Related Documentation
- J Series
- Network Address Translation Overview for JSF
- Example: Configuring Dynamic Address-only Source Translation
- Example: Configuring Dynamic Source Translation (NAPT)
- Example: Configuring Static Source Translation
- Example: Configuring Dynamic and Static Source Translation
- M Series
- Network Address Translation Overview for JSF
- Example: Configuring Dynamic Address-only Source Translation
- Example: Configuring Dynamic Source Translation (NAPT)
- Example: Configuring Static Source Translation
- Example: Configuring Dynamic and Static Source Translation
- Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges
- Example: Configuring NAT Rules Without Defining a Pool
- MX Series
- Network Address Translation Overview for JSF
- Example: Configuring Dynamic Address-only Source Translation
- Example: Configuring Dynamic Source Translation (NAPT)
- Example: Configuring Static Source Translation
- Example: Configuring Dynamic and Static Source Translation
- Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges
- Example: Configuring NAT Rules Without Defining a Pool
- T Series
- Network Address Translation Overview for JSF
- Example: Configuring Dynamic Address-only Source Translation
- Example: Configuring Dynamic Source Translation (NAPT)
- Example: Configuring Static Source Translation
- Example: Configuring Dynamic and Static Source Translation
- Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges
- Example: Configuring NAT Rules Without Defining a Pool
Configuring Addresses and Ports for Use in NAT Rules
For information about configuring translated addresses, see the following sections:
Configuring Pools of Addresses and Ports
To configure pools for NAT, you need to specify a destination pool or a source pool. You use the pool statement to define the addresses that constitute the pool. You can define the pool by specifying addresses (or prefixes), address ranges, and ports that need to be used for network address translation.
To configure a NAT pool, include the pool statement at the [edit services nat] hierarchy level:
The address statement specifies the addresses that constitute the pool. Using this statement, you define the pool by specifying the IP address and IP address prefix.
The address-range statement also specifies the addresses that constitute the pool. Using this statement, you define the pool by specifying an address range. In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.
The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level. By default, Junos OS allocates NAT ports sequentially. To change the way ports are allocated, you can use the preserve-parity command, which allocates even ports for packets with even destination ports and odd ports for packets with odd destination ports, or the preserve-range command, which allocates ports within a range from 0 through 1023 assuming the original packet contains a destination port in the reserved range. This behavior is applicable to control sessions and not data sessions.
Pool Configuration Constraints for NAT
You must consider the following constraints when configuring a pool for NAT:
- For static source NAT and dynamic source NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool.
- For static source NAT, the prefixes and address ranges cannot overlap between separate pools.
- For static destination NAT, you can specify multiple address prefixes and address ranges in a single term. Multiple destination NAT terms can share a destination NAT pool. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses are not used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.
- When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 65,000 addresses, for a total of (65,000 x 65,535) or 4,259,775,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.
- With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.
For constraints on specific translation types, see Configuring Actions in NAT Rules.
Specifying Destination and Source Prefixes
You can directly specify the destination or source prefix used in network address translation without configuring a pool.
To configure the information, include the rule statement at the [edit services nat] hierarchy level:
Requirements for NAT Addresses
When configuring NAT addresses, keep in mind the following requirements:
- The following addresses, while valid in inet.0, cannot be used for NAT translation:
  - 0.0.0.0/32
  - 127.0.0.0/8 (loopback)
  - 128.0.0.0/16 (martian)
  - 191.255.0.0/16 (martian)
  - 192.0.0.0/24 (martian)
  - 223.255.255.0/24 (martian)
  - 224.0.0.0/4 (multicast)
  - 240.0.0.0/4 (reserved)
  - 255.255.255.255 (broadcast)
- You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method.
- When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused; pools cannot be shared.
Note: When you include a NAT configuration that changes IP addresses, the configuration might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocol packets transit the Multiservices PIC.
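The following Python script is an added example, not Juniper code and not part of the original page. It checks proposed pool definitions against constraints stated above: the addresses that cannot be used for NAT translation, the low-below-high rule for address ranges, the limit of 32 prefixes or ranges per pool, and the no-overlap rule between static source NAT pools. The pool names, the input shape (prefix strings and (low, high) tuples) and the function names are assumptions made for illustration.

```python
import ipaddress

# Prefixes the page lists as valid in inet.0 but unusable for NAT translation.
UNUSABLE = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/32", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
    "192.0.0.0/24", "223.255.255.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32")]
MAX_ENTRIES = 32  # prefixes and address ranges combined, per pool

# Constructed sample input (hypothetical pool names, documentation addresses).
SAMPLE = {
    "pool-a": ["198.51.100.0/24", ("203.0.113.10", "203.0.113.20")],
    "pool-b": ["198.51.100.128/25", ("10.0.0.9", "10.0.0.2"), "192.0.0.0/24"],
}

def expand(entry):
    """Return the networks covered by a prefix string or a (low, high) range."""
    if isinstance(entry, tuple):
        low, high = (ipaddress.IPv4Address(a) for a in entry)
        if low >= high:
            raise ValueError(f"range low {low} must be lower than high {high}")
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.IPv4Network(entry, strict=False)]

def check_pools(pools, static_source=False):
    """pools: {name: [prefix | (low, high), ...]}. Returns a list of findings."""
    findings, seen = [], []
    for name, entries in pools.items():
        if len(entries) > MAX_ENTRIES:
            findings.append(f"{name}: {len(entries)} entries exceeds {MAX_ENTRIES}")
        nets = []
        for entry in entries:
            try:
                nets.extend(expand(entry))
            except ValueError as exc:  # malformed address or inverted range
                findings.append(f"{name}: {exc}")
        for net in nets:
            for bad in UNUSABLE:
                if net.overlaps(bad):
                    findings.append(f"{name}: {net} overlaps unusable {bad}")
            if static_source:  # static source pools must not overlap each other
                for other, onet in seen:
                    if net.overlaps(onet):
                        findings.append(f"{name}: {net} overlaps pool {other} ({onet})")
        seen.extend((name, n) for n in nets)  # compare later pools against this one
    return findings

if __name__ == "__main__":
    print("\n".join(check_pools(SAMPLE, static_source=True)))
```

Run against the constructed sample with static_source=True, it reports the inverted range, the overlap between the two pools, and the martian prefix in pool-b.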


