close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Next Gen Services Overview
  - Next Gen Services Overview
- play_arrow Configuration Overview
- play_arrow Global System Logging Overview and Configuration
- play_arrow Next Gen Services SNMP MIBS and Traps
  - Next Gen Services SNMP MIBs and Traps
play_arrow Carrier Grade NAT (CGNAT)
- play_arrow Deterministic NAT Overview and Configuration
  - Deterministic NAPT Overview for Next Gen Services
  - Configuring Deterministic NAPT for Next Gen Services
- play_arrow Dynamic Address-Only Source NAT Overview and Configuration
  - Dynamic Address-Only Source Translation Overview
  - Configuring Dynamic Address-Only Source NAT for Next Gen Services
- play_arrow Network Address Port Translation Overview and Configuration
  - Network Address Port Translation (NAPT) Overview
  - Configuring Network Address Port Translation for Next Gen Services
  - Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow NAT46
  - NAT46 Next Gen Services Configuration Examples
- play_arrow Stateful NAT64 Overview and Configuration
  - Stateful NAT64 Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring Next Gen Services Stateful NAT64
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration
  - 464XLAT Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring 464XLAT Provider-Side Translator for IPv4 Connectivity Across IPv6-Only Network for Next Gen Services
- play_arrow IPv6 NAT Protocol Translation (NAT PT)
  - IPv6 NAT PT Overview
  - IPv6 NAT-PT Communication Overview
- play_arrow Stateless Source Network Prefix Translation for IPv6 Overview and Configuration
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Transitioning to IPv6 Using Softwires
  - 6rd Softwires in Next Gen Services
- play_arrow Transitioning to IPv6 Using DS-Lite Softwires
  - DS-Lite Softwires—IPv4 over IPv6 for Next Gen Services
  - Configuring Next Gen Services DS-Lite Softwires
  - DS-Lite Subnet Limitation
  - Protecting CGN Devices Against Denial of Service (DOS) Attacks
- play_arrow Reducing Traffic and Bandwidth Requirements Using Port Control Protocol
  - Port Control Protocol Overview
  - Configuring Port Control Protocol
- play_arrow Transitioning to IPv6 Using Mapping of Address and Port with Encapsulation (MAP-E)
  - Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- play_arrow Monitoring and Troubleshooting Softwires
  - Ping and Traceroute for DS-Lite
  - Monitoring Softwire Statistics
  - Monitoring CGN, Stateful Firewall, and Softwire Flows
- play_arrow Port Forwarding Overview and Configuration
  - Port Forwarding for Next Gen Services
- play_arrow Port Translation Features Overview and Configuration
  - Address Pooling and Endpoint Independent Mapping for Port Translation
  - Round-Robin Port Allocation
  - Secured Port Block Allocation for Port Translation
- play_arrow Static Source NAT Overview and Configuration
  - Static Source NAT Overview
  - Configuring Static Source NAT44 or NAT66 for Next Gen Services
- play_arrow Static Destination NAT Overview and Configuration
  - Static Destination NAT Overview
  - Configuring Static Destination NAT for Next Gen Services
- play_arrow Twice NAPT Overview and Configuration
  - Twice NAPT Overview
  - Configuring Twice NAPT for Next Gen Services
- play_arrow Twice NAT Overview and Configuration
  - Twice Static NAT Overview
  - Configuring Twice Static NAT44 for Next Gen Services
  - Twice Dynamic NAT Overview
  - Configuring Twice Dynamic NAT for Next Gen Services
- play_arrow Class of Service Overview and Configuration
  - Class of Service for Services PICs (Next Gen Services)
play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
  - Stateful Firewall Overview for Next Gen Services
  - Configuring Stateful Firewalls for Next Gen Services
play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
  - Traffic Load Balancer Overview
  - Configuring TLB
play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
  - DNS Request Filtering for Disallowed Website Domains
  - DNS Request Filtering System Logging Error Messages
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering Overview
  - Configuring URL Filtering
play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
  - Integration of Juniper ATP Cloud and Web Filtering on MX Series Routers
play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
play_arrow Inter-Chassis Services PIC High Availability
- play_arrow Inter-Chassis Services PIC High Availability Overview and Configuration
play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
play_arrow Configuration Statements
- Junos CLI Reference Overview

list Table of Contents

English

Configuring Next Gen Services Stateful NAT64

date_range 06-Dec-23

arrow_backward

arrow_forward

Perform the following steps to configure Next Gen Services Stateful NAT64

Configuring the Source Pool for Stateful NAT64

To configure the source pool for Stateful NAT64:

Create a source pool.

content_copy zoom_out_map
user@host# edit services nat source pool nat-pool-name

Define the addresses or subnets to which source addresses are translated.
```
[edit services nat source pool nat-pool-name]
user@host# set address address-prefix
```
or
```
[edit services nat source pool nat-pool-name]
user@host# set address address-prefix to address address-prefix
```
To disable round-robin port allocation for all NAT pools that do not specify an automatic (random-allocation | round-robin) setting, configure the global setting.
```
[edit services nat source]
user@host# set port-round-robin disable
```
To configure a range of ports to assign to a pool, perform the following:

Note:
If you specify a range of ports to assign, the automatic statement is ignored.
1. Specify the low and high values for the port. If you do not configure automatic port assignment, you must configure a range of ports.
  [edit services nat source pool nat-pool-name port] user@host# set range port-low to port-high
2. Specify either random allocation or round-robin allocation. Round-robin allocation is the default.
  [edit services nat source pool nat-pool-name port range] user@host# set (random-allocation | round-robin)
Assign a port within the same range as the incoming port—either 0 through 1023 or 1024 through 65,535. This feature is not available if you configure port-block allocation.
```
[edit services nat source pool nat-pool-name port]
user@host# set preserve-range
```
Assign a port with the same parity (even or odd) as the incoming port. This feature is not available if you configure port-block allocation.
```
[edit services nat source pool nat-pool-name port]
user@host# set preserve-parity
```
Configure a global default port range for NAT pools that use port translation. This port range is used when a NAT pool does not specify a port range and does not specify automatic port assignment. The global port range can be from 1024 through 65,535.
```
[edit services nat source]
user@host# set pool-default-port-range port-low to port-high
```

Configure the source pool without port translation.

content_copy zoom_out_map
[edit services nat source pool nat-pool-name]
user@host# set address-pooling no-paired

Configure the maximum number of ports that can be allocated for each host. The range is 2 through 65,535.
```
[edit services nat source pool nat-pool-name]
user@host# set limit-ports-per-host number
```
If you want to allocate a block of ports for each subscriber to use, configure port-block allocation:
1. Configure the number of ports in a block. The range is 1 through 64,512 and the default is 128.
  [edit services nat source pool nat-pool-name port] user@host# set block-allocation block-size block-size
2. Configure the interval, in seconds, for which the block is active. After the timeout, a new block is allocated, even if ports are available in the active block. If you set the timeout to 0, port blocks are filled completely before a new port block is allocated, and the last port block remains active indefinitely. The range is 0 through 86,400, and the default is 0.
  [edit services nat source pool nat-pool-name port block-allocation] user@host# set active-block-timeout timeout-interval
3. Specify the timeout period for address-pooling paired mappings that use the NAT pool. The range is 120 through 86,400 seconds, and the default is 300. Mappings that are inactive for this amount of time are dropped.
  [edit services nat source pool nat-pool-name] user@host# set mapping-timeout mapping-timeout
  If you do not configure ei-mapping-timeout for endpoint independent translations, then the mapping-timeout value is used for endpoint independent translations.
4. Configure the maximum number of blocks that can be allocated to a user address. The range is 1 through 512, and the default is 8.
  [edit services nat source pool nat-pool-name port block-allocation] user@host# set maximum-blocks-per-host maximum-block-number
5. Specify how often to send interim system logs for active port blocks and for inactive port blocks with live sessions. This increases the reliability of system logs, which are UDP-based and can get lost in the network. The range is 1800 through 86,400 seconds, and the default is 0 (interim logs are disabled).
  [edit services nat source pool nat-pool-name port block-allocation] user@host# set interim-logging-interval timeout-interval
Specify the timeout period for endpoint independent translations that use the specified NAT pool. Mappings that are inactive for this amount of time are dropped. The range is 120 through 86,400 seconds. If you do not configure ei-mapping-timeout, then the mapping-timeout value is used for endpoint independent translations.
```
[edit services nat source pool nat-pool-name]
user@host# set ei-mapping-timeout ei-mapping-timeout
```
Specify the timeout period for address-pooling paired mappings that use the NAT pool. The range is 120 through 86,400 seconds, and the default is 300. Mappings that are inactive for this amount of time are dropped.
```
[edit services nat source pool nat-pool-name]
user@host# set mapping-timeout mapping-timeout
```
If you do not configure ei-mapping-timeout for endpoint independent translations, then the mapping-timeout value is used for endpoint independent translations.
To allow the IP addresses of a NAT source pool to overlap with IP addresses in pools used in other service sets, configure allow-overlapping-pools.
```
[edit services nat]
user@host# set allow-overlapping-pools
```

Configuring the NAT Rules for Stateful NAT64

For Stateful NAT64, you must configure a source rule and a destination rule. To configure the NAT rules for Stateful NAT64:

Configure the source NAT rule name.

content_copy zoom_out_map
 [edit services nat source]
user@host# set rule-set rule-set-name rule rule-name

Specify the traffic direction to which the NAT rule set applies.

content_copy zoom_out_map
 [edit services nat source rule-set rule-set-name]
user@host# set match-direction (in | out | in-out)

Specify the IPv6 source addresses that are translated by the NAT rule.

content_copy zoom_out_map
 [edit services nat source rule-set rule-set-name rule rule-name]
user@host# set match source-address address

Configure the matching destination address as 0.0.0.0/0.

content_copy zoom_out_map
 [edit services nat source rule-set rule-set-name rule rule-name]
user@host# set match destination-address 0.0.0.0/0

Specify one or more application protocols to which the NAT rule applies. The number of applications listed in the rule must not exceed 3072.
```
 [edit services nat source rule-set rule-set-name rule rule-name]
user@host# set match application [application-name]
```

Specify the NAT source pool that contains the addresses for translated source addresses.

content_copy zoom_out_map
 [edit services nat source rule-set rule-set-name rule rule-name]
user@host# set then source-nat pool nat-pool-name

Configure endpoint-independent mapping, which ensures that the same external address and port are assigned to all connections from a given host.
1. Configure the mapping type as endpoint independent.
  [edit services nat source rule-set rule-set-name rule rule-name then source-nat] user@host# set mapping-type endpoint-independent
2. Specify prefix lists that contain the hosts that are allowed to establish inbound connections using the endpoint-independent mapping. (Prefix lists are configured at the [edit policy-options] hierarchy level.)
  [edit services nat source rule-set rule-set-name rule rule-name then source-nat] user@host# set filtering-type endpoint-independent prefix-list [allowed-host] except [denied-host]
3. Specify the maximum number of inbound flows allowed simultaneously on an endpoint-independent mapping.
  [edit services nat source rule-set rule-set-name rule rule-name then source-nat] user@host# set secure-nat-mapping eif-flow-limit number-of-flows
4. Specify the direction in which active endpoint-independent mapping is refreshed. By default, mapping is refreshed for both inbound and outbound active flows.
  [edit services nat source rule-set rule-set-name rule rule-name then source-nat] user@host# set secure-nat-mapping mapping-refresh (inbound | inbound-outbound | outbound)

Configure the destination NAT rule name.

content_copy zoom_out_map
 [edit services nat destination]
user@host# set rule-set rule-set-name rule rule-name

Specify the traffic direction to which the destination NAT rule set applies.

content_copy zoom_out_map
 [edit services nat destination rule-set rule-set-name]
user@host# set match-direction (in | out | in-out)

Specify the IPv6 prefix source addresses that are translated by the destination NAT rule. Use the same value that you used for the NAT source rule.
```
 [edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match source-address address
```

Specify the prefix that is used to embed the IPv4 destination address in the IPv6 destination address.

content_copy zoom_out_map
 [edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set then destination-nat destination-prefix destination-prefix

Configure the IPv6 destination address to match. This is the IPv4 destination address embedded in IPv6 by using the destination-prefix.
```
 [edit services nat destination rule-set rule-set-name rule rule-name]
user@host# set match destination-address address
```

Configure the generation of a syslog when traffic matches the NAT rule conditions.

content_copy zoom_out_map
 [edit services nat (source | destination) rule-set rule-set-name rule rule-name then]
user@host# set syslog

Configuring the Service Set for Stateful NAT64

To configure the service set for stateful NAT64:

Define the service set.

content_copy zoom_out_map
 [edit services]
user@host# edit service-set service-set-name

Configure either an interface service, which requires a single service interface, or a next-hop service, which requires an inside and outside service interface.

content_copy zoom_out_map
 [edit services service-set service-set-name]
user@host# set interface-service service-interface interface-name

content_copy zoom_out_map
 [edit services service-set service-set-name]
user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name

Specify the NAT rule sets to be used with the service set.

content_copy zoom_out_map
 [edit services service-set service-set-name]
user@host# set nat-rule-sets rule-set-name

Clearing the Don’t Fragment Bit

To prevent unnecessary creation of IPv6 fragmentation headers when translating IPv4 packets that are less than 1280 bytes, you can specify that the don’t fragment (DF) bit for IPv4 packet headers is cleared when the packet length is less than 1280 bytes.

content_copy zoom_out_map
 [edit services nat natv6v4]
user@host# set clear-dont-fragment-bit

arrow_backward PREVIOUS IPv4 Addresses Embedded in IPv6 Addresses

NEXT arrow_forward 464XLAT Overview

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Configuring Next Gen Services Stateful NAT64

Configuring the Source Pool for Stateful NAT64

Configuring the NAT Rules for Stateful NAT64

Configuring the Service Set for Stateful NAT64

Clearing the Don’t Fragment Bit

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Configuring Next Gen Services Stateful NAT64

Configuring the Source Pool for Stateful NAT64

Configuring the NAT Rules for Stateful NAT64

Configuring the Service Set for Stateful NAT64

Clearing the Don’t Fragment Bit

Related Documentation

Stay in touch