    Address Pooling

    Address pooling, or address pooling paired (APP) ensures assignment of the same external IP address for all sessions originating from the same internal host. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization

    Address pooling solves the problems of an application opening multiple connections. For example, when Session Initiation Protocol (SIP) client sends Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, the SIP generally server requires that they come from the same IP address, even if they have been subject to NAT. If RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) benefits from address pooling paired.

    The following are use cases for address pooling.

    • A site that offers instant messaging services requires that chat and their control sessions come from the same public source address. When the user signs on to chat, a control session authenticates the user. A different session begins when the user starts a chat session. If the chat session originates from a source address that is different from the authentication session, the instant messaging server rejects the chat session, because it originates from an unauthorized address.
    • Certain websites such as online banking sites require that all connections from a given host come from the same IP address.
    Endpoint Independent Mapping and Endpoint Independent Filtering

    Endpoint independent mapping (EIM) ensures the assignment of the same external address and port for all connections from a given host if they use the same internal port. This means if they come from a different source port, you are free to assign a different external address.

    EIM and APP differ as follows:

    • APP ensures assigning the same external IP address.
    • EIM provides a stable external IP address and port (for a period of time) to which external hosts can connect. Endpoint independent filtering (EIF) controls which external hosts can connect to an internal host.

    Carriers track subscribers using the IP address (RADIUS or DHCP) log. If they use NAPT, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which are part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers.

    Port block allocation is supported on MX series routers wiith MultiServices Dense Port Concentrators (MS-DPCs).

    Secured Port Block Allocation for NAPT

    When allocating blocks of ports, the most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.

    When you configure secured port block allocation, you can specify the following:

    • block-size
    • max-blocks-per-address
    • active-block-timeout

    Deterministic Port Block Allocation for NAPT

    You can configure NAT algorithm-based allocation of blocks of destination ports. By specifying deterministic-port-block-allocation blocksize blocksize at the [edit services nat pool poolname port] hierarchy level, you ensure that an incoming (source) IP address and port always map to the same destination IP address and port, thus eliminating the need for the address translation logging. You can also specify include-boundary-addresses if you want the lowest and highest addresses in the source address range of a NAT rule to be translated when the NAT pool is used. When you use deterministic port block allocation, you must specify deterministic-nat44 as the translation-type in your NAT rule.

    For detailed information on how to configure deterministic port block allocation, see Configuring Deterministic Port Block Allocation.

    Understanding Deterministic Port Block Allocation Algorithms

    The effectiveness of your implementation of deterministic port block allocation depends on your analysis of your subscriber requirements. The block size you provide indicates how many ports will be made available for each incoming subscriber address in the range the from clause specified in the applicable NAT rule. The allocation algorithm computes an offset value to determine the outgoing port. A reverse algorithm is used to derive the originating subscriber address.

    Note: In order to track subscribers without using logs, an ISP must use a reverse algorithm to derive a subscriber (source) addresses from translated addresses.

    Deterministic Port Block Allocation Algorithm Usage

    When you have configured deterministic port block allocation, you can use the show services nat deterministic-nat internal-host and show services nat deterministic-nat nat-port-block commands to show forward and reverse mapping. However, mappings will change if you reconfigure your deterministic port block allocation block size or the from clause for your NAT rule. In order to provide historical information on mappings, we recommend that you write scripts that can show specific mappings for prior configurations.

    The following variables are used in forward calculation (private subscriber IP address to public IP address) and reverse calculation (public IP address to private subscriber IP address):

    • Pr_Prefix—Any pre-NAT IPv4 subscriber address
    • Pr_Port—Any pre-NAT protocol port
    • Block_Size—Number of ports configured to be available for each Pr_Prefix
    • Base_PR_Prefix—First usable pre-NAT IPv4 subscriber address in a “from” clause match condition
    • Base_PU_Prefix—First usable post-NAT IPv4 subscriber address configured in the NAT pool.
    • Pu_Port_Range_Start—1024 (ports 0 through 1023 are not used when port automatic is configured)
    • Pr_Offset—Pr_Prefix – Base_Pr_Prefix
    • PR_Port_Offset—Pr_Offset * Block_Size
    • Pu_Prefix—Post-NAT address for a given Pr_Prefix
    • Pu_Start_Port—Post-NAT start port for a flow from a given Pr_Prefix
    • Pu_Actual_Port—Post-NAT port seen on a reverse flow
    • Nr_Addr_PR_Prefix — Number of usable pre-NAT IPv4 subscriber addresses in a “from” clause match condition
    • Nr_Addr_PU_Prefix — Number of usable post-NAT IPv4 addresses configured in the NAT pool
    • Rounded_Port_Range_Per_IP — ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
    • Pu_Offset—Pu_Prefix – Base_Pu_Prefix
    • Pu_Port_Offset—(Pu_Offset * Port_Range_Per_Pu_IP) + (Pu_Actual_Port – Pu_Port_Start_Port)

    Note: If block-size is configured as zero, the method for computing the block size has changed and is computed as follows:

    block-size = int(64512/ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)])

    where 64512 is the maximum available port range per public IP address.

    Algorithm Usage–Assume the following configuration:

    services {nat {pool src-pool {address-range low 32.32.32.1 high 32.32.32.254;port {automatic {random-allocation;}deterministic-block-allocation {block-size 249;}}}
    rule det-nat {match-direction input;term t1 {from {source-address {10.1.0.0/16;}}then {translated {source-pool src-pool;translation-type {deterministic-napt44;}}}}

    Forward Translation

    1. Pr_Offset = Pr_Prefix – Base_Pr_Prefix
    2. Pr_Port_Offset = Pr_Offset * Block_Size
    3. Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
    4. Pu_Prefix = Base_Public_Prefix + floor(Pr_Port_Offset / Rounded_Port_Range_Per_IP)
    5. Pu_Start_Port = Pu_Port_Range_Start + (Pr_Port_Offset % Rounded_Port_Range_Per_IP)

    Using the sample configuration and assuming a subscriber flow sourced from 10.1.1.250:5000:

    1. Pr_Offset = 10.1.1.250 – 10.1.0.1 = 505
    2. Pu_Port_Offset = 505 * 249 = 125,745
    3. Rounded_Port_Range_Per_IP = ceil[(65, 533/254)] * 249 = 259 * 249 = 64,491
    4. Pu_Prefix = 32.32.32.1 + floor(125,745 /64,491) = 32.32.32.1 +1 =32.32.32.2
    5. Pu_Start_Port = 1,024 + (125,745 % 64,491) = 62278
      • 10.1.1.250 is translated to 32.32.32.2.
      • The starting port is 62278. There are 249 ports available to the subscriber based on the configured block size. The available port range spans ports 62278 through 62526 (inclusive).
      • The specific flow 10.1.1.250:5000 randomly assigns any of the ports in its range because random allocation was specified.

    Reverse Translation

    1. Pu_Offset = Pu_Prefix – Base_Pu_Prefix
    2. Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start)
    3. Subscriber_IP = Base_Pr_Prefix + floor(Pu_Port_Offset / Block_Size)

    The reverse translation is determined as follows. Assume a flow returning to 32.32.32.2:62278.

    1. Pu_Offset = 32.32.32.2 – 32.32.32.1 = 1
    2. Pu_Port_Offset = (1 * 64,491) + (62,280 - 1024) = 125,747
    3. Subscriber_IP = 10.1.0.1 + floor(125,747 / 249) = 10.1.0.1 + 505 = 10.1.1.250

      Note: In reverse translation, only the original private IP address can be derived, and not the original port in use. This is sufficiently granular for law enforcement requirements.

    Deterministic Port Block Allocation Restrictions

    When you configure deterministic port block allocation, you must be aware of the following restrictions. Violation of any restriction results in a commit error. The restrictions and their error messages are shown in Table 1

    Table 1: Deterministic Port Block Allocation Commit Constraints

    Restriction

    Error Message

    The total number of deterministic NAT blocks must be greater than or equal to the 'from' clause addresses configured. This means that the Rounded_Port_Range_Per_IP value must be less than or equal to 64,512.

    Number of addresses and port blocks combination in the NAT pool is less than number of addresses in 'from' clause

    IPv6 addresses should not be used in deterministic NAT pool/from clause.

    Invalid IP address in pool p1 with translation type deterministic-napt44

    OR

    There is already a range configured with v4 address range

    The from clause addresses should be same if the same deterministic NAT pool is used across multiple terms/rules. Only one from clause address/range should be specified if the same deterministic NAT pool is used across multiple terms/rules.

    With translation-type deterministic-napt44, same 'from' address/range should be configured if pool is shared by multiple rules or terms

    There shouldn't be address overlap between except entries in the from clause addresses.

    overlapping address, in the 'from' clause between 'except' entries

    A deterministic NAT pool cannot be used with other translation-types

    Deterministic NAT pool cannot be used with other translation-types

    Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration

    Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration

    If address-allocation round-robin is configured, a commit results in display of a warning indicating that this technique is not needed with translation-type deterministic-napt44 and is ignored.

    Address allocation round-robin is not needed with translation-type deterministic-napt44

    The total number of IP addresses assigned to a deterministic NAT pool should be less than or equal to 224 (16777216).

    Number of addresses in pool with deterministic-napt44 translation are limited to at most 16777216(2^24)

    Comparision of NAPT Implementation Methods

    Table 2 provides a feature comparison of available NAPT implementation methods.

    Table 2: Comparison of NAPT Implementation Methods

    Feature/Function

    Dynamic Port Allocation

    Secured Port Block Allocation

    Deterministic Port Block Allocation

    Users per IP

    High

    Medium

    Low

    Security Risk

    Low

    Medium

    Medium

    Log Utilization

    High

    Low

    None (no logs necessary)

    Security Risk Reduction

    Random allocation

    active-block-timeout feature

    n/a

    Increasing Users per IP

    n/a

    Configure multiples of smaller port blocks to maximize users/ public IP

    Algorithm-based port allocation

    Network Address Translation Rules Overview

    To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level:

    [edit services nat]
    rule (Services NAT) rule-name {match-direction (Services NAT) (input | output);term (Services NAT) term-name {from (Services NAT) {application-sets (Services NAT) set-name;applications (Services NAT) [ application-names ];destination-address (Services NAT) (address | any-unicast) <except>;destination-address-range (Services NAT) low minimum-value high maximum-value <except>;destination-prefix-list (Services NAT) list-name <except>;source-address (address | any-unicast) <except>;source-address-range (Services NAT) low minimum-value high maximum-value <except>;source-prefix-list (Services Stateful Firewall) list-name <except>;}then (Services NAT) {no-translation;translated {address-pooling paired;destination-pool nat-pool-name;destination-prefix (Services NAT) destination-prefix;dns-alg-pool dns-alg-pool;dns-alg-prefix dns-alg-prefix;filtering-type endpoint-independent;mapping-type endpoint-independent;overload-pool overload-pool-name;overload-prefix overload-prefix;source-pool nat-pool-name;source-prefix (Services NAT) source-prefix;translation-type {(basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);}}syslog (Services NAT);}}}

    Each rule must include a match-direction statement that specifies the direction in which the match is applied.

    In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

    • from statement—Specifies the match conditions and applications that are included and excluded.
    • then statement—Specifies the actions and action modifiers to be performed by the router software.

    The following sections explain how the components of NAT rules:

    Configuring Match Direction for NAT Rules

    Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:

    [edit services nat rule rule-name]match-direction (input | output);

    The match direction is used with respect to the traffic flow through the Multiservices DPC and Multiservices PICs. When a packet is sent to the PIC, direction information is carried along with it. The packet direction is determined based on the following criteria:

    • With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
    • With a next-hop service set, packet direction is determined by the interface used to route the packet to the Multiservices DPC or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information about inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces.”
    • On the Multiservices DPC and Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

    Configuring Match Conditions in NAT Rules

    To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:

    [edit services nat rule rule-name term term-name]
    from {application-sets set-name;applications [ application-names ];destination-address (address | any-unicast) <except>;destination-address-range low minimum-value high maximum-value <except>;destination-prefix-list list-name <except>;source-address (address | any-unicast) <except>;source-address-range low minimum-value high maximum-value <except>;source-prefix-list list-name <except>;}

    To configure traditional NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter; for more information, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide for Routing Devices.

    Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For an example, see “Examples: Configuring Stateful Firewall Rules.”

    Configuring Actions in NAT Rules

    To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:

    [edit services nat rule rule-name term term-name]
    then {no-translation;syslog;translated {destination-pool nat-pool-name;destination-prefix destination-prefix;source-pool nat-pool-name;source-prefix source-prefix;translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);}}}

    The no-translation statement allows you to specify addresses that you want excluded from NAT.

    The system log statement enables you to record an alert in the system logging facility.

    The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level.

    Configuring Translation Types

    The translation-type statement specifies the type of NAT used for source or destination traffic. The options are basic-nat-pt, basic-nat44, basic-nat66, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, stateful-nat64, twice-basic-nat-44, twice-dynamic-nat-44, and twice-napt-44.

    The implementation details of the nine options of the translation-type statement are as follows:

    • basic-nat44—This option implements the static translation of source IP addresses without port mapping. You must configure the from source-address statement in the match condition for the rule. The size of the address range specified in the statement must be the same as or smaller than the source pool. You must specify either a source pool or a destination prefix. The referenced pool can contain multiple addresses but you cannot specify ports for translation.

      Note: In an interface service set, all packets destined for the source address specified in the match condition are automatically routed to the services PIC, even if no service set is associated with the interface.

      Note: Prior to Junos OS Release 11.4R3, you could only use a source NAT pool in a single service set. As of Junos OS Release 11.4R3 and subsequent releases, you can reuse a source NAT pool in multiple service sets.

    • basic-nat66—This option implements the static translation of source IP addresses without port mapping in IPv6 networks. The configuration is similar to the basic-nat44 implementation, but with IPv6 addresses.
    • basic-nat-pt—This option implements translation of addresses of IPv6 hosts, as they originate sessions to the IPv4 hosts in an external domain and vice versa. This option is always implemented with DNS ALG. You must define the source and destination pools of IPv4 addresses. You must configure one rule and define two terms. Configure the IPv6 addresses in the from statement in both term statements. In the then statement of the first term within the rule, reference both the source and destination pools and configure dns-alg-prefix. Configure the source prefix in the then statement of the second term within the same rule.
    • dnat-44—This option implements static translation of destination IP addresses without port mapping. The size of the pool address space must be greater than or equal to the destination address space. You must specify a name for the destination pool statement. The referenced pool can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement. You must include exactly one destination-address value at the [edit services nat rule rule-name term term-name from] hierarchy level; if it is a prefix, the size must be less than or equal to the pool prefix size. Any addresses in the pool that are not matched in the yvalue remain unused, because a pool cannot be shared among multiple terms or rules.
    • dynamic-nat44—This option implements dynamic translation of source IP addresses without port mapping. You must specify a source-pool. The referenced pool must include an address configuration (for address-only translation).

      The dynamic-nat44 address-only option supports translating up to 16,777,216 addresses to a smaller size pool. The requests from the source address range are assigned to the addresses in the pool until the pool is used up, and any additional requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. This feature enables the router to share a few public IP addresses between several private hosts. Because all the private hosts might not simultaneously create sessions, they can share a few public IP addresses.

    • napt-44—This option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration. If the port is configured as automatic or a port range is specified, then it implies that Network Address Port Translation (NAPT) is used.
    • napt-66—This option implements dynamic address translation of source IP addresses with port mapping for IPv6 addresses. The configuration is similar to the napt-44 implementation, but with IPv6 addresses.
    • napt-pt—This option implements dynamic address and port translation for source and static translation of destination IP address. You must specify a name for the source-pool statement. The referenced pool must include a port configuration (for NAPT). Additionally, you must configure two rules, one for the DNS traffic and the other for the rest of the traffic. The rule meant for the DNS traffic should be DNS ALG enabled and the dns-alg-prefix statement should be configured. Moreover, the prefix configured in the dns-alg-prefix statement must be used in the second rule to translate the destination IPv6 addresses to IPv4 addresses.
    • stateful-nat64—This option implements dynamic address and port translation for source IP addresses and prefix removal translation for destination IP addresses. You must specify the IPv4 addresses used for translation at the [edit services nat pool] hierarchy level. This pool must be referenced in the rule that translates the IPv6 addresses to IPv4.
    • twice-basic-nat-44—This option implements static source and static destination translation for IPv4 addresses, thus combining basic-nat44 for source and dnat-44 for destination addresses.
    • twice-dynamic-nat-44—This option implements source dynamic and destination static translation for IPv4 addresses, combining dynamic-nat44 for source and dnat-44 for destination addresses.
    • twice-napt-44—This option implements source NAPT and destination static translation for IPv4 addresses, combining napt-44 for source and dnat-44 for destination addresses.

    Note: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:

    • Addresses specified in the from destination-address statement when you are using destination translation
    • Addresses specified in the source NAT pool when you are using source translation

    For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

    Configuring Service Sets for Network Address Translation

    When configuring a service set for NAT processing, make sure you have defined:

    • Service interface(s) for handling inbound and outbound traffic

      Note: Prior to Junos OS Release 11.4R3, you could only use a source NAT pool in a single service set. As of Junos OS Release 11.4R3 and subsequent releases, you can reuse a source or destination NAT pool in multiple service sets, provided that the service interfaces associated with the service sets are in different virtual routing and forwarding (VRF) instances.

      • For interface style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the interface-service service-interface option of each service set must be in different VRFs.
      • For next-hop style service sets, when a NAT pool is reused in multiple service sets, the service interfaces used in the outside-interface option of each service set must be in different VRFs.

        Not adhering to these service interface restrictions will cause multiple routes to be installed in the same VRF for the same NAT addresses, causing reverse traffic to be processed incorrectly.

      To enable sharing of source NAT pools, include the allow-overlapping-nat-pools statement at the [edit services nat] hierarchy level.

    • A NAT rule or ruleset

    Note: To configure an MX-DPC interface to be used exclusively for carrier-grade NAT (CGN) or related services (intrusion detection, stateful firewall, and softwire), include the cgn-pic statement at the [edit interfaces interface-name services-options] hierarchy level.

    To configure a NAT service set:

    1. At the [edit services] hierarchy level, define the service set.
      [edit services]user@host# edit service-set service-set-name
    2. Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.
      [edit services service-set service-set-name]user@host# set interface-service service-interface interface-name

      Or

      [edit services service-set service-set-name]user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name

      Note: If you have a Trio-based line card (MPC/MIC), you can use an inline-services interface that was configured on that card, as shown in this example:

      [edit]user@host# set interfaces si-0/0/0 [edit services service-set s1]user@host# set interface-service service-interface si-0/0/0

      For more information on interface service and next-hop service, see “Configuring Service Sets to be Applied to Services Interfaces.”

    3. Configure a reference to the NAT rules or ruleset to be used with the service set.
      [edit services service-set service-set-name]user@host set nat-rules rule-or-ruleset-name
    4. (Optional) For NAT64, specify that the don’t fragment (DF) bit for IPv4 packet headers is cleared when packet length is less than 1280 bytes.
      [edit services service-set service-set-name]user@host# set nat-options stateful-nat64 clear-dont-fragment-bit

    Modified: 2015-09-15