
Deterministic NAT


Deterministic NAPT Overview

You can configure deterministic NAPT44 to ensure that the original source IPv4 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port are always mapped to the same internal IPv4 address. You can configure deterministic NAPT64 to ensure that the original source IPv6 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port are always mapped to the same internal IPv6 address. Deterministic NAPT uses an algorithm-based allocation of blocks of destination ports.

Deterministic NAPT44 is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Deterministic NAPT44 is supported for MS-MPCs and MS-MICs starting in Junos OS Release 17.3R1, in Junos OS Release 14.2R7 and later 14.2 releases, and in Junos OS Release 15.1R3 and later 15.1 releases. Starting in Junos OS Release 17.4R1, deterministic NAPT64 is supported on the MS-MPC and MS-MIC.

If the source address in the from clause of a deterministic NAPT rule does not have a prefix of /32, the network and broadcast addresses in the source address range are not translated unless you configure include-boundary-addresses.

For detailed information on how to configure deterministic NAPT, see Configuring Deterministic NAPT.

Benefits of Deterministic NAPT

  • Eliminates the need for address translation logging because an IP address is always mapped to the same external IP address and port range, and the reverse mapping of a given translated external IP address and port are always mapped to the same internal IP address.

Understanding Deterministic NAPT Algorithms

The effectiveness of your implementation of deterministic NAPT depends on your analysis of your subscriber requirements. The block size you provide indicates how many ports will be made available for each incoming subscriber address from the range in the from clause specified in the applicable NAT rule. The allocation algorithm computes an offset value to determine the outgoing IP address and port. A reverse algorithm is used to derive the originating subscriber address.

Note

In order to track subscribers without using logs, an ISP must use a reverse algorithm to derive a subscriber (source) address from a translated address.

The following variables are used in forward calculation (private subscriber IP address to public IP address) and reverse calculation (public IP address to private subscriber IP address):

  • Pr_Prefix—Any pre-NAT IPv4 subscriber address.

  • Pr_Port—Any pre-NAT protocol port.

  • Block_Size—Number of ports configured to be available for each Pr_Prefix.

    If block-size is configured as zero, the block size is computed as follows:

    block-size = int(64512 / ceil[(Nr_Addr_PR_Prefix / Nr_Addr_PU_Prefix)])

    where 64512 is the maximum available port range per public IP address (ports 1024 through 65535).

  • Base_PR_Prefix—First usable pre-NAT IPv4 subscriber address in a from clause of the NAT rule.

  • Base_PU_Prefix—First usable post-NAT IPv4 subscriber address configured in the NAT pool.

  • Pu_Port_Range_Start—First usable post-NAT port. This is 1024.

  • Pr_Offset—The offset of the pre-NAT IP address that is being translated from the first usable pre-NAT IPv4 subscriber address in a from clause of the NAT rule. Pr_Offset = Pr_Prefix – Base_Pr_Prefix.

  • Pr_Port_Offset—Offset of the pre-NAT IP address multiplied by the block size. Pr_Port_Offset = Pr_Offset * Block_Size.

  • Pu_Prefix—Post-NAT address for a given Pr_Prefix.

  • Pu_Start_Port—Post-NAT start port for a flow from a given Pr_Prefix.

  • Pu_Actual_Port—Post-NAT port seen on a reverse flow.

  • Nr_Addr_PR_Prefix—Number of usable pre-NAT IPv4 subscriber addresses in a from clause of the NAT rule.

  • Nr_Addr_PU_Prefix—Number of usable post-NAT IPv4 addresses configured in the NAT pool.

  • Rounded_Port_Range_Per_IP—Number of ports available for each post-NAT IP address. Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix / Nr_Addr_PU_Prefix)] * Block_Size.

  • Pu_Offset—Offset of the post-NAT IP address from the first usable post-NAT address. Pu_Offset = Pu_Prefix – Base_Pu_Prefix.

  • Pu_Port_Offset— Offset of the post-NAT port from 1024 added to the product of the offset of the post-NAT IP address and the number of ports available for each post-NAT IP address. Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start).

Algorithm Usage–Assume the following configuration:

Forward Translation

  1. Pr_Offset = Pr_Prefix – Base_Pr_Prefix
  2. Pr_Port_Offset = Pr_Offset * Block_Size
  3. Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
  4. Pu_Prefix = Base_Pu_Prefix + floor(Pr_Port_Offset / Rounded_Port_Range_Per_IP)
  5. Pu_Start_Port = Pu_Port_Range_Start + (Pr_Port_Offset % Rounded_Port_Range_Per_IP)

Using the sample configuration and assuming a subscriber flow sourced from 10.1.1.250:5000:

  1. Pr_Offset = 10.1.1.250 – 10.1.0.1 = 505
  2. Pr_Port_Offset = 505 * 249 = 125,745
  3. Rounded_Port_Range_Per_IP = ceil[(65,533 / 254)] * 249 = 259 * 249 = 64,491
  4. Pu_Prefix = 32.32.32.1 + floor(125,745 / 64,491) = 32.32.32.1 + 1 = 32.32.32.2
  5. Pu_Start_Port = 1,024 + (125,745 % 64,491) = 62,278

    • 10.1.1.250 is translated to 32.32.32.2.

    • The starting port is 62,278. There are 249 ports available to the subscriber based on the configured block size. The available port range spans ports 62,278 through 62,526 (inclusive).

    • The specific flow 10.1.1.250:5000 is assigned any one of the ports in that range at random, because random allocation was specified.

Reverse Translation

  1. Pu_Offset = Pu_Prefix – Base_Pu_Prefix
  2. Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start)
  3. Subscriber_IP = Base_Pr_Prefix + floor(Pu_Port_Offset / Block_Size)

The reverse translation is determined as follows. Assume a flow returning to 32.32.32.2:62278.

  1. Pu_Offset = 32.32.32.2 – 32.32.32.1 = 1
  2. Pu_Port_Offset = (1 * 64,491) + (62,280 – 1,024) = 125,747
  3. Subscriber_IP = 10.1.0.1 + floor(125,747 / 249) = 10.1.0.1 + 505 = 10.1.1.250

    Note

    In reverse translation, only the original private IP address can be derived, and not the original port in use. This is sufficiently granular for law enforcement requirements.

When you have configured deterministic NAPT, you can use the show services nat deterministic-nat internal-host and show services nat deterministic-nat nat-port-block commands to show forward and reverse mapping. However, mappings change if you reconfigure the block size of your deterministic port block allocation or the from clause of your NAT rule. To retain historical mapping information, we recommend that you write scripts that can reproduce specific mappings for prior configurations.
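The forward and reverse calculations above, carried through in Python as an added example (this is not code from the Juniper page or from Junos OS). It is parameterized by the pool, the from clause and the block size so that, as recommended, a mapping for a prior configuration can be recomputed; the from range (65,533 usable addresses starting at 10.1.0.1), the pool (254 addresses starting at 32.32.32.1) and the block size of 249 are assumed from the worked example, since the sample configuration itself is not shown on the page.

```python
from ipaddress import IPv4Address
from math import ceil

PU_PORT_RANGE_START = 1024   # first usable post-NAT port
MAX_PORTS_PER_IP = 64512     # usable ports per public address (1024..65535)


class DeterministicNapt44:
    """Forward/reverse mapping for one NAT pool and one from clause."""

    def __init__(self, base_pr, nr_addr_pr, base_pu, nr_addr_pu, block_size=512):
        self.base_pr = IPv4Address(base_pr)   # Base_Pr_Prefix
        self.nr_addr_pr = nr_addr_pr          # Nr_Addr_PR_Prefix
        self.base_pu = IPv4Address(base_pu)   # Base_Pu_Prefix
        ratio = ceil(nr_addr_pr / nr_addr_pu)
        # block-size 0 means: derive it from the subscriber/pool address ratio
        if block_size == 0:
            block_size = MAX_PORTS_PER_IP // ratio
        self.block_size = block_size
        self.rounded = ratio * block_size     # Rounded_Port_Range_Per_IP
        # Commit constraint from Table 1: each from-clause address needs a block
        if self.rounded > MAX_PORTS_PER_IP:
            raise ValueError("Number of addresses and port blocks combination in "
                             "the NAT pool is less than number of addresses in 'from' clause")

    def forward(self, pr_prefix):
        """Return (Pu_Prefix, Pu_Start_Port, last port) for a subscriber address."""
        pr_offset = int(IPv4Address(pr_prefix)) - int(self.base_pr)
        if not 0 <= pr_offset < self.nr_addr_pr:
            raise ValueError("address is not covered by the from clause")
        pr_port_offset = pr_offset * self.block_size
        pu_prefix = self.base_pu + pr_port_offset // self.rounded
        start = PU_PORT_RANGE_START + pr_port_offset % self.rounded
        return str(pu_prefix), start, start + self.block_size - 1

    def reverse(self, pu_prefix, pu_actual_port):
        """Return the subscriber address behind a translated address and port."""
        pu_offset = int(IPv4Address(pu_prefix)) - int(self.base_pu)
        pu_port_offset = (pu_offset * self.rounded
                          + (pu_actual_port - PU_PORT_RANGE_START))
        return str(self.base_pr + pu_port_offset // self.block_size)


if __name__ == "__main__":
    # Values assumed from the worked example on this page
    napt = DeterministicNapt44("10.1.0.1", 65533, "32.32.32.1", 254, block_size=249)
    print(napt.forward("10.1.1.250"))          # ('32.32.32.2', 62278, 62526)
    print(napt.reverse("32.32.32.2", 62278))   # 10.1.1.250
```

With block-size 0 the same from range and pool yield a computed block size of 249, the value used in the worked example; with the default of 512 the constructor raises the Table 1 commit error because 259 * 512 exceeds 64,512.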

Deterministic NAPT Restrictions

When you configure deterministic NAPT, you must be aware of the following restrictions. Violation of any restriction results in a commit error. The restrictions and their error messages are shown in Table 1.

Table 1: Deterministic NAPT Commit Constraints

Restriction: The total number of deterministic NAT blocks must be greater than or equal to the number of from clause addresses configured. This means that the Rounded_Port_Range_Per_IP value must be less than or equal to 64,512.
Error message: Number of addresses and port blocks combination in the NAT pool is less than number of addresses in 'from' clause

Restriction: IPv6 addresses should not be used in a deterministic NAT pool or from clause.
Error message: Invalid IP address in pool p1 with translation type deterministic-napt44
OR
There is already a range configured with v4 address range

Restriction: The from clause addresses should be the same if the same deterministic NAT pool is used across multiple terms or rules. Only one from clause address or range should be specified if the same deterministic NAT pool is used across multiple terms or rules.
Error message: With translation-type deterministic-napt44, same 'from' address/range should be configured if pool is shared by multiple rules or terms

Restriction: The from clause must have at least one source address.
Error message: With translation-type deterministic-napt44, at least one non-except 'from' address/range should be configured. error: configuration check-out failed

Restriction: There should not be address overlap between except entries in the from clause addresses.
Error message: overlapping address, in the 'from' clause between 'except' entries

Restriction: Addresses in a NAT pool used for deterministic NAPT should not overlap with the addresses in any other NAT pool.
Error message: NAT pool det-nat-pool1 overlaps with det-nat-pool used by service set sset_det-nat error: configuration check-out failed

Restriction: A deterministic NAT pool cannot be used with other translation types. In addition, a deterministic NAT pool cannot be used in both deterministic NAPT44 and deterministic NAPT64 NAT rules.
Error message: Deterministic NAT pool cannot be used with other translation-types

Restriction: Deterministic NAPT44 must use a source pool with the deterministic-port-block-allocation configuration.
Error message: Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration

Restriction: If address-allocation round-robin is configured, a commit results in display of a warning indicating that this technique is not needed with translation-type deterministic-napt44 and is ignored.
Warning message: Address allocation round-robin is not needed with translation-type deterministic-napt44

Restriction: The total number of IP addresses assigned to a deterministic NAT pool should be less than or equal to 2^24 (16,777,216).
Error message: Number of addresses in pool with deterministic-napt44 translation are limited to at most 16777216(2^24)

Configuring Deterministic NAPT

Deterministic NAPT44 is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Deterministic NAPT44 is supported for MS-MPCs and MS-MICs starting in Junos OS Release 17.3R1, in Junos OS Release 14.2R7 and later 14.2 releases, and in Junos OS Release 15.1R3 and later 15.1 releases. Starting in Junos OS Release 17.4R1, deterministic NAPT64 is supported on the MS-MPC and MS-MIC.

To configure deterministic NAPT, perform the following:

Configuring the NAT Pool for Deterministic NAPT

To configure the NAT pool for deterministic NAPT:

  1. At the [edit services nat pool poolname] hierarchy level, create a pool.
  2. Define the range of addresses to be translated, specifying the upper and lower limits of the range or an address prefix that describes the range.

    Or

  3. To configure automatic port assignment, specify either sequential or random allocation.

    Note

    Starting in Junos OS Release 14.2R1, the sequential option is introduced to enable you to configure sequential allocation of ports. The sequential and random-allocation options available with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level are mutually exclusive. You can include the sequential option for sequential allocation and the random-allocation option for random delegation of ports. By default, sequential allocation of ports takes place if you include only the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level.

    For releases earlier than Junos OS Release 14.2R1, configure automatic sequential port assignment by using the auto option at the [edit services nat pool nat-pool-name port automatic] hierarchy level.

  4. To configure a range of ports to assign, specify the low and high values for the port. If you do not configure automatic port assignment, you must configure a range of ports.

    Note

    If you specify a range of ports to assign, the automatic statement is ignored.

  5. Configure deterministic port block allocation. Specify block-size or accept the default value of 512.

    You can also specify include-boundary-addresses if you want the lowest and highest addresses (the network and broadcast addresses) in the source address range of a NAT rule to be translated when the NAT pool is used. If the source address has a prefix of /32, the lowest and highest addresses are automatically translated.

    For example:

    Note

    In order for deterministic-port-block-allocation configuration changes to take effect, you must reboot the services PIC whenever you change any of the following nat pool options:

    • address or address-range

    • port range

    • port deterministic-port-block-allocation block-size

Configuring the NAT Rule for Deterministic NAPT

To configure the NAT rule for deterministic NAPT:

  1. Configure the NAT rule name.
  2. Configure the NAT rule match direction as input.
  3. Specify the addresses that are translated by the NAT rule.

    To specify one address:

    To specify a range of addresses:

  4. Specify the NAT pool that contains the addresses for translated traffic.
  5. Configure the translation type as deterministic NAPT44 or deterministic NAPT64.

Configuring the Service Set for Deterministic NAT

To configure the service set for deterministic NAPT:

  1. Define the service set.
  2. Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.

    or

  3. Specify the NAT rules or ruleset to be used with the service set.

Release History Table

  • 17.4R1: Starting in Junos OS Release 17.4R1, deterministic NAPT64 is supported on the MS-MPC and MS-MIC.

  • 17.3R1: Deterministic NAPT44 is supported for MS-MPCs and MS-MICs starting in Junos OS Release 17.3R1.

  • 14.2R1: Starting in Junos OS Release 14.2R1, the sequential option is introduced to enable you to configure sequential allocation of ports.