Network Address Port Translation
Configuring Address Pools for Network Address Port Translation (NAPT) Overview
With Network Address Port Translation (NAPT), you can configure up to 32 address ranges with up to 65,536 addresses each.
The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. By default, sequential allocation of ports occurs.
Starting with Junos OS Release 14.2, you can include the sequential option with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level for sequential allocation of ports from the specified range. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
When 99% of the total available ports in a napt-44 pool are in use, no new flows are accepted on that NAT pool. Size the pool and monitor its port utilization accordingly, because port exhaustion turns directly into refused connections for the subscribers behind it.
Starting with Junos OS Release 14.2, the auto option is hidden and deprecated, and is only maintained for backward compatibility. It might be removed completely in a future software release.
The Junos OS provides several alternatives for allocating ports:
- Round-Robin Allocation for NAPT
- Sequential Allocation for NAPT
- Preserve Parity and Preserve Range for NAPT
- Address Pooling and Endpoint Independent Mapping for NAPT
- Secured Port Block Allocation for NAPT
- Comparison of NAPT Implementation Methods
Round-Robin Allocation for NAPT
To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
The first connection is allocated to the address:port 100.0.0.1:3333.
The second connection is allocated to the address:port 100.0.0.2:3333.
The third connection is allocated to the address:port 100.0.0.3:3333.
The fourth connection is allocated to the address:port 100.0.0.4:3333.
The fifth connection is allocated to the address:port 100.0.0.5:3333.
The sixth connection is allocated to the address:port 100.0.0.6:3333.
The seventh connection is allocated to the address:port 100.0.0.7:3333.
The eighth connection is allocated to the address:port 100.0.0.8:3333.
The ninth connection is allocated to the address:port 100.0.0.9:3333.
The tenth connection is allocated to the address:port 100.0.0.10:3333.
The eleventh connection is allocated to the address:port 100.0.0.11:3333.
The twelfth connection is allocated to the address:port 100.0.0.12:3333.
Wraparound occurs and the thirteenth connection is allocated to the address:port 100.0.0.1:3334.
Sequential Allocation for NAPT
With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted.
Sequential allocation can be configured only for the MS-DPC and the MS-100, MS-400, and MS-500 MultiServices PICs. The MS-MPC and MS-MIC cards use only the round-robin allocation approach.
This legacy implementation provides backward compatibility and is no longer a recommended approach.
The NAT pool called napt in the following configuration example uses the sequential implementation:
pool napt {
    address-range low 100.0.0.1 high 100.0.0.3;
    address-range low 100.0.0.4 high 100.0.0.6;
    address-range low 100.0.0.8 high 100.0.0.10;
    address-range low 100.0.0.12 high 100.0.0.13;
    port {
        range low 3333 high 3334;
    }
}
In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all of its available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is selected and its ports are allocated as needed. In the example napt pool, the address:port tuple 100.0.0.4:3333 is allocated only when all ports for all the addresses in the first range have been used.
The first connection is allocated to the address:port 100.0.0.1:3333.
The second connection is allocated to the address:port 100.0.0.1:3334.
The third connection is allocated to the address:port 100.0.0.2:3333.
The fourth connection is allocated to the address:port 100.0.0.2:3334, and so on.
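The following simulation is an added example, not Junos OS code. It replays the round-robin and sequential orders described above over the napt pool from the sequential example (four address ranges, ports 3333 through 3334), so the two walks can be compared on the same pool, and it reports when the pool is exhausted. Because that pool contains 11 addresses (100.0.0.7 and 100.0.0.11 fall outside every range), round-robin wraps to 100.0.0.1:3334 on the twelfth connection rather than the thirteenth shown in the round-robin listing above. The 99% utilization cut-off mentioned earlier is modelled by accepts_new_flow(); the pool contents, port range and threshold constant are taken from this page, everything else is an assumption of the example.

```python
"""Round-robin versus sequential NAPT port allocation (added simulation, not Junos code)."""
import ipaddress
from typing import Iterator, List, Optional, Tuple

# The pool from the page: 11 addresses (100.0.0.7 and 100.0.0.11 are in no range).
NAPT_POOL_RANGES = [
    ("100.0.0.1", "100.0.0.3"),
    ("100.0.0.4", "100.0.0.6"),
    ("100.0.0.8", "100.0.0.10"),
    ("100.0.0.12", "100.0.0.13"),
]
PORT_LOW, PORT_HIGH = 3333, 3334
UTILIZATION_CUTOFF = 0.99   # the page's rule: at 99% of ports in use, refuse new flows


def expand_ranges(ranges: List[Tuple[str, str]]) -> List[str]:
    """Flatten address-range statements, in configured order, to a list of addresses."""
    addresses = []
    for low, high in ranges:
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        addresses.extend(str(ipaddress.ip_address(a)) for a in range(lo, hi + 1))
    return addresses


class NaptPool:
    """Hands out address:port tuples in round-robin or sequential order."""

    def __init__(self, ranges, port_low: int, port_high: int, policy: str):
        if policy not in ("round-robin", "sequential"):
            raise ValueError(policy)
        self.addresses = expand_ranges(ranges)
        self.ports = list(range(port_low, port_high + 1))
        self.capacity = len(self.addresses) * len(self.ports)
        self.allocated: List[Tuple[str, int]] = []
        self._order = self._sequential() if policy == "sequential" else self._round_robin()

    def _round_robin(self) -> Iterator[Tuple[str, int]]:
        # One port from every address (range after range), then wrap to the next port.
        for port in self.ports:
            for address in self.addresses:
                yield address, port

    def _sequential(self) -> Iterator[Tuple[str, int]]:
        # Use up every port of one address before touching the next address.
        for address in self.addresses:
            for port in self.ports:
                yield address, port

    def utilization(self) -> float:
        return len(self.allocated) / self.capacity

    def accepts_new_flow(self) -> bool:
        return self.utilization() < UTILIZATION_CUTOFF

    def allocate(self) -> Optional[Tuple[str, int]]:
        """Next address:port for a new flow, or None when no port is available."""
        if not self.accepts_new_flow():
            return None
        tup = next(self._order, None)
        if tup is not None:
            self.allocated.append(tup)
        return tup


def first_n(policy: str, n: int) -> List[str]:
    """The first n allocations under a policy, as 'address:port' strings."""
    pool = NaptPool(NAPT_POOL_RANGES, PORT_LOW, PORT_HIGH, policy)
    result = []
    for _ in range(n):
        tup = pool.allocate()
        result.append("exhausted" if tup is None else f"{tup[0]}:{tup[1]}")
    return result


if __name__ == "__main__":
    for policy in ("round-robin", "sequential"):
        print(policy, first_n(policy, 13))
```

Running the block prints both sequences side by side; the practical difference is that round-robin spreads a burst of new flows across every public address at once, while sequential keeps early flows on a single address until it is full.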
Preserve Parity and Preserve Range for NAPT
Preserve parity and preserve range options are available for NAPT, and are supported on MS-DPCs and MS-100, MS-400, and MS-500 MultiServices PICs. Support for MS-MPCs and MS-MICs starts in Junos OS Release 15.1R1. The following options are available for NAPT:
- Preserving parity: Use the preserve-parity statement to allocate even external ports for packets with even source ports and odd external ports for packets with odd source ports.
- Preserving range: Use the preserve-range statement to allocate external ports within the range 0 to 1023 when the original packet has a source port in that reserved range. This applies to control sessions, not data sessions.
Address Pooling and Endpoint Independent Mapping for NAPT
Address Pooling
Address pooling, or address pooling paired (APP), ensures assignment of the same external IP address for all sessions originating from the same internal host. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization.
Address pooling solves the problem of an application opening multiple connections that must share a source address. For example, when a Session Initiation Protocol (SIP) client sends Real-Time Transport Protocol (RTP) and RTP Control Protocol (RTCP) packets, the SIP server generally requires that they come from the same IP address, even after NAT. If the RTP and RTCP packets arrive from different IP addresses, the receiving endpoint might drop them. Any peer-to-peer (P2P) protocol that negotiates ports on the assumption of address stability benefits from address pooling paired.
The following are use cases for address pooling:
A site that offers instant messaging services requires that chat and their control sessions come from the same public source address. When the user signs on to chat, a control session authenticates the user. A different session begins when the user starts a chat session. If the chat session originates from a source address that is different from the authentication session, the instant messaging server rejects the chat session, because it originates from an unauthorized address.
Certain websites such as online banking sites require that all connections from a given host come from the same IP address.
Starting with Junos OS Release 14.1, when you deactivate a service set that uses address pooling paired (APP), messages are displayed on the PIC console and the APP mappings for that service set are cleared. One message is generated when deletion of the service set begins and another when it completes. The following sample messages are displayed when deletion starts and ends:
Nov 15 08:33:13.974 [LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated
Nov 15 08:33:14.674 [LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed
In a scaled environment with a large number of APP mappings in a service set, a heavy volume of messages is generated and deletion takes some time. We recommend that you wait for the console message indicating that deletion of the service set has completed before you reactivate the service set.
Endpoint Independent Mapping and Endpoint Independent Filtering
Endpoint independent mapping (EIM) ensures that all connections from a given internal address and port, regardless of destination, are assigned the same external address and port. Connections from a different internal source port may be assigned a different external address and port.
EIM and APP differ as follows:
APP ensures that all sessions from the same internal host are assigned the same external IP address; the external port can differ per session.
EIM provides a stable external IP address and port (for the lifetime of the mapping) to which external hosts can connect. Endpoint independent filtering (EIF) controls which external hosts can connect through that mapping: with EIF, any external host can send traffic to the mapped external address and port once the mapping exists, so enable it only where applications need unsolicited inbound traffic, such as peer-to-peer protocols.
Starting with Junos OS Release 14.1, when you deactivate a service set that uses endpoint independent mapping (EIM), messages are displayed on the PIC console and the EIM mappings for that service set are cleared. One message is generated when deletion of the service set begins and another when it completes. The following sample messages are displayed when deletion starts and ends:
Nov 15 08:33:13.974 [LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated
Nov 15 08:33:14.674 [LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed
In a scaled environment with a large number of EIM mappings in a service set, a heavy volume of messages is generated and deletion takes some time. We recommend that you wait for the console message indicating that deletion of the service set has completed before you reactivate the service set.
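To make the difference between APP, EIM and EIF concrete, the following toy NAPT is an added simulation, not Junos OS code and not the implementation on the services card. Its three switches reproduce the behaviours defined above: APP keys the choice of external address on the internal host; EIM keys the external address:port on the internal address:port alone, ignoring the destination; EIF admits inbound packets to an existing mapping from any remote host, whereas without it only remotes the internal host already contacted are admitted. The two-address pool, the round-robin choice of address, the hosts, ports and the SIP server address are all constructed for the example.

```python
"""APP, EIM and EIF side by side (added toy NAPT, not Junos code)."""
from itertools import cycle
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]
POOL = ["203.0.113.1", "203.0.113.2"]   # two public addresses, documentation range


class ToyNapt:
    def __init__(self, app: bool, eim: bool, eif: bool):
        self.app, self.eim, self.eif = app, eim, eif
        self._addresses = cycle(POOL)                     # rotate through the pool
        self._next_port = 20000
        self.host_address: Dict[str, str] = {}            # APP: host -> external address
        self.mappings: Dict[tuple, Endpoint] = {}         # mapping key -> external endpoint
        self.peers: Dict[Endpoint, Set[Endpoint]] = {}    # external endpoint -> remotes seen

    def _external_address(self, host: str) -> str:
        if self.app:                                      # same host, same external address
            return self.host_address.setdefault(host, next(self._addresses))
        return next(self._addresses)                      # otherwise a new address per mapping

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; returns the external address:port used."""
        key = src if self.eim else (src, dst)             # EIM ignores the destination
        ext = self.mappings.get(key)
        if ext is None:
            ext = (self._external_address(src[0]), self._next_port)
            self._next_port += 1
            self.mappings[key] = ext
        self.peers.setdefault(ext, set()).add(dst)
        return ext

    def inbound(self, remote: Endpoint, ext: Endpoint) -> bool:
        """Is a packet from remote to the external endpoint ext forwarded inside?"""
        if ext not in self.peers:
            return False                                  # no mapping: always dropped
        if self.eif:
            return True                                   # any remote may use the mapping
        return remote in self.peers[ext]                  # only remotes the host contacted


def rtp_rtcp_share_address(nat: ToyNapt) -> bool:
    """The SIP case from the text: RTP and RTCP from adjacent internal ports."""
    server = ("198.51.100.7", 5060)                       # constructed SIP server
    rtp = nat.outbound(("10.0.0.1", 16384), server)
    rtcp = nat.outbound(("10.0.0.1", 16385), server)
    return rtp[0] == rtcp[0]


def eim_stable_mapping(nat: ToyNapt) -> bool:
    """Same internal address:port to two destinations: one external endpoint or two?"""
    a = nat.outbound(("10.0.0.1", 5000), ("198.51.100.7", 5060))
    b = nat.outbound(("10.0.0.1", 5000), ("198.51.100.9", 443))
    return a == b


if __name__ == "__main__":
    print("APP keeps RTP/RTCP on one address:", rtp_rtcp_share_address(ToyNapt(True, True, True)))
    print("without APP:", rtp_rtcp_share_address(ToyNapt(False, False, False)))
    nat = ToyNapt(app=True, eim=True, eif=True)
    ext = nat.outbound(("10.0.0.1", 5000), ("198.51.100.7", 5060))
    print("EIF admits an unrelated host:", nat.inbound(("192.0.2.50", 4000), ext))
```

The last line of the demo is the security point: with EIF enabled, a host the subscriber never spoke to can reach the mapped port, which is exactly what hole-punching applications rely on and exactly what an inbound scan of the public address benefits from.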
Secured Port Block Allocation for NAPT
Port block allocation is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Port block allocation is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS Release 14.2R2.
Carriers track subscribers using the IP address assignment (RADIUS or DHCP) log. With NAPT, one IP address is shared by many subscribers, so the carrier must also track the IP address and port, which are recorded in the NAT log. Because ports are used and reused at a very high rate, per-flow logging produces a very large number of messages that are difficult to archive and correlate. By allocating ports in blocks and logging once per block, port block allocation significantly reduces the number of log messages, making it easier to track subscribers.
Secured Port Block Allocation for NAPT
Secured port block allocation can be used for translation types napt-44 and stateful-nat64.
When allocating blocks of ports, the most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.
When you configure secured port block allocation, you can specify the following:
- block-size
- max-blocks-per-address
- active-block-timeout
Interim Logging for Port Block Allocation
With port block allocation, one syslog message is generated per block of ports allocated to a subscriber, rather than one per flow. These logs are UDP-based and can be lost in the network, which matters most for long-running flows whose block log was sent long before the traffic of interest. Interim logging re-sends these logs at a configured interval for active blocks that have traffic on at least one port of the block.
Interim logging is activated by including the pba-interim-logging-interval statement under services-options for the sp- interface.
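The following simulation is an added example, not Junos OS code. It models the secured port block allocation behaviour described above (ports served randomly from a subscriber's current active block, a further block allocated when that block fills, a cap of max-blocks-per-address) and shows the log-volume argument from the start of this section: two subscribers opening 200 flows produce four block log lines, which are still enough to answer "which subscriber held this address:port at this time". The block-size and max-blocks-per-address knobs mirror the statements listed above; active-block-timeout is not modelled because the page does not describe its semantics. The log line format, the NAT_PORT_BLOCK_ACTIVE and NAT_PORT_BLOCK_RELEASE event names, the public address and the subscriber names are constructed for the example and are not Junos syslog formats.

```python
"""Secured port block allocation with per-block logging and subscriber lookup
(added simulation, not Junos code; log format constructed for the example)."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 64               # block-size
MAX_BLOCKS_PER_ADDRESS = 4    # max-blocks-per-address
PORT_LOW, PORT_HIGH = 1024, 65535
PUBLIC_ADDRESS = "203.0.113.10"   # constructed public NAT address


@dataclass
class Block:
    subscriber: str
    low: int
    high: int
    free_ports: List[int] = field(default_factory=list)

    def __post_init__(self):
        self.free_ports = list(range(self.low, self.high + 1))


class PbaPool:
    def __init__(self, block_size=BLOCK_SIZE, max_blocks=MAX_BLOCKS_PER_ADDRESS, seed=7):
        self.block_size = block_size
        self.max_blocks = max_blocks
        self.rng = random.Random(seed)            # seeded so runs are reproducible
        self.next_block_low = PORT_LOW
        self.blocks: Dict[str, List[Block]] = {}  # subscriber -> blocks; last one is active
        self.syslog: List[str] = []               # one line per block event, not per flow
        self.flows = 0

    def _log(self, now: int, event: str, blk: Block) -> None:
        self.syslog.append(
            f"{now} {event} {blk.subscriber} -> {PUBLIC_ADDRESS}:{blk.low}-{blk.high}")

    def allocate(self, subscriber: str, now: int) -> Optional[Tuple[str, int]]:
        """Translate a new flow for subscriber; None means the flow is refused."""
        blocks = self.blocks.setdefault(subscriber, [])
        active = blocks[-1] if blocks and blocks[-1].free_ports else None
        if active is None:
            if len(blocks) >= self.max_blocks:
                return None                        # subscriber's block quota is used up
            if self.next_block_low + self.block_size - 1 > PORT_HIGH:
                return None                        # pool has no block left to hand out
            active = Block(subscriber, self.next_block_low,
                           self.next_block_low + self.block_size - 1)
            self.next_block_low += self.block_size
            blocks.append(active)
            self._log(now, "NAT_PORT_BLOCK_ACTIVE", active)
        # Random port from the active block, as the text describes.
        port = active.free_ports.pop(self.rng.randrange(len(active.free_ports)))
        self.flows += 1
        return PUBLIC_ADDRESS, port

    def release(self, subscriber: str, now: int) -> None:
        """Subscriber logs off: release every block it holds, one log line each."""
        for blk in self.blocks.pop(subscriber, []):
            self._log(now, "NAT_PORT_BLOCK_RELEASE", blk)


def find_subscriber(syslog: List[str], address: str, port: int, at_time: int) -> Optional[str]:
    """Correlate an abuse report (address, port, time) back to a subscriber.

    Log lines are in time order, so the last block event at or before at_time
    that covers the reported port decides who held it (None if nobody did).
    """
    holder = None
    for line in syslog:
        ts, event, sub, _, target = line.split()
        addr, port_range = target.split(":")
        low, high = (int(x) for x in port_range.split("-"))
        if int(ts) > at_time or addr != address or not low <= port <= high:
            continue
        holder = sub if event == "NAT_PORT_BLOCK_ACTIVE" else None
    return holder


def run_demo(flows_per_subscriber: int = 100) -> PbaPool:
    """Two subscribers open 100 flows each; returns the pool with its log."""
    pool = PbaPool()
    now = 0
    for sub in ("sub-A", "sub-B"):
        for _ in range(flows_per_subscriber):
            now += 1
            pool.allocate(sub, now)
    return pool


if __name__ == "__main__":
    pool = run_demo()
    print(f"{pool.flows} flows produced {len(pool.syslog)} log lines")
    for line in pool.syslog:
        print(line)
    print(find_subscriber(pool.syslog, PUBLIC_ADDRESS, 1100, 150))
```

Note that the lookup needs both the allocation and the release event: without the release line, a port block that was handed to a second subscriber later could be attributed to the first. That is the same reason the interim logging described above exists; if the ACTIVE line is lost in transit and never re-sent, the lookup returns nobody.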
Comparison of NAPT Implementation Methods
Table 1 provides a feature comparison of available NAPT implementation methods.
Feature/Function | Dynamic Port Allocation | Secured Port Block Allocation | Deterministic Port Block Allocation
---|---|---|---
Users per IP | High | Medium | Low
Security Risk | Low | Medium | Medium
Log Utilization | High | Low | None (no logs necessary)
Security Risk Reduction | Random allocation | active-block-timeout feature | n/a
Increasing Users per IP | n/a | Configure multiples of smaller port blocks to maximize users per public IP | Algorithm-based port allocation
Configuring NAPT in IPv4 Networks
Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv4 networks.
To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv4 addresses.
To configure NAPT in IPv4 networks, the following example configures the translation type as napt-44:
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic auto;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}
Dynamic Address Translation to a Small Pool with Fallback to NAT
The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. When the addresses in the source pool (src-pool) are exhausted, NAT is provided by the NAPT overload pool (pat-pool).
[edit services nat]
pool src-pool {
    address-range low 192.16.2.1 high 192.16.2.10;
}
pool pat-pool {
    address-range low 192.16.2.11 high 192.16.2.12;
    port automatic auto;
}
rule myrule {
    match-direction input;
    term myterm {
        from {
            source-address 10.150.1.0/24;
        }
        then {
            translated {
                source-pool src-pool;
                overload-pool pat-pool;
                translation-type napt-44;
            }
        }
    }
}
Dynamic Address Translation with Small Pool
The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. The first 10 hosts that open sessions are each assigned an address from the pool on a first-come, first-served basis, and requests from additional hosts are rejected. Each host with an assigned NAT address can participate in multiple sessions.
[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.10;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 192.168.1.0/24;
        }
        then {
            translated {
                translation-type dynamic-nat44;
                source-pool my-pool;
            }
        }
    }
}
Configuring NAPT in IPv6 Networks
Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv6 networks. Configuring NAPT in IPv6 networks is not supported if you are using MS-MPCs or MS-MICs. For information about configuring NAPT in IPv4 networks, see Configuring NAPT in IPv4 Networks.
To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv6 addresses.
To configure NAPT in IPv6 networks, the following example configures dynamic source (address and port) translation, or NAPT, for an IPv6 network:
[edit services]
user@host# show
service-set IPV6-NAPT-ServiceSet {
    nat-rules IPV6-NAPT-Rule;
    interface-service {
        service-interface sp-0/1/0;
    }
}
nat {
    pool IPV6-NAPT-Pool {
        address 2002::1/96;
        port automatic sequential;
    }
    rule IPV6-NAPT-Rule {
        match-direction input;
        term term1 {
            then {
                translated {
                    source-pool IPV6-NAPT-Pool;
                    translation-type {
                        napt-66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}
Example: Configuring NAT with Port Translation
This example shows how to configure NAT with port translation.
Requirements
This example uses the following hardware and software components:
An MX Series 5G Universal Routing Platform with a Services DPC or an M Series Multiservice Edge router with a services PIC
A domain name server (DNS)
Junos OS Release 11.4 or higher
Overview
This example shows a complete CGN NAT44 configuration and advanced options.
Configuring NAT with Port Translation
Procedure
Step-by-Step Procedure
To configure the service set:
- Configure a service set.
  [edit]
  user@host# edit services service-set ss2
- In configuration mode, go to the [edit services nat] hierarchy level.
  [edit]
  user@host# edit services nat
- Define the pool of source addresses to be used for dynamic translation. For NAPT, also specify port assignment when configuring the source pool.
  [edit services nat]
  user@host# set pool pool-name address source-addresses
  user@host# set pool pool-name port source-ports
  For example:
  [edit services nat]
  user@host# set pool NAPT-Pool address 192.168.2.1/24
  user@host# set pool NAPT-Pool port automatic
- Specify the NAT rule to be used by the service set.
  [edit services service-set ss2]
  user@host# set nat-rules r1
- Define a NAT rule for translating the source addresses. To do this, set the match-direction statement of the rule to input. In addition, define a term that uses napt-44 as the translation type for translating the addresses of the pool defined in the previous step.
  [edit services nat]
  user@host# set rule rule-name match-direction input
  user@host# set rule rule-name term term-name from source-address source-address
  user@host# set rule rule-name term term-name then translated source-pool pool-name
  user@host# set rule rule-name term term-name then translated translation-type napt-44
  For example:
  [edit services nat]
  user@host# set rule r1 match-direction input
  user@host# set rule r1 term t1 from source-address 10.10.10.1
  user@host# set rule r1 term t1 then translated source-pool NAPT-Pool
  user@host# set rule r1 term t1 then translated translation-type napt-44
- Specify the interface service.
  [edit services service-set ss2]
  user@host# set interface-service service-interface sp-5/0/0
Results
[edit]
user@host# show services
service-set ss2 {
    nat-rules r1;
    interface-service {
        service-interface sp-5/0/0;
    }
}
nat {
    pool NAPT-Pool {
        address 192.168.2.1/24;
        port automatic;
    }
    rule r1 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10.10.10.1/32;
                }
            }
            then {
                translated {
                    source-pool NAPT-Pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
Example: NAPT Configuration on the MS-MPC With an Interface Service Set
This example shows how to configure network address translation with port translation (NAPT) on an MX series router using a MultiServices Modular Port Concentrator (MS-MPC) as a services interface card.
Requirements
This example uses the following hardware and software components:
MX-series router
MultiServices Modular Port Concentrator (MS-MPC)
Junos OS Release 13.2R1 or higher
Overview
A service provider has chosen an MS-MPC as a platform to provide NAT services to accommodate new subscribers.
Configuration
To configure NAPT44 using the MS-MPC as a services interface card, perform these tasks:
- CLI Quick Configuration
- Configuring Interfaces
- Configure an Application Set of Acceptable Application Traffic
- Configuring a Stateful Firewall Rule
- Configuring NAT Pool and Rule
- Configuring the Service Set
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-0/2/0 unit 0 family inet address 10.255.248.2/24
set interfaces xe-1/1/0 unit 0 family inet address 10.255.247.2/24
set interfaces xe-1/1/0 unit 0 family inet service input service-set sset1
set interfaces xe-1/1/0 unit 0 family inet service output service-set sset1
set interfaces ms-3/0/0 unit 0 family inet
set applications application-set accept-algs application junos-http
set applications application-set accept-algs application junos-ftp
set applications application-set accept-algs application junos-tftp
set applications application-set accept-algs application junos-telnet
set applications application-set accept-algs application junos-sip
set applications application-set accept-algs application junos-rtcp
set services stateful-firewall rule sf-rule1 match-direction input-output
set services stateful-firewall rule sf-rule1 term sf-term1 from source-address 10.255.247.0/24
set services stateful-firewall rule sf-rule1 term sf-term1 from application-sets accept-algs
set services stateful-firewall rule sf-rule1 term sf-term1 then accept
set services nat pool napt-pool address 1.1.1.0/24
set services nat pool napt-pool port automatic
set services nat rule nat-rule1 match-direction input
set services nat rule nat-rule1 term nat-term1 from source-address 10.255.247.0/24
set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
set services service-set sset1 stateful-firewall-rules sf-rule1
set services service-set sset1 nat-rules nat-rule1
set services service-set sset1 interface-service service-interface ms-3/0/0
Configuring Interfaces
Step-by-Step Procedure
Configure the interfaces required for NAT processing. You will need the following interfaces:
A customer-facing interface that handles traffic from and to the customer.
An internet-facing interface.
A services interface that provides NAT and stateful firewall services to the customer-facing interface
Configure the customer-facing interface.
[edit]
user@host# set interfaces xe-1/1/0 unit 0 family inet address 10.255.247.2/24
user@host# set interfaces xe-1/1/0 unit 0 family inet service input service-set sset1
user@host# set interfaces xe-1/1/0 unit 0 family inet service output service-set sset1
Configure the Internet-facing interface.
[edit]
user@host# set interfaces ge-0/2/0 unit 0 family inet address 10.255.248.2/24
Configure the services interface for the service set that will connect services to the customer-facing interface. In this example, the interface resides on an MS-MPC.
[edit]
user@host# set interfaces ms-3/0/0 unit 0 family inet
Configure an Application Set of Acceptable Application Traffic
Step-by-Step Procedure
Identify the acceptable applications for incoming traffic.
Specify an application set that contains acceptable incoming application traffic.
[edit]
user@host# set applications application-set accept-algs application junos-http
user@host# set applications application-set accept-algs application junos-ftp
user@host# set applications application-set accept-algs application junos-tftp
user@host# set applications application-set accept-algs application junos-telnet
user@host# set applications application-set accept-algs application junos-sip
user@host# set applications application-set accept-algs application junos-rtcp
Results
[edit applications application-set accept-algs]
user@host# show
application junos-http;
application junos-ftp;
application junos-tftp;
application junos-telnet;
application junos-sip;
application junos-rtcp;
Configuring a Stateful Firewall Rule
Step-by-Step Procedure
Configure a stateful firewall rule that accepts traffic from the customer subnet for the applications in the application set.
Specify firewall matching for both the input and output directions.
[edit]
user@host# set services stateful-firewall rule sf-rule1 match-direction input-output
Identify the source address and the acceptable application traffic from the customer-facing interface.
[edit]
user@host# set services stateful-firewall rule sf-rule1 term sf-term1 from source-address 10.255.247.0/24
user@host# set services stateful-firewall rule sf-rule1 term sf-term1 from application-sets accept-algs
user@host# set services stateful-firewall rule sf-rule1 term sf-term1 then accept
Results
[edit services stateful-firewall]
user@host# show
rule sf-rule1 {
    match-direction input-output;
    term sf-term1 {
        from {
            source-address {
                10.255.247.0/24;
            }
            application-sets accept-algs;
        }
        then {
            accept;
        }
    }
}
Configuring NAT Pool and Rule
Step-by-Step Procedure
Configure a NAT pool and rule for address translation with automatic port assignment.
Configure the NAT pool with automatic port assignment.
[edit]
user@host# set services nat pool napt-pool address 1.1.1.0/24
user@host# set services nat pool napt-pool port automatic
Configure a NAT rule that applies translation type napt-44 using the defined NAT pool.
[edit]
user@host# set services nat rule nat-rule1 match-direction input
user@host# set services nat rule nat-rule1 term nat-term1 from source-address 10.255.247.0/24
user@host# set services nat rule nat-rule1 term nat-term1 from application-sets accept-algs
user@host# set services nat rule nat-rule1 term nat-term1 then translated source-pool napt-pool
user@host# set services nat rule nat-rule1 term nat-term1 then translated translation-type napt-44
Results
[edit services nat]
user@host# show
pool napt-pool {
    address 1.1.1.0/24;
    port {
        automatic;
    }
}
rule nat-rule1 {
    match-direction input;
    term nat-term1 {
        from {
            source-address {
                10.255.247.0/24;
            }
            application-sets accept-algs;
        }
        then {
            translated {
                source-pool napt-pool;
                translation-type {
                    napt-44;
                }
            }
        }
    }
}
Configuring the Service Set
Step-by-Step Procedure
Configure an interface-type service set.
Specify the NAT and stateful firewall rules that apply to customer traffic.
[edit]
user@host# set services service-set sset1 stateful-firewall-rules sf-rule1
user@host# set services service-set sset1 nat-rules nat-rule1
Specify the services interface that applies the rules to customer traffic.
[edit]
user@host# set services service-set sset1 interface-service service-interface ms-3/0/0
Results
[edit services service-set sset1]
user@host# show
stateful-firewall-rules sf-rule1;
nat-rules nat-rule1;
interface-service {
    service-interface ms-3/0/0;
}
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release | Description
---|---
14.2 | Starting with Junos OS Release 14.2, you can include the sequential option with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level for sequential allocation of ports from the specified range.
14.2 | Starting with Junos OS Release 14.2, the auto option is hidden and is deprecated, and is only maintained for backward compatibility.
14.2 | Starting with Junos OS Release 14.2, the sequential option is introduced to enable you to configure sequential allocation of ports.