Configuring Twice NAPT for Next Gen Services

Configuring the Source and Destination Pools for Twice NAPT

To configure the source and destination pools for twice NAPT:

  1. Create a source pool.
  2. Define the addresses or subnets to which source addresses are translated.

    or

  3. To configure automatic port assignment, specify either random allocation or round-robin allocation.

    Random allocation assigns a randomly chosen port from the range 1024 through 65535 for each port translation. Round-robin allocation first assigns port 1024 and then uses the next higher port for each successive port assignment. Round-robin allocation is the default.

  4. To disable round-robin port allocation for all NAT pools that do not specify an automatic (random-allocation | round-robin) setting, configure the global setting.
  5. To configure a range of ports to assign to a pool, perform the following:
    Note: If you specify a range of ports to assign, the automatic statement is ignored.

    1. Specify the low and high values for the port. If you do not configure automatic port assignment, you must configure a range of ports.
    2. Specify either random allocation or round-robin allocation. Round-robin allocation is the default.
  6. Assign a port within the same range as the incoming port—either 0 through 1023 or 1024 through 65,535. This feature is not available if you configure port-block allocation.
  7. Assign a port with the same parity (even or odd) as the incoming port. This feature is not available if you configure port-block allocation.
  8. Configure a global default port range for NAT pools that use port translation. This port range is used when a NAT pool does not specify a port range and does not specify automatic port assignment. The global port range can be from 1024 through 65,535.
  9. If you want to allocate a block of ports for each subscriber to use for NAPT, configure port-block allocation:
    1. Configure the number of ports in a block. The range is 1 through 64,512 and the default is 128.
    2. Configure the interval, in seconds, for which the block is active. After the timeout, a new block is allocated, even if ports are available in the active block. If you set the timeout to 0, port blocks are filled completely before a new port block is allocated, and the last port block remains active indefinitely. The range is 0 through 86,400, and the default is 0.
    3. Configure the maximum number of blocks that can be allocated to a user address. The range is 1 through 512, and the default is 8.
    4. Specify how often to send interim system logs for active port blocks and for inactive port blocks with live sessions. This increases the reliability of system logs, which are UDP-based and can get lost in the network. The range is 1800 through 86,400 seconds, and the default is 0 (interim logs are disabled).
  10. Specify the timeout period for endpoint independent translations that use the specified NAT pool. Mappings that are inactive for this amount of time are dropped. The range is 120 through 86,400 seconds. If you do not configure ei-mapping-timeout, then the mapping-timeout value is used for endpoint independent translations.
  11. Specify the timeout period for address-pooling paired mappings that use the NAT pool. The range is 120 through 86,400 seconds, and the default is 300. Mappings that are inactive for this amount of time are dropped.

    If you do not configure ei-mapping-timeout for endpoint independent translations, then the mapping-timeout value is used for endpoint independent translations.

  12. Define the NAT pool utilization levels that trigger SNMP traps. The raise-threshold is the pool utilization percentage that triggers the trap, and the range is 50 through 100. The clear-threshold is the pool utilization percentage that clears the trap, and the range is 40 through 100. For pools that use port-block allocation, the utilization is based on the number of ports that are used; for pools that do not use port-block allocation, the utilization is based on the number of addresses that are used.

    If you do not configure pool-utilization-alarm, traps are not created.

  13. Create a destination pool. Do not use the same name that you used for the source pool.
  14. Define the addresses or subnets to which destination addresses are translated.
  15. To allow the IP addresses of a NAT source pool or destination pool to overlap with IP addresses in pools used in other service sets, configure allow-overlapping-pools. However, pools that configure port-block allocation must not overlap with other pools.
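The following Python model is an added example, not Juniper code or any Junos implementation; it exists to make the port-allocation behaviour in the pool procedure above concrete. It models a source pool with round-robin or random port assignment, port-block allocation with a block size, active-block timeout and maximum blocks per address (the documented ranges are validated), and the pool-utilization alarm with its raise and clear thresholds. Class names, the `now` argument used to stand in for the clock, and the choice to count every port in an allocated block as used for the utilization figure are assumptions of this model.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UtilizationAlarm:
    """pool-utilization-alarm: raise-threshold 50-100, clear-threshold 40-100."""
    raise_threshold: int
    clear_threshold: int
    raised: bool = False

    def __post_init__(self) -> None:
        if not (50 <= self.raise_threshold <= 100 and 40 <= self.clear_threshold <= 100):
            raise ValueError("threshold outside the documented range")

    def update(self, utilization_pct: float) -> Optional[str]:
        """Return 'raise' or 'clear' when a trap would be sent, else None."""
        if not self.raised and utilization_pct >= self.raise_threshold:
            self.raised = True
            return "raise"
        if self.raised and utilization_pct <= self.clear_threshold:
            self.raised = False
            return "clear"
        return None


@dataclass
class PortBlock:
    address: str
    low: int
    high: int
    allocated_at: int   # seconds; compared against the active-block timeout
    used: int = 0       # ports handed out from this block so far

    def full(self) -> bool:
        return self.used > self.high - self.low


class NaptSourcePool:
    """Port allocation for one source pool: round-robin or random, optionally in blocks."""

    def __init__(self, addresses: List[str], port_low: int = 1024, port_high: int = 65535,
                 allocation: str = "round-robin", block_size: int = 0,
                 active_block_timeout: int = 0, max_blocks_per_address: int = 8,
                 alarm: Optional[UtilizationAlarm] = None, seed: int = 0) -> None:
        if block_size and not 1 <= block_size <= 64512:
            raise ValueError("block size must be 1 through 64,512")
        if not 0 <= active_block_timeout <= 86400:
            raise ValueError("active block timeout must be 0 through 86,400")
        if not 1 <= max_blocks_per_address <= 512:
            raise ValueError("max blocks per address must be 1 through 512")
        self.addresses = list(addresses)
        self.ports_per_address = port_high - port_low + 1
        # Free ports per address, ascending, so round-robin hands out 1024 first.
        self.free: Dict[str, List[int]] = {a: list(range(port_low, port_high + 1)) for a in addresses}
        self.allocation = allocation
        self.block_size = block_size
        self.active_block_timeout = active_block_timeout
        self.max_blocks = max_blocks_per_address
        self.blocks: Dict[str, List[PortBlock]] = {}   # internal host -> its blocks
        self.alarm = alarm
        self.trap_events: List[str] = []               # constructed stand-in for SNMP traps
        self.rng = random.Random(seed)

    def allocate(self, host: str, now: int = 0) -> Tuple[str, int]:
        """Translate one new connection from `host`; returns (external address, external port)."""
        addr, port = self._allocate_from_block(host, now) if self.block_size else self._allocate_single()
        if self.alarm is not None:
            event = self.alarm.update(self.utilization())
            if event:
                self.trap_events.append(event)
        return addr, port

    def _allocate_single(self) -> Tuple[str, int]:
        for addr in self.addresses:
            free = self.free[addr]
            if free:
                if self.allocation == "random-allocation":
                    return addr, free.pop(self.rng.randrange(len(free)))
                return addr, free.pop(0)          # round-robin: next higher unused port
        raise RuntimeError("source pool exhausted")

    def _allocate_from_block(self, host: str, now: int) -> Tuple[str, int]:
        blocks = self.blocks.setdefault(host, [])
        active = blocks[-1] if blocks else None
        expired = (active is not None and self.active_block_timeout > 0
                   and now - active.allocated_at >= self.active_block_timeout)
        if active is None or active.full() or expired:
            if len(blocks) >= self.max_blocks:
                raise RuntimeError(f"{host}: max blocks per address ({self.max_blocks}) reached")
            active = self._carve_block(now)
            blocks.append(active)
        port = active.low + active.used
        active.used += 1
        return active.address, port

    def _carve_block(self, now: int) -> PortBlock:
        # Blocks are cut from the front of the ascending free list, so they stay contiguous.
        for addr in self.addresses:
            free = self.free[addr]
            if len(free) >= self.block_size:
                ports, self.free[addr] = free[:self.block_size], free[self.block_size:]
                return PortBlock(addr, ports[0], ports[-1], now)
        raise RuntimeError("no free port block in pool")

    def utilization(self) -> float:
        """Percent utilization as the text defines it: ports for block pools, addresses otherwise."""
        if self.block_size:
            reserved = sum(b.high - b.low + 1 for bs in self.blocks.values() for b in bs)
            return 100.0 * reserved / (len(self.addresses) * self.ports_per_address)
        in_use = sum(1 for a in self.addresses if len(self.free[a]) < self.ports_per_address)
        return 100.0 * in_use / len(self.addresses)
```

Running the model with a deliberately tiny port range (eight ports, blocks of four) shows why the two utilization definitions differ: a pool without port-block allocation reports an address as fully used after a single translation, whereas a port-block pool climbs in steps of one block, which is what the raise and clear thresholds act on.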

Configuring the NAT Rules for Twice NAPT

To configure the source and destination NAT rules for twice NAPT:

  1. Configure the source NAT rule name.
  2. Specify the traffic direction to which the NAT rule set applies.
  3. Specify the addresses that are translated by the source NAT rule.

    To specify one address or prefix value:

    To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:

    To specify any unicast address:

  4. Specify one or more application protocols to which the NAT rule applies. The number of applications listed in the rule must not exceed 3072.
  5. Specify the NAT pool that contains the addresses for translated traffic.
  6. If you want to ensure that the same external address and port are assigned to all connections from a given host, configure endpoint-independent mapping:
    1. Configure the mapping type as endpoint independent.
    2. Specify prefix lists that contain the hosts that are allowed to establish inbound connections using the endpoint-independent mapping. (Prefix lists are configured at the [edit policy-options] hierarchy level.)
    3. Specify the maximum number of inbound flows allowed simultaneously on an endpoint-independent mapping.
    4. Specify the direction in which active endpoint-independent mapping is refreshed. By default, mapping is refreshed for both inbound and outbound active flows.
  7. Configure the generation of a syslog when traffic matches the NAT rule conditions.
  8. Configure the destination NAT rule name.
  9. Specify the traffic direction to which the destination NAT rule set applies.
  10. Specify the destination addresses of traffic that the destination NAT rule applies to.

    To specify a range of addresses, configure an address book global address with the desired address range, and assign the global address to the NAT rule:

    To specify any unicast address:

  11. Specify one or more application protocols to which the destination NAT rule applies. The number of applications listed in the rule must not exceed 3072.
  12. Specify the destination NAT pool that contains the destination addresses for translated traffic.
  13. Configure the generation of a syslog when traffic matches the destination NAT rule match conditions.

Configuring the Service Set for Twice NAPT

To configure the service set for twice NAPT:

  1. Define the service set.
  2. Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.

    or

  3. Specify the NAT rule sets to be used with the service set. Include the source NAT rule set and the destination NAT rule set.
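To show how the source rule set, destination rule set and service set from the two procedures above fit together, here is an added Python model; it is not Juniper code and does not reproduce the Junos configuration syntax. A service set holds both rule sets; an inside-to-outside flow is matched against the source rules (address prefix plus application, with the 3072-application limit enforced) and then against the destination rules; endpoint-independent mapping reuses one external address and port for every peer of a host, and inbound traffic to that mapping is admitted only from the configured prefix list and only up to the maximum number of inbound flows. The class names, the round-robin port counter, the syslog line format and the choice that a destination pool maps every matching address to a single pool address are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]           # (IP address, port)


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    application: str                 # application name, e.g. "junos-http"


@dataclass
class SourceNatRule:
    name: str
    match_sources: List[str]         # source prefixes the rule translates
    applications: Set[str]
    pool_address: str                # single-address source pool keeps the model small
    eim: bool = False                # mapping type endpoint independent
    eim_allowed_prefixes: List[str] = field(default_factory=list)   # prefix lists from policy-options
    eim_max_inbound_flows: int = 0

    def __post_init__(self) -> None:
        if len(self.applications) > 3072:   # limit stated in the procedure
            raise ValueError("a NAT rule may list at most 3072 applications")


@dataclass
class DestinationNatRule:
    name: str
    match_destinations: List[str]
    applications: Set[str]
    pool_address: str                # assumption: each matching destination maps to this address


@dataclass
class EimMapping:
    internal: Endpoint
    external: Endpoint
    rule: SourceNatRule
    inbound_flows: int = 0


def in_prefixes(ip: str, prefixes: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


class TwiceNaptServiceSet:
    """Service set holding one source rule set and one destination rule set."""

    def __init__(self, source_rules: List[SourceNatRule], dest_rules: List[DestinationNatRule]) -> None:
        self.source_rules = source_rules
        self.dest_rules = dest_rules
        self.next_port: Dict[str, int] = {}              # round-robin port per external address
        self.by_internal: Dict[Endpoint, EimMapping] = {}
        self.by_external: Dict[Endpoint, EimMapping] = {}
        self.syslog: List[str] = []                      # rule-match logs (constructed format)

    def outbound(self, flow: Flow) -> Flow:
        """Inside-to-outside: source NAT, then destination NAT, each on its own rule match."""
        src, dst = flow.src, flow.dst
        for rule in self.source_rules:
            if flow.application in rule.applications and in_prefixes(src[0], rule.match_sources):
                self.syslog.append(f"NAT_RULE_MATCH rule={rule.name} src={src[0]}:{src[1]}")
                src = self._translate_source(rule, flow.src)
                break
        for rule in self.dest_rules:
            if flow.application in rule.applications and in_prefixes(dst[0], rule.match_destinations):
                self.syslog.append(f"NAT_RULE_MATCH rule={rule.name} dst={dst[0]}:{dst[1]}")
                dst = (rule.pool_address, dst[1])
                break
        return Flow(src, dst, flow.application)

    def _translate_source(self, rule: SourceNatRule, internal: Endpoint) -> Endpoint:
        if rule.eim and internal in self.by_internal:
            return self.by_internal[internal].external   # same external address and port for every peer
        port = self.next_port.get(rule.pool_address, 1024)
        self.next_port[rule.pool_address] = port + 1
        external = (rule.pool_address, port)
        if rule.eim:
            mapping = EimMapping(internal, external, rule)
            self.by_internal[internal] = mapping
            self.by_external[external] = mapping
        return external

    def inbound(self, flow: Flow) -> Tuple[Optional[Flow], str]:
        """Outside-to-inside: only traffic to an EIM mapping from a listed prefix is admitted."""
        mapping = self.by_external.get(flow.dst)
        if mapping is None:
            return None, "no endpoint-independent mapping"
        if not in_prefixes(flow.src[0], mapping.rule.eim_allowed_prefixes):
            return None, "source not in EIM prefix list"
        if mapping.inbound_flows >= mapping.rule.eim_max_inbound_flows:
            return None, "max inbound flows reached"
        mapping.inbound_flows += 1
        return Flow(flow.src, mapping.internal, flow.application), "translated"
```

The order of the checks in `inbound` is the point worth keeping in mind when reviewing an EIM configuration: the mapping itself opens a reachable external port, and only the prefix list and the inbound-flow limit decide who may use it, so both should be set deliberately rather than left at permissive values.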