Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port with an IP address and port in a private network. This allows the destination address and port of a packet to be changed to reach the correct host in a Network Address Translation (NAT) gateway. The translation facilitates reaching a host within a masqueraded, typically private, network, based on the port number on which the packet was received from the originating host. Port forwarding allows remote computers, such as public machines on the Internet, to connect to a non-standard port (port other than 80) of a specific computer within a private network. An example of this type of destination is the host of a public HTTP server within a private network. Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding also supports endpoint-independent mapping (EIM), endpoint-independent filltering (EIF), and address pooling paired (APP). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure destination address translation with port forwarding in IPv4 networks:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
    [edit]user@host# editservices nat
  2. Configure the NAT pool with an address.
    [edit services nat]user@host# set pool pool-name address address

    In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address. 

    user@host# set pool dest-pool address 4.1.1.2
  3. Configure the rule, match direction, term, and destination address.
    [edit services nat]user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

    In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

    [edit services nat]user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20
  4. Configure the destination port range.
    [edit services nat]user@host# set rule rule-name match-direction match-direction term term-name from destination-port range range high | low

    In the following example, the upper port range is 50 and the lower port range is 20.

    [edit services nat]user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range range high 50 low 20
  5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.
    [edit services nat]user@host# edit rule rule-dnat44 term t1
  6. Configure the destination pool.
    [edit services nat rule rule-dnat44 term t1]user@host# set then translated destination-pool dest-pool-name

    In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

    [edit services nat rule rule-dnat44 term t1]user@host# set then translated destination-pool dest-pool
  7. Configure the mapping for port forwarding and the translation type.
    [edit services nat rule rule-dnat44 term t1]user@host# set then port-forwarding-mappings map-name translation-type translation-type

    In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

    [edit services nat rule rule-dnat44 term t1]user@host# set then port-forwarding-mappings map1 translation-type dnat-44
  8. Go to the [edit services nat port-forwarding map1] hierarchy level.
    [edit services nat]user@host# edit port-forwarding map1
  9. Configure the mapping for port forwarding.
    [edit port-forwarding map1]user@host# set destined-port port-iduser@host# set translated-port port-id

    In the following example, the destination port is 45 and the translated port is 23.

    [edit port-forwarding map1]user@host# set destined-port 23user@host# set translated-port 45
    • Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.
    • The destination port should not overlap the port range configured for NAT.
  10. Verify the configuration by using the show command at the [edit services nat] hierarchy level.
    [edit services]
user@host# show 
nat {
	pool dest-pool {
	    address 4.1.1.2/32;
	}
	rule rule-dnat44 {
	    match-direction input;
	    term t1 {
		from {
		    destination-address {
		        20.20.20.20/32;
		    }
		    destination-port {
		        range low 20 high 50;
		    }
		}
		then {
		    port-forwarding-mappings map1;
			 		translated {
		         destination-pool dest-pool;
		         translation-type {
		            	dnat-44;
		        			}
		    			}
					}
	   	}
	}
	port-forwarding map1 {
	    destined-port 45;
		 translated-port 23;
	    }
}
 

Related Documentation

 

Published: 2012-11-28

Previous Page Next Page