Configuring Addresses and Ports for Use in NAT Rules
For information about configuring translated addresses, see the following sections:
Configuring Pools of Addresses and Ports
You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for network address translation. You can also use the pgcp option with the pool statement to specify that the NAT pool is used exclusively by the BGF. To configure the information, include the pool statement at the [edit services nat] hierarchy level:
To configure pools for traditional NAT, specify either a destination pool or a source pool. To configure pools for twice NAT, specify both the destination pool and the source pool.
With static source NAT and dynamic source NAT, you can specify multiple IPv4 or IPv6 addresses (or prefixes) and IPv4 and IPv6 address ranges. Up to 10 prefixes or address ranges (or a combination) can be supported within a single pool.
With static destination NAT, you can also specify multiple address prefixes and address ranges in a single term. Multiple destination NAT terms can share a destination NAT pool. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.
For constraints on specific translation types, see Configuring Actions in NAT Rules.
With source static NAT, the prefixes and address ranges cannot overlap between separate pools. However, source dynamic NAT (without NAPT) and destination static NAT allow more than one rule or service set to refer to the same pool, and allow multiple pools to have subnets that can overlap. A prefix pool can be used by multiple rules or terms.
Note: When you configure address pools for NAT and user access, these address pools can overlap with one another. To configure overlapping address pools, include the address or address-range statement at the [edit access address-pool pool-name] and [edit services nat pool pool-name] hierarchy levels.
In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.
When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 32 addresses, for a total of (32 x 65,535) or 2,097,120 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.
The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level. By default, the Junos OS allocates NAT ports sequentially. To configure random port allocation, include the random-allocation statement.
For compliance with RFC 4787, NAT Behavioral Requirements for Unicast UDP, you can configure the following statement:
This setting enables you to age out the NAT mappings created using a particular address pool. The timer has a default setting of 300 seconds and a range of 120 through 864,000 seconds.
Specifying Destination and Source Prefixes
You can directly specify the destination or source prefix used in network address translation without configuring a pool. When you configure prefixes for twice NAT, you must specify both a destination prefix and a source prefix.
To configure the information, include the rule statement at the [edit services nat] hierarchy level:
Requirements for NAT Addresses
You must configure a specific address, a prefix, or the address-range boundaries:
- The following addresses, while valid in inet.0, cannot be used for NAT translation:
  - 0.0.0.0/32
  - 127.0.0.0/8 (loopback)
  - 128.0.0.0/16 (martian)
  - 191.255.0.0/16 (martian)
  - 192.0.0.0/24 (martian)
  - 223.255.255.0/24 (martian)
  - 224.0.0.0/4 (multicast)
  - 240.0.0.0/4 (reserved)
  - 255.255.255.255 (broadcast)
- You can specify one or more IPv4 or IPv6 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method. For more information, see the configuration examples.
- When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused; pools cannot be shared.
Note: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocol packets transit the Adaptive Services (AS) or Multiservices PIC.
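The pool constraints stated above (at most 10 prefixes or ranges per pool, low below high in a range, the dynamic source NAT size limits, and the addresses that cannot be used for translation) can be checked before a change is committed. The following Python pre-commit check is an added example, not Juniper code; the function name check_pool and the sample pools are hypothetical, and it assumes the 32-address limit with a port statement applies to the pool's total address count.

```python
import ipaddress

# Addresses the page lists as unusable for NAT translation.
UNUSABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
    "192.0.0.0/24", "223.255.255.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32")]

def check_pool(prefixes=(), ranges=(), port=False, dynamic=True):
    """Return a list of rule violations for one hypothetical pool description.

    prefixes: CIDR strings; ranges: (low, high) string pairs;
    port: True when the pool has a port statement; dynamic: dynamic source NAT.
    """
    problems, spans = [], []
    if len(prefixes) + len(ranges) > 10:
        problems.append("more than 10 prefixes/ranges in one pool")
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        spans.append((p, net[0], net[-1]))
    for low, high in ranges:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo.version != hi.version or lo >= hi:
            problems.append(f"range {low}-{high}: low must be lower than high")
            continue
        spans.append((f"{low}-{high}", lo, hi))
    total = 0
    for label, first, last in spans:
        total += int(last) - int(first) + 1
        for bad in UNUSABLE:
            # Interval overlap test, IPv4 only (the listed blocks are IPv4).
            if first.version == 4 and first <= bad[-1] and bad[0] <= last:
                problems.append(f"{label} overlaps unusable block {bad}")
    # Assumption: the 32-address limit counts every address in the pool.
    if dynamic and port and total > 32:
        problems.append(f"{total} addresses with a port statement (limit 32)")
    if dynamic and not port and total > 65535:
        problems.append(f"{total} addresses without port translation (limit 65,535)")
    return problems

# Constructed sample pools (documentation address space, not real deployments).
SAMPLES = {
    "ok-napt": dict(prefixes=["203.0.113.0/27"], port=True),
    "too-big-napt": dict(prefixes=["203.0.113.0/24"], port=True),
    "reversed": dict(ranges=[("198.51.100.20", "198.51.100.10")]),
    "martian": dict(ranges=[("191.254.255.250", "191.255.0.5")], dynamic=False),
}

if __name__ == "__main__":
    for name, pool in SAMPLES.items():
        print(name, check_pool(**pool) or "OK")
```

The static case (dynamic=False) skips both size limits, matching the statement that static source NAT has no pool size limit.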
Configuring IPv6 Multicast Filters
To enable multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery, you must include the ipv6-multicast-interfaces statement at the [edit services nat] hierarchy level.
By default, multicast filters are not enabled on media interfaces. To enable filters on all interfaces, include the ipv6-multicast-interfaces all statement. To enable filters on a specified interface only, include the ipv6-multicast-interfaces interface-name statement.
To disable filters that were previously enabled, include the disable statement.

