Supported Platforms
Configuring Address Pools for Network Address Port Translation (NAPT) Overview
With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.
The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
The Junos OS provides several alternatives for allocating ports:
Round-Robin Allocation for NAPT
To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
- The first connection is allocated to the address:port 100.0.0.1:3333.
- The second connection is allocated to the address:port 100.0.0.2:3333.
- The third connection is allocated to the address:port 100.0.0.3:3333.
- The fourth connection is allocated to the address:port 100.0.0.4:3333.
- The fifth connection is allocated to the address:port 100.0.0.5:3333.
- The sixth connection is allocated to the address:port 100.0.0.6:3333.
- The seventh connection is allocated to the address:port 100.0.0.7:3333.
- The eighth connection is allocated to the address:port 100.0.0.8:3333.
- The ninth connection is allocated to the address:port 100.0.0.9:3333.
- The tenth connection is allocated to the address:port 100.0.0.10:3333.
- The eleventh connection is allocated to the address:port 100.0.0.11:3333.
- The twelfth connection is allocated to the address:port 100.0.0.12:3333.
- Wraparound occurs and the thirteenth connection is allocated to the address:port 100.0.0.1:3334.
Sequential Allocation for NAPT
With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.
 | Note: This legacy implementation provides backward compatibility and is no longer a recommended approach.. |
The NAT pool called napt in the following configuration example uses the sequential implementation:
In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed. In the case of the example napt pool, the tuple address, port 100.0.0.4:3333, is allocated only when all ports for all the addresses in the first range have been used.
- The first connection is allocated to the address:port 100.0.0.1:3333.
- The second connection is allocated to the address:port 100.0.0.1:3334.
- The third connection is allocated to the address:port 100.0.0.2:3333.
- The fourth connection is allocated to the address:port 100.0.0.2:3334, and so on.
Preserve Parity and Preserve Range for NAPT
The following options are available for NAPT:
- Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.
- Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.
Address Pooling and Endpoint Independent Mapping for NAPT
Address Pooling and Endpoint Independent Mapping for NAPT
Address Pooling
Address pooling, or address pooling paired (APP) ensures assignment of the same external IP address for all sessions originating from the same internal host. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization
Address pooling solves the problems of an application opening multiple connections. For example, when Session Initiation Protocol (SIP) client sends Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, the SIP generally server requires that they come from the same IP address, even if they have been subject to NAT. If RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) benefits from address pooling paired.
The following are use cases for address pooling.
- A site that offers instant messaging services requires that chat and their control sessions come from the same public source address. When the user signs on to chat, a control session authenticates the user. A different session begins when the user starts a chat session. If the chat session originates from a source address that is different from the authentication session, the instant messaging server rejects the chat session, because it originates from an unauthorized address.
- Certain websites such as online banking sites require that all connections from a given host come from the same IP address.
Endpoint Independent Mapping and Endpoint Independent Filtering
Endpoint independent mapping (EIM) ensures the assignment of the same external address and port for all connections from a given host if they use the same internal port. This means if they come from a different source port, you are free to assign a different external address.
EIM and APP differ as follows:
- APP ensures assigning the same external IP address.
- EIM provides a stable external IP address and port (for a period of time) to which external hosts can connect. Endpoint independent filtering (EIF) controls which external hosts can connect to an internal host.
Port Block Allocation for NAPT
Carriers track subscribers using the IP address (RADIUS or DHCP) log. If they use NAPT, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which are part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers.
Port block allocation is supported on MX series routers wiith MultiServices Dense Port Concentrators (MS-DPCs).
Secured Port Block Allocation for NAPT
When allocating blocks of ports, the most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.
When you configure secured port block allocation, you can specify the following:
- block-size
- max-blocks-per-address
- active-block-timeout
Deterministic Port Block Allocation for NAPT
You can configure NAT algorithm-based allocation of blocks of destination ports. By specifying deterministic-port-block-allocation blocksize blocksize at the [edit services nat pool poolname port] hierarchy level, you ensure that an incoming (source) IP address and port always map to the same destination IP address and port, thus eliminating the need for the address translation logging. You can also specify include-boundary-addresses if you want the lowest and highest addresses in the source address range of a NAT rule to be translated when the NAT pool is used. When you use deterministic port block allocation, you must specify deterministic-nat44 as the translation-type in your NAT rule.
For detailed information on how to configure deterministic port block allocation, see Configuring Deterministic Port Block Allocation.
- Understanding Deterministic Port Block Allocation Algorithms
- Deterministic Port Block Allocation Algorithm Usage
- Deterministic Port Block Allocation Restrictions
Understanding Deterministic Port Block Allocation Algorithms
The effectiveness of your implementation of deterministic port block allocation depends on your analysis of your subscriber requirements. The block size you provide indicates how many ports will be made available for each incoming subscriber address in the range the from clause specified in the applicable NAT rule. The allocation algorithm computes an offset value to determine the outgoing port. A reverse algorithm is used to derive the originating subscriber address.
| Note: In order to track subscribers without using logs, an ISP must use a reverse algorithm to derive a subscriber (source) addresses from translated addresses. |
Deterministic Port Block Allocation Algorithm Usage
When you have configured deterministic port block allocation, you can use the show services nat deterministic-nat internal-host and show services nat deterministic-nat nat-port-block commands to show forward and reverse mapping. However, mappings will change if you reconfigure your deterministic port block allocation block size or the from clause for your NAT rule. In order to provide historical information on mappings, we recommend that you write scripts that can show specific mappings for prior configurations.
The following variables are used in forward calculation (private subscriber IP address to public IP address) and reverse calculation (public IP address to private subscriber IP address):
- Pr_Prefix—Any pre-NAT IPv4 subscriber address
- Pr_Port—Any pre-NAT protocol port
- Block_Size—Number of ports configured to be available for each Pr_Prefix
- Base_PR_Prefix—First usable pre-NAT IPv4 subscriber address in a “from” clause match condition
- Base_PU_Prefix—First usable post-NAT IPv4 subscriber address configured in the NAT pool.
- Pu_Port_Range_Start—1024 (ports 0 through 1023 are not used when port automatic is configured)
- Pr_Offset—Pr_Prefix – Base_Pr_Prefix
- PR_Port_Offset—Pr_Offset * Block_Size
- Pu_Prefix—Post-NAT address for a given Pr_Prefix
- Pu_Start_Port—Post-NAT start port for a flow from a given Pr_Prefix
- Pu_Actual_Port—Post-NAT port seen on a reverse flow
- Nr_Addr_PR_Prefix — Number of usable pre-NAT IPv4 subscriber addresses in a “from” clause match condition
- Nr_Addr_PU_Prefix — Number of usable post-NAT IPv4 addresses configured in the NAT pool
- Rounded_Port_Range_Per_IP — ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
- Pu_Offset—Pu_Prefix – Base_Pu_Prefix
- Pu_Port_Offset—(Pu_Offset * Port_Range_Per_Pu_IP) + (Pu_Actual_Port – Pu_Port_Start_Port)
| Note: If block-size is configured as zero, the method for computing the block size has changed and is computed as follows:
where 64512 is the maximum available port range per public IP address. |
Algorithm Usage–Assume the following configuration:
Forward Translation
- Pr_Offset = Pr_Prefix – Base_Pr_Prefix
- Pr_Port_Offset = Pr_Offset * Block_Size
- Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
- Pu_Prefix = Base_Public_Prefix + floor(Pr_Port_Offset / Rounded_Port_Range_Per_IP)
- Pu_Start_Port = Pu_Port_Range_Start + (Pr_Port_Offset % Rounded_Port_Range_Per_IP)
Using the sample configuration and assuming a subscriber flow sourced from 10.1.1.250:5000:
- Pr_Offset = 10.1.1.250 – 10.1.0.1 = 505
- Pu_Port_Offset = 505 * 249 = 125,745
- Rounded_Port_Range_Per_IP = ceil[(65, 533/254)] * 249 = 259 * 249 = 64,491
- Pu_Prefix = 32.32.32.1 + floor(125,745 /64,491) = 32.32.32.1 +1 =32.32.32.2
- Pu_Start_Port = 1,024 + (125,745 % 64,491) = 62278
- 10.1.1.250 is translated to 32.32.32.2.
- The starting port is 62278. There are 249 ports available to the subscriber based on the configured block size. The available port range spans ports 62278 through 62526 (inclusive).
- The specific flow 10.1.1.250:5000 randomly assigns any of the ports in its range because random allocation was specified.
Reverse Translation
- Pu_Offset = Pu_Prefix – Base_Pu_Prefix
- Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start)
- Subscriber_IP = Base_Pr_Prefix + floor(Pu_Port_Offset / Block_Size)
The reverse translation is determined as follows. Assume a flow returning to 32.32.32.2:62278.
- Pu_Offset = 32.32.32.2 – 32.32.32.1 = 1
- Pu_Port_Offset = (1 * 64,491) + (62,280 - 1024) = 125,747
- Subscriber_IP = 10.1.0.1 + floor(125,747 / 249) = 10.1.0.1 + 505 = 10.1.1.250
Note: In reverse translation, only the original private IP address can be derived, and not the original port in use. This is sufficiently granular for law enforcement requirements.
Deterministic Port Block Allocation Restrictions
When you configure deterministic port block allocation, you must be aware of the following restrictions. Violation of any restriction results in a commit error. The restrictions and their error messages are shown in Table 1
Table 1: Deterministic Port Block Allocation Commit Constraints
Restriction | Error Message |
|---|---|
The total number of deterministic NAT blocks must be greater than or equal to the 'from' clause addresses configured. This means that the Rounded_Port_Range_Per_IP value must be less than or equal to 64,512. | Number of addresses and port blocks combination in the NAT pool is less than number of addresses in 'from' clause |
IPv6 addresses should not be used in deterministic NAT pool/from clause. | Invalid IP address in pool p1 with translation type deterministic-napt44 OR There is already a range configured with v4 address range |
The from clause addresses should be same if the same deterministic NAT pool is used across multiple terms/rules. Only one from clause address/range should be specified if the same deterministic NAT pool is used across multiple terms/rules. | With translation-type deterministic-napt44, same 'from' address/range should be configured if pool is shared by multiple rules or terms |
There shouldn't be address overlap between except entries in the from clause addresses. | overlapping address, in the 'from' clause between 'except' entries |
A deterministic NAT pool cannot be used with other translation-types | Deterministic NAT pool cannot be used with other translation-types |
Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration | Deterministic NAPT44 must use a source pool with deterministic-port-block-allocation configuration |
If address-allocation round-robin is configured, a commit results in display of a warning indicating that this technique is not needed with translation-type deterministic-napt44 and is ignored. | Address allocation round-robin is not needed with translation-type deterministic-napt44 |
The total number of IP addresses assigned to a deterministic NAT pool should be less than or equal to 224 (16777216). | Number of addresses in pool with deterministic-napt44 translation are limited to at most 16777216(2^24) |
Comparision of NAPT Implementation Methods
Table 2 provides a feature comparison of available NAPT implementation methods.
Table 2: Comparison of NAPT Implementation Methods
Feature/Function | Dynamic Port Allocation | Secured Port Block Allocation | Deterministic Port Block Allocation |
|---|---|---|---|
Users per IP | High | Medium | Low |
Security Risk | Low | Medium | Medium |
Log Utilization | High | Low | None (no logs necessary) |
Security Risk Reduction | Random allocation | active-block-timeout feature | n/a |
Increasing Users per IP | n/a | Configure multiples of smaller port blocks to maximize users/ public IP | Algorithm-based port allocation |
