Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configuring Network Address Port Translation for Next Gen Services

Configuring the Source Pool for NAPT

To configure the source pool for NAPT:

  1. Create a source pool.
  2. Define the addresses or subnets to which source addresses are translated.

    or

  3. To configure automatic port assignment for the pool, specify either random allocation or round-robin allocation. Round-robin allocation is the default.

    Random allocation randomly assigns a port from the range 1024 through 65535 for each port translation. Round-robin allocation first assigns port 1024, and uses the next higher port for each successive port assignment.

  4. To disable round-robin port allocation for all NAT pools that do not specify an automatic (random-allocation | round-robin) setting, configure the global setting.
  5. To configure a range of ports to assign to a pool, perform the following:
    Note:

    If you specify a range of ports to assign, the automatic statement is ignored.

    1. Specify the low and high values for the port. If you do not configure automatic port assignment, you must configure a range of ports.
    2. Specify either random allocation or round-robin allocation. Round-robin allocation is the default.
  6. Assign a port within the same range as the incoming port—either 0 through 1023 or 1024 through 65,535. This feature is not available if you configure port-block allocation.
  7. Assign a port with the same parity (even or odd) as the incoming source port. This feature is not available if you configure port-block allocation.
  8. Configure a global default port range for NAT pools that use port translation. This port range is used when a NAT pool does not specify a port range and does not specify automatic port assignment. The global port range can be from 1024 through 65,535.
  9. If you want to allocate a block of ports for each subscriber to use for NAPT, configure port-block allocation:
    1. Configure the number of ports in a block. The range is 1 through 64,512 and the default is 128.
    2. Configure the interval, in seconds, for which the block is active. After the timeout, a new block is allocated, even if ports are available in the active block. If you set the timeout to 0, port blocks are filled completely before a new port block is allocated, and the last port block remains active indefinitely. The range is 0 through 86,400, and the default is 0.
    3. Specify the timeout period for address-pooling paired mappings that use the NAT pool. The range is 120 through 86,400 seconds, and the default is 300. Mappings that are inactive for this amount of time are dropped.

      If you do not configure ei-mapping-timeout for endpoint independent translations, then the mapping-timeout value is used for endpoint independent translations.

    4. Configure the maximum number of blocks that can be allocated to a user address. The range is 1 through 512, and the default is 8.
    5. Specify how often to send interim system logs for active port blocks and for inactive port blocks with live sessions. This increases the reliability of system logs, which are UDP-based and can get lost in the network. The range is 1800 through 86,400 seconds, and the default is 0 (interim logs are disabled).
  10. Specify the timeout period for endpoint independent translations that use the specified NAT pool. Mappings that are inactive for this amount of time are dropped. The range is 120 through 86,400 seconds. If you do not configure ei-mapping-timeout, then the mapping-timeout value is used for endpoint independent translations.
  11. Specify the timeout period for address-pooling paired mappings that use the NAT pool. The range is 120 through 86,400 seconds, and the default is 300. Mappings that are inactive for this amount of time are dropped.

    If you do not configure ei-mapping-timeout for endpoint independent translations, then the mapping-timeout value is used for endpoint independent translations.

  12. Define the NAT pool utilization levels that trigger SNMP traps. The raise-threshold is the pool utilization percentage that triggers the trap, and the range is 50 through 100. The clear-threshold is the pool utilization percentage that clears the trap, and the range is 40 through 100. For pools that use port-block allocation, the utilization is based on the number of ports that are used; for pools that do not use port-block allocation, the utilization is based on the number of addresses that are used.

    If you do not configure pool-utilization-alarm, traps are not created.

  13. To allow the IP addresses of a NAT pool to overlap with IP addresses in pools used in other service sets, configure allow-overlapping-pools. However, pools that configure port-block allocation must not overlap with other pools.

Configuring the NAT Source Rule for NAPT

To configure the NAT source rule for NAPT:

  1. Configure the NAT rule name.
  2. Specify the traffic direction to which the NAT rule set applies.
  3. Specify the source addresses that are translated by the source NAT rule.

    To specify one address or prefix value:

    To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:

    To specify any unicast address:

  4. Specify one or more application protocols to which the NAT rule applies. The number of applications listed in the rule must not exceed 3072.
  5. Specify the NAT pool that contains the addresses for translated traffic.
  6. Configure the address-pooling paired feature if you want to ensure assignment of the same external IP address for all sessions originating from the same internal host.
  7. If you want to ensure that the same external address and port are assigned to all connections from a given host, configure endpoint-independent mapping:
    1. Configure the mapping type as endpoint independent.
    2. Specify prefix lists that contain the hosts that are allowed to establish inbound connections using the endpoint-independent mapping. (Prefix lists are configured at the [edit policy-options] hierarchy level.)
    3. Specify the maximum number of inbound flows allowed simultaneously on an endpoint-independent mapping.
    4. Specify the direction in which active endpoint-independent mapping is refreshed. By default, mapping is refreshed for both inbound and outbound active flows.
  8. Configure the generation of a syslog when traffic matches the NAT rule conditions.

Configuring the Service Set for NAPT

To configure the service set for NAPT:

  1. Define the service set.
  2. Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.

    or

  3. Specify the NAT rule sets to be used with the service set.

Related Documentation