
Network Address Port Translation

Configuring Address Pools for Network Address Port Translation (NAPT) Overview

With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.

The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. By default, sequential allocation of ports occurs.

Starting with Junos OS Release 14.2, you can include the sequential option with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level for sequenced allocation of ports from the specified range. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.

Note:

When 99% of the total available ports in a pool for napt-44 are in use, no new flows are allowed on that NAT pool.

Starting with Junos OS Release 14.2, the auto option is hidden and is deprecated, and is only maintained for backward compatibility. It might be removed completely in a future software release.

The Junos OS provides several alternatives for allocating ports:

Round-Robin Allocation for NAPT

To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

  • The first connection is allocated to the address:port 100.0.0.1:3333.

  • The second connection is allocated to the address:port 100.0.0.2:3333.

  • The third connection is allocated to the address:port 100.0.0.3:3333.

  • The fourth connection is allocated to the address:port 100.0.0.4:3333.

  • The fifth connection is allocated to the address:port 100.0.0.5:3333.

  • The sixth connection is allocated to the address:port 100.0.0.6:3333.

  • The seventh connection is allocated to the address:port 100.0.0.7:3333.

  • The eighth connection is allocated to the address:port 100.0.0.8:3333.

  • The ninth connection is allocated to the address:port 100.0.0.9:3333.

  • The tenth connection is allocated to the address:port 100.0.0.10:3333.

  • The eleventh connection is allocated to the address:port 100.0.0.11:3333.

  • The twelfth connection is allocated to the address:port 100.0.0.12:3333.

  • Wraparound occurs and the thirteenth connection is allocated to the address:port 100.0.0.1:3334.

Sequential Allocation for NAPT

With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.

Sequential allocation can be configured only for the MS-DPC and the MS-100, MS-400, and MS-500 MultiServices PICs. The MS-MPC and MS-MIC cards use only the round-robin allocation approach.

Note:
  • This legacy implementation provides backward compatibility and is no longer a recommended approach.

The NAT pool called napt in the following configuration example uses the sequential implementation:

In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed. In the case of the example napt pool, the tuple address, port 100.0.0.4:3333, is allocated only when all ports for all the addresses in the first range have been used.

  • The first connection is allocated to the address:port 100.0.0.1:3333.

  • The second connection is allocated to the address:port 100.0.0.1:3334.

  • The third connection is allocated to the address:port 100.0.0.2:3333.

  • The fourth connection is allocated to the address:port 100.0.0.2:3334, and so on.
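The two allocation orders described above, as an added Python sketch (not Juniper code and not part of the original page). The pool layout of four three-address ranges with ports 3333 to 3334 is an assumption chosen to match the allocations listed in the text, and reuse of released ports is a simplification.

```python
from ipaddress import IPv4Address

# Constructed pool (assumption): four ranges of three addresses and ports
# 3333-3334, chosen so the output matches the allocations listed in the text.
RANGES = [("100.0.0.1", "100.0.0.3"), ("100.0.0.4", "100.0.0.6"),
          ("100.0.0.7", "100.0.0.9"), ("100.0.0.10", "100.0.0.12")]
PORT_LOW, PORT_HIGH = 3333, 3334


def expand(ranges):
    """Flatten (low, high) address ranges into one ordered address list."""
    addrs = []
    for low, high in ranges:
        first, last = int(IPv4Address(low)), int(IPv4Address(high))
        addrs.extend(str(IPv4Address(a)) for a in range(first, last + 1))
    return addrs


class NaptPool:
    """Hands out (address, port) pairs in round-robin or sequential order."""

    def __init__(self, ranges, port_low, port_high, policy):
        addrs = expand(ranges)
        ports = range(port_low, port_high + 1)
        if policy == "round-robin":
            # One port from every address before moving to the next port.
            self.order = [(a, p) for p in ports for a in addrs]
        elif policy == "sequential":
            # Every port of one address before moving to the next address.
            self.order = [(a, p) for a in addrs for p in ports]
        else:
            raise ValueError(f"unknown policy: {policy}")
        self.in_use = set()
        self.cursor = 0

    def allocate(self):
        """Return the next unused pair after the cursor, or None if exhausted."""
        size = len(self.order)
        for step in range(size):
            candidate = self.order[(self.cursor + step) % size]
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                self.cursor = (self.cursor + step + 1) % size
                return candidate
        return None

    def release(self, pair):
        """Return a pair to the pool when its flow ends."""
        self.in_use.discard(pair)


def allocations(policy, count):
    """Allocate `count` flows from a fresh pool; format pairs as address:port."""
    pool = NaptPool(RANGES, PORT_LOW, PORT_HIGH, policy)
    pairs = [pool.allocate() for _ in range(count)]
    return [f"{p[0]}:{p[1]}" if p else None for p in pairs]


if __name__ == "__main__":
    for policy in ("round-robin", "sequential"):
        print(policy, allocations(policy, 13))
```

With sequential allocation the first public address carries every early flow, while round-robin spreads the same flows across all twelve addresses, which changes how many subscribers share one address in the NAT log.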

Preserve Parity and Preserve Range for NAPT

Preserve parity and preserve range options are available for NAPT, and are supported on MS-DPCs and MS-100, MS-400, and MS-500 MultiServices PICs. Support for MS-MPCs and MS-MICs starts in Junos OS Release 15.1R1. The following options are available for NAPT:

  • Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.

  • Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.

Address Pooling and Endpoint Independent Mapping for NAPT

Address Pooling

Address pooling, or address pooling paired (APP), ensures assignment of the same external IP address for all sessions originating from the same internal host. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization.

Address pooling solves the problems of an application opening multiple connections. For example, when a Session Initiation Protocol (SIP) client sends Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, the SIP server generally requires that they come from the same IP address, even if they have been subject to NAT. If the RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) benefits from address pooling paired.

The following are use cases for address pooling:

  • A site that offers instant messaging services requires that chat sessions and their control sessions come from the same public source address. When the user signs on to chat, a control session authenticates the user. A different session begins when the user starts a chat session. If the chat session originates from a source address that is different from the authentication session, the instant messaging server rejects the chat session, because it originates from an unauthorized address.

  • Certain websites such as online banking sites require that all connections from a given host come from the same IP address.

Note:

Starting with Junos OS Release 14.1, when you deactivate a service-set that contains address pooling paired (APP) mappings, messages are displayed on the PIC console and the mappings are cleared for that service-set. These messages are generated when the deletion of the service-set commences and again when the deletion is completed. The following sample messages are displayed when deletion starts and ends:

  • Nov 15 08:33:13.974 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated

  • Nov 15 08:33:14.674 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed

In a scaled environment that contains a large number of APP mappings in a service set, a heavy volume of messages is generated and this process takes some amount of time. We recommend that you wait until the console messages indicate that deletion of the service set has completed before you reactivate the service-set.

Endpoint Independent Mapping and Endpoint Independent Filtering

Endpoint independent mapping (EIM) ensures the assignment of the same external address and port for all connections from a given host if they use the same internal port. This means if they come from a different source port, you are free to assign a different external address.

EIM and APP differ as follows:

  • APP ensures assigning the same external IP address.

  • EIM provides a stable external IP address and port (for a period of time) to which external hosts can connect. Endpoint independent filtering (EIF) controls which external hosts can connect to an internal host.

Note:

Starting with Junos OS Release 14.1, when you deactivate a service-set that contains endpoint independent mapping (EIM) mappings, messages are displayed on the PIC console and the mappings are cleared for that service-set. These messages are generated when the deletion of the service-set commences and again when the deletion is completed. The following sample messages are displayed when deletion starts and ends:

  • Nov 15 08:33:13.974 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated

  • Nov 15 08:33:14.674 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed

In a scaled environment that contains a large number of EIM mappings in a service set, a heavy volume of messages is generated and this process takes some amount of time. We recommend that you wait until the console messages indicate that deletion of the service set has completed before you reactivate the service-set.

Secured Port Block Allocation for NAPT

Port block allocation is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Port block allocation is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS Release 14.2R2.

Carriers track subscribers using the IP address (RADIUS or DHCP) log. If they use NAPT, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which are part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers.

Secured Port Block Allocation for NAPT

Secured port block allocation can be used for translation types napt-44 and stateful-nat64.

When allocating blocks of ports, the most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.

When you configure secured port block allocation, you can specify the following:

  • block-size

  • max-blocks-per-address

  • active-block-timeout
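The log-reduction and subscriber-tracking argument above, as an added Python model (not Juniper code and not part of the original page): ports are drawn at random from the active block, one log record is written per block, and `attribute` maps a public address, port and time back to a subscriber. The addresses and port range are constructed, and the meaning given to max-blocks-per-address (blocks one private address may hold) and active-block-timeout (seconds before a new block becomes active) is an assumption, as is the fallback when no new block is available.

```python
import random


class PortBlockNat:
    """Toy model of secured port block allocation on one public address."""

    def __init__(self, public_ip, port_low, port_high, block_size,
                 max_blocks_per_address, active_block_timeout, seed=0):
        self.public_ip = public_ip
        self.block_size = block_size
        self.max_blocks = max_blocks_per_address
        self.timeout = active_block_timeout
        # Start ports of the blocks nobody owns yet.
        self.free_blocks = list(range(port_low, port_high - block_size + 2, block_size))
        self.blocks = {}   # private address -> its blocks, newest last
        self.log = []      # one record per block, not per flow
        self.rng = random.Random(seed)

    def _new_block(self, private_ip, now):
        owned = self.blocks.setdefault(private_ip, [])
        if len(owned) >= self.max_blocks or not self.free_blocks:
            return None
        start = self.free_blocks.pop(0)
        end = start + self.block_size - 1
        block = {"since": now, "free": set(range(start, end + 1))}
        owned.append(block)
        self.log.append({"time": now, "private": private_ip,
                         "public": self.public_ip, "low": start, "high": end})
        return block

    def allocate(self, private_ip, now):
        """Return a translated source port for a new flow, or None."""
        owned = self.blocks.get(private_ip, [])
        active = owned[-1] if owned else None
        expired = active is not None and now - active["since"] >= self.timeout
        if active is None or expired or not active["free"]:
            fresh = self._new_block(private_ip, now)
            # Modelling assumption: with no new block available, fall back to
            # any owned block that still has a free port.
            spare = [b for b in self.blocks.get(private_ip, []) if b["free"]]
            active = fresh or (spare[-1] if spare else None)
            if active is None:
                return None
        port = self.rng.choice(sorted(active["free"]))  # random within the block
        active["free"].remove(port)
        return port


def attribute(log, public_ip, port, when):
    """Name the subscriber whose block covered public_ip:port at time `when`."""
    hits = [r for r in log if r["public"] == public_ip
            and r["low"] <= port <= r["high"] and r["time"] <= when]
    return max(hits, key=lambda r: r["time"])["private"] if hits else None


def demo():
    """Constructed scenario: 512 ports, 64-port blocks, two blocks per host."""
    nat = PortBlockNat("203.0.113.7", 1024, 1535, block_size=64,
                       max_blocks_per_address=2, active_block_timeout=120)
    a_ports = [nat.allocate("10.0.0.1", now=0) for _ in range(100)]
    b_port = nat.allocate("10.0.0.2", now=5)
    return nat, a_ports, b_port
```

In the constructed scenario, 101 flows from two subscribers produce three block records instead of 101 per-flow records, and any of those ports can still be traced to its subscriber from the block log alone.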

Interim Logging for Port Block Allocation

With port block allocation, one syslog message is generated per set of ports allocated for a subscriber. These messages are UDP-based and can be lost in the network, particularly for long-running flows. Interim logging re-sends these messages at a configured interval for active blocks that have traffic on at least one of the ports of the block.

Interim logging is activated by including the pba-interim-logging-interval statement under services-options for sp- interfaces.

Comparison of NAPT Implementation Methods

Table 1 provides a feature comparison of available NAPT implementation methods.

Table 1: Comparison of NAPT Implementation Methods

| Feature/Function | Dynamic Port Allocation | Secured Port Block Allocation | Deterministic Port Block Allocation |
|---|---|---|---|
| Users per IP | High | Medium | Low |
| Security Risk | Low | Medium | Medium |
| Log Utilization | High | Low | None (no logs necessary) |
| Security Risk Reduction | Random allocation | active-block-timeout feature | n/a |
| Increasing Users per IP | n/a | Configure multiples of smaller port blocks to maximize users/public IP | Algorithm-based port allocation |

Configuring NAPT in IPv4 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv4 networks.

To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv4 addresses.

To configure the NAPT in IPv4 networks:

  1. In configuration mode, go to the [edit services] hierarchy level.
  2. Configure the service set and NAT rule.

    In the following example, the name of the service set is s1 and the name of the NAT rule is rule-napt-44.

  3. Go to the [interface-service] hierarchy level of the service set.
  4. Configure the service interface.

    In the following example, the name of the service interface is ms-0/1/0.

    Note:

    If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

  5. Go to the [edit services nat] hierarchy level. Issue the command from the top of the services hierarchy, or use the top keyword.
  6. Configure the NAT pool with an address.

    In the following example, the name of the pool is napt-pool and the address is 10.10.10.0.

  7. Configure the port.

    In the following example, the port type is selected as sequential or auto.

    Note:

    Starting in Junos OS Release 14.2, the sequential option is introduced to enable you to configure sequential allocation of ports. The sequential and random-allocation options available with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level are mutually exclusive. You can include the sequential option for sequential allocation and the random-allocation option for random delegation of ports. By default, sequential allocation of ports takes place if you include only the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. The auto option is hidden and is deprecated in Junos OS Release 14.2 and later, and is only maintained for backward compatibility. It might be removed completely in a future software release.

  8. Configure the rule and the match direction.

    In the following example, the name of the rule is rule-napt-44 and the match direction is input.

  9. Configure the term, the action for the translated traffic, and the translation type.

    In the following example, the name of the term is t1, the action for the translated traffic is translated, the name of the source pool is napt-pool, and the translation type is napt-44.

  10. Go to the [edit services adaptive-services-pics] hierarchy level. In the command, the top keyword ensures that the command is run from the top of the hierarchy.
  11. Configure the trace options.

    In the following example, the tracing parameter is configured as all.

  12. Verify the configuration by using the show command at the [edit services] hierarchy level.

The following example configures the translation type as napt-44.

Dynamic Address Translation to a Small Pool with Fallback to NAT

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. When the addresses in the source pool (src-pool) are exhausted, NAT is provided by the NAPT overload pool (pat-pool).

Dynamic Address Translation with Small Pool

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. Sessions from the first 10 host sessions are assigned an address from the pool on a first-come, first-served basis, and any additional requests are rejected. Each host with an assigned NAT can participate in multiple sessions.

Configuring NAPT in IPv6 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv6 networks. Configuring NAPT in IPv6 networks is not supported if you are using MS-MPCs or MS-MICs. For information about configuring NAPT in IPv4 networks, see Configuring NAPT in IPv4 Networks.

To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv6 addresses.

To configure NAPT in IPv6 networks:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
  2. Define the pool of IPv6 source addresses that must be used for dynamic translation. For NAPT, also specify port numbers when configuring the source pool. 

    For example:

  3. Define a NAT rule for translating the source addresses. To do this, set the match-direction statement of the rule as input. In addition, define a term that uses napt-66 as the translation type for translating the addresses of the pool defined in the previous step. Note that the napt-66 translation type is supported only on the MS-DPC, MS-100, MS-400, and MS-500 line cards.

    For example:

  4. Enter the up command to navigate to the [edit services] hierarchy level.
  5. Define a service set to specify the services interface that must be used, and reference the NAT rule implemented for NAPT translation.

    For example:

  6. Define the trace options for the adaptive services PIC.

    For example:

The following example configures dynamic source (address and port) translation or NAPT for an IPv6 network.

Example: Configuring NAT with Port Translation

This example shows how to configure NAT with port translation.

Requirements

This example uses the following hardware and software components:

  • An MX Series 5G Universal Routing Platform with a Services DPC or an M Series Multiservice Edge router with a services PIC

  • A domain name server (DNS)

  • Junos OS Release 11.4 or higher

Overview

This example shows a complete CGN NAT44 configuration and advanced options.

Configuring NAT with Port Translation

Procedure

Step-by-Step Procedure

To configure the service set:

  1. Configure a service set.

  2. In configuration mode, go to the [edit services nat] hierarchy level.

  3. Define the pool of source addresses that must be used for dynamic translation. For NAPT, also specify port numbers when configuring the source pool. 

    For example:

  4. Specify the NAT rule to be used.

  5. Define a NAT rule for translating the source addresses. To do this, set the match-direction statement of the rule as input. In addition, define a term that uses napt-44 as the translation type for translating the addresses of the pool defined in the previous step.

    For example:

  6. Specify the interface service.

Results

Example: NAPT Configuration on the MS-MPC With an Interface Service Set

This example shows how to configure network address translation with port translation (NAPT) on an MX series router using a MultiServices Modular Port Concentrator (MS-MPC) as a services interface card.

Requirements

This example uses the following hardware and software components:

  • MX-series router

  • MultiServices Modular Port Concentrator (MS-MPC)

  • Junos OS Release 13.2R1 or higher

Overview

A service provider has chosen an MS-MPC as a platform to provide NAT services to accommodate new subscribers.

Configuration

To configure NAPT44 using the MS-MPC as a services interface card, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuring Interfaces

Step-by-Step Procedure

Configure the interfaces required for NAT processing. You will need the following interfaces:

  • A customer-facing interface that handles traffic from and to the customer.

  • An internet-facing interface.

  • A services interface that provides NAT and stateful firewall services to the customer-facing interface.

  1. Configure the interface for the customer-facing interface.

  2. Configure the interface for the Internet-facing interface.

  3. Configure the interface for the service set that will connect services to the customer-facing interface. In our example, the interface resides on an MS-MPC.

Configure an Application Set of Acceptable Application Traffic

Step-by-Step Procedure

Identify the acceptable applications for incoming traffic.

  1. Specify an application set that contains acceptable incoming application traffic.

Results

Configuring a Stateful Firewall Rule

Step-by-Step Procedure

Configure a stateful firewall rule that will accept all incoming traffic.

  1. Specify firewall matching for all input and output.

  2. Identify source-address and acceptable application traffic from the customer-facing interface.

Results

Configuring NAT Pool and Rule

Step-by-Step Procedure

Configure a NAT pool and rule for address translation with automatic port assignment.

  1. Configure the NAT pool with automatic port assignment.

  2. Configure a NAT rule that applies translation type napt-44 using the defined NAT pool.

Results

Configuring the Service Set

Step-by-Step Procedure

Configure an interface type service set.

  1. Specify the NAT and stateful firewall rules that apply to customer traffic.

  2. Specify the services interface that applies the rules to customer traffic.

Results

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---|---|
| 14.2 | Starting with Junos OS Release 14.2, you can include the sequential option with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level for sequenced allocation of ports from the specified range. |
| 14.2 | Starting with Junos OS Release 14.2, the auto option is hidden and is deprecated, and is only maintained for backward compatibility. |
| 14.2 | Starting in Junos OS Release 14.2, the sequential option is introduced to enable you to configure sequential allocation of ports. |
| 14.1 | Starting with Junos OS Release 14.1, when you deactivate a service-set that contains address pooling paired (APP) mappings, messages are displayed on the PIC console and the mappings are cleared for that service-set. |
| 14.1 | Starting with Junos OS Release 14.1, when you deactivate a service-set that contains endpoint independent mapping (EIM) mappings, messages are displayed on the PIC console and the mappings are cleared for that service-set. |