Configuring Addresses and Ports for Use in NAT Rules
For information about configuring translated addresses, see the following sections:
Configuring Pools of Addresses and Ports
You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for Network Address Translation (NAT). To configure the information, include the pool statement at the [edit services nat] hierarchy level:
To configure pools for traditional NAT, specify either a destination pool or a source pool.
With static source NAT and dynamic source NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool.
With static destination NAT, you can also specify multiple address prefixes and address ranges in a single term. Multiple destination NAT terms can share a destination NAT pool. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.
For constraints on specific translation types, see Configuring Actions in NAT Rules.
With source static NAT, the prefixes and address ranges cannot overlap between separate pools.
In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.
When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 65,000 addresses, for a total of (65,000 x 65,535) or 4,259,775,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.
Preserve Range and Preserve Parity
You can configure your carrier-grade NAT (CGN) to preserve the range or parity of the packet source port when it allocates a source port for an outbound connection. You can configure the preserve parity and preserve range options under the NAT pool definition by including the preserve-range and preserve-parity configuration statements at the [edit services nat pool poolname port] hierarchy level.
- Preserve range—RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, defines two ranges: 0 through 1023, and 1024 through 65,535. When the preserve-range knob is configured and the incoming port falls into one of these ranges, CGN allocates a port from that range only. However, if there is no available port in the range, the port allocation request fails and that session is not created. The failure is reflected on counters and system logging, but no Internet Control Message Protocol (ICMP) message is generated. If this knob is not configured, allocation is based on the configured port range without regard to the port range that contains the incoming port. The exception is some application-level gateways (ALGs), such as hello, that have special zones.
- Preserve parity—When the preserve-parity knob is configured, CGN allocates a port with the same even or odd parity as the incoming port. If the incoming port number is odd or even, the outgoing port number should correspondingly be odd or even. If a port number of the desired parity is not available, the port allocation request fails, the session is not created, and the packet is dropped.
Configuring Address Pools for Network Address Port Translation
With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.
The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
The Junos OS provides several alternatives for allocating ports:
- Round-Robin Allocation
- Sequential
- Port Block Allocation
- Additional Options for NAPT
- Comparision of NAPT Implementation Methods
Round-Robin Allocation
To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
- The first connection is allocated to the address:port 100.0.0.1:3333.
- The second connection is allocated to the address:port 100.0.0.2:3333.
- The third connection is allocated to the address:port 100.0.0.3:3333.
- The fourth connection is allocated to the address:port 100.0.0.4:3333.
- The fifth connection is allocated to the address:port 100.0.0.5:3333.
- The sixth connection is allocated to the address:port 100.0.0.6:3333.
- The seventh connection is allocated to the address:port 100.0.0.7:3333.
- The eighth connection is allocated to the address:port 100.0.0.8:3333.
- The ninth connection is allocated to the address:port 100.0.0.9:3333.
- The tenth connection is allocated to the address:port 100.0.0.10:3333.
- The eleventh connection is allocated to the address:port 100.0.0.11:3333.
- The twelfth connection is allocated to the address:port 100.0.0.12:3333.
- Wraparound occurs and the thirteenth connection is allocated to the address:port 100.0.0.1:3334.
Sequential
With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.
 | Note: This legacy implementation provides backward compatibility. |
The NAT pool called napt in the following configuration example uses the sequential implementation:
In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed. In the case of the example napt pool, the tuple address, port 100.0.0.4:3333, is allocated only when all ports for all the addresses in the first range have been used.
- The first connection is allocated to the address:port 100.0.0.1:3333.
- The second connection is allocated to the address:port 100.0.0.1:3334.
- The third connection is allocated to the address:port 100.0.0.2:3333.
- The fourth connection is allocated to the address:port 100.0.0.2:3334, and so on.
Port Block Allocation
Carriers track subscribers using the IP address (RADIUS or DHCP) log. If they use CGN, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which are part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers.
Port block allocation is supported on MX series routers wiith MultiServices Dense Port Concentrators (MS-DPCs).
Secured Port Block Allocation
When allocating blocks of ports, the most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.
When you configure secured port block allocation, you can specify the following:
- block-size
- max-blocks-per-address
- active-block-timeout
Deterministic Port Block Allocation
You can configure NAT algorithm-based allocation of blocks of destination ports. By specifying deterministic-port-block-allocation blocksize blocksize at the [edit services nat pool poolname port] hierarchy level, you ensure that an incoming (source) IP address and port always map to the same destination IP address and port, thus eliminating the need for the address translation logging. When you use deterministic port block allocation, you must specify deterministic-nat44 as the translation-type in your NAT rule.
For detailed information on how to configure deterministic port block allocation, see Configuring Deterministic Port Block Allocation.
Understanding Deterministic Port Block Allocation Algorithms
The effectiveness of your implementation of deterministic port block allocation depends on your analysis of your subscriber requirements. The block size you provide indicates how many ports will be made available for each incoming subscriber address in the range the from clause specified in the applicable NAT rule. The allocation algorithm computes an offset value to determine the outgoing port. A reverse algorithm is used to derive the originating subscriber address.
| Note: In order to track subscribers without using logs, an ISP must use a reverse algorithm to derive a subscriber (source) addresses from translated addresses. |
Deterministic Port Block Allocation Algorithm Usage
When you have configured deterministic port block allocation, you can use the show services nat deterministic-nat internal-host and show services nat deterministic-nat nat-port-block commands to show forward and reverse mapping. However, mappings will change if you reconfigure your deterministic port block allocation block size or the from clause for your NAT rule. In order to provide historical information on mappings, we recommend that you write scripts that can show specific mappings for prior configurations.
The following variables are used in forward calculation (private subscriber IP address to public IP address) and reverse calculation (public IP address to private subscriber IP address):
- Pr_Prefix—Any pre-NAT IPv4 subscriber address
- Pr_Port—Any pre-NAT protocol port
- Block_Size—Number of ports configured to be available for each Pr_Prefix
- Base_PR_Prefix—First usable pre-NAT IPv4 subscriber address in a “from” clause match condition
- Base_PU_Prefix—First usable post-NAT IPv4 subscriber address configured in the NAT pool.
- Pu_Port_Range_Start—1024 (ports 0 through 1023 are not used when port automatic is configured)
- Pr_Offset—Pr_Prefix – Base_Pr_Prefix
- PR_Port_Offset—Pr_Offset * Block_Size
- Pu_Prefix—Post-NAT address for a given Pr_Prefix
- Pu_Start_Port—Post-NAT start port for a flow from a given Pr_Prefix
- Pu_Actual_Port—Post-NAT port seen on a reverse flow
- Port_Range_Per_Pu_IP—64,512 (65,536 – 1024), constant as privileged ports are unused due to “port automatic” configuration)
- Pu_Offset—Pu_Prefix – Base_Pu_Prefix
- Pu_Port_Offset—(Pu_Offset * Port_Range_Per_Pu_IP) + (Pu_Actual_Port – Pu_Port_Start_Port)
| Note:
If block-size is configured as zero, the block size
per user is computed by the Junos OS by the following formula: |
Algorithm Usage–Assume the following configuration:
Forward Translation
- Pr_Offset = Pr_Prefix – Base_Pr_Prefix
- Pr_Port_Offset = Pr_Offset * Block_Size
- Pu_Prefix = Base_Public_Prefix + (Pr_Port_Offset / Port_Range_Per_IP)
- Pu_Start_Port = Pu_Port_Range_Start + (Pr_Port_Offset % Port_Range_Per_IP)
Using the sample configuration and assuming a subscriber flow sourced from 10.1.1.250:5000:
- Pr_Offset = 10.1.1.250 – 10.1.0.1 = 505
- Pu_Port_Offset = 505 * 256 = 129,280
- Pu_Prefix = 32.32.32.1 + (129,280 / 64,512) = 32.32.32.3
- Pu_Start_Port = 1,024 + (129,280 % 64,512) = 1,280
- 10.1.1.250 is translated to 32.32.32.3.
- The starting port is 1280. There are 256 ports available to the subscriber based on the configured block size. The available port range spans ports 1280 through 1535 (inclusive).
- The specific flow 10.1.1.250:5000 randomly assigns any of the ports in its range because random allocation was specified.
Reverse Translation
- Pu_Offset = Pu_Prefix – Base_Pu_Prefix
- Pu_Port_Offset = (Pu_Offset * Port_Range_Per_Pu_IP) + (Pu_Actual_Port – Pu_Port_Range_Start)
- Subscriber_IP = Base_Pr_Prefix + (Pu_Port_Offset / Block_Size)
The reverse translation is determined as follows. Assume a flow returning to 32.32.32.3:1400.
- Pu_Offset = 32.32.32.3 – 32.32.32.1 = 2
- Pu_Port_Offset = (2 * 64,512) + (1400 - 1024) = 129,400
- Subscriber_IP = 10.1.0.1 + (129,400 / 256) = 10.1.1.250
Note: In reverse translation, only the original private IP address can be derived, and not the original port in use. This is sufficiently granular for law enforcement requirements.
Deterministic Port Block Allocation Restrictions
When you configure deterministic port block allocation, you must be aware of the following restrictions. Violation of any restriction results in a commit error. The restrictions and their error messages are shown in Table 1
Table 1: Deterministic Port Block Allocation Commit Constraints
Restiction | Error Message |
|---|---|
The total number of deterministic NAT blocks must be greater than or equal to the 'from' clause addresses configured. | Number of addresses and port blocks combination in the NAT pool is less than number of addresses in 'from' clause |
IPv6 addresses should not be used in deterministic NAT pool/from clause. | Invalid IP address in pool p1 with translation type deterministic-napt44 OR There is already a range configured with v4 address range |
The from clause addresses should be same if the same deterministic NAT pool is used across multiple terms/rules. Only one from clause address/range should be specified if the same deterministic NAT pool is used across multiple terms/rules. | With translation-type deterministic-napt44, same 'from' address/range should be configured if pool is shared by multiple rules or terms |
There shouldn't be address overlap between except entries in the from clause addresses. | overlapping address, in the 'from' clause between 'except' entries |
A deterministic NAT pool cannot be used with other translation-types | Deterministic NAT pool cannot be used with other translation-types |
Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration | Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration |
If address-allocation round-robin is configured, a commit results in display of a warning indicating that this technique is not needed with translation-type deterministic-napt44 and is ignored. | Address allocation round-robin is not needed with translation-type deterministic-napt44 |
The total number of IP addresses assigned to a deterministic NAT pool should be less than or equal to 224 (16777216). | Number of addresses in pool with deterministic-napt44 translation are limited to at most 16777216(2^24) |
Additional Options for NAPT
The following options are available for NAPT:
- Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.
- Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.
Comparision of NAPT Implementation Methods
Table 2 provides a feature comparison of available NAPT implementation methods.
Table 2: Comparison of NAPT Implementation Methods
Feature/Function | Dynamic Port Allocation | Secured Port Block Allocation | Deterministic Port Block Allocation |
|---|---|---|---|
Users per IP | High | Medium | Low |
Security Risk | Low | Medium | Medium |
Log Utilization | High | Low | None (no logs necessary) |
Security Risk Reduction | Random allocation | active-block-timeout feature | n/a |
Increasing Users per IP | n/a | Configure multiples of smaller port blocks to maximize users/ public IP | Algorithm-based port allocation |
Specifying Destination and Source Prefixes
You can directly specify the destination or source prefix used in NAT without configuring a pool.
To configure the information, include the rule statement at the [edit services nat] hierarchy level:
Requirements for NAT Addresses
You must configure a specific address, a prefix, or the address-range boundaries:
- The following addresses, while valid in inet.0, cannot be used for NAT translation:
- 0.0.0.0/32
- 127.0.0.0/8 (loopback)
- 128.0.0.0/16 (martian)
- 191.255.0.0/16 (martian)
- 192.0.0.0/24 (martian)
- 223.255.255.0/24 (martian)
- 224.0.0.0/4 (multicast)
- 240.0.0.0/4 (reserved)
- 255.255.255.255 (broadcast)
- You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method. For more information, see Examples: Configuring NAT Rules.
- When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused. Pools cannot be shared.
| Note: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocols packets transit the Adaptive Services (AS) or Multiservices PIC. |
