close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Services Overview
  - Adaptive Services and Multiservices Interfaces Overview
  - Packet Flow Through the Adaptive Services or Multiservices PIC
- play_arrow Services Configuration Overview
play_arrow Network Address Translation
- play_arrow NAT Overview
- play_arrow Stateful NAT64
  - Stateful NAT64
- play_arrow Static Source NAT
  - Static Source NAT
- play_arrow Static Destination NAT
  - Static Destination NAT
- play_arrow Network Address Port Translation
  - Network Address Port Translation
- play_arrow Deterministic NAT
  - Deterministic NAT
- play_arrow NAT Protocol Translation
  - NAT Protocol Translation
  - Example: Configuring the DNS ALG Application on MX-SPC3 service card
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
  - IPv4 Connectivity Across IPv6-Only Network Using 464XLAT
- play_arrow Port Control Protocol
  - Port Control Protocol
- play_arrow Secured Port Block Allocation
  - Secured Port Block Allocation
  - Secured Port Block Allocation Interim Logging
- play_arrow Port Forwarding
  - Port Forwarding
- play_arrow Dynamic Address-Only Source Translation
  - Dynamic Address-Only Source Translation
- play_arrow Inline NAT
  - Inline NAT
- play_arrow Stateless Source Network Prefix Translation for IPv6
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Monitoring NAT
  - Monitoring NAT
- play_arrow Packet Translation and GRE Tunneling
  - Packet Translation and GRE Tunneling
play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
- play_arrow Transitioning to IPv6 Using MAP-E and MAP-T
  - Mapping of Address and Port with Encapsulation (MAP-E)
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- Mapping of Address and Port with Translation (MAP-T)
play_arrow Transition to IPv6 With Softwires
- play_arrow Transition to IPv6 With 6to4 Softwires
  - Softwires Configuration Overview
  - 6to4 Softwires
- play_arrow Transition to IPv6 With DS-Lite Softwires
  - DS-Lite Softwires
- play_arrow Transition to IPv6 With 6rd Softwires
  - Configuring a 6rd Softwire
- play_arrow Transition to IPv6 With Inline Softwires
  - Inline 6rd and 6to4 Softwires
- play_arrow Monitoring and Troubleshooting Softwires
  - Monitoring and Troubleshooting Softwires
play_arrow ALGs
- play_arrow ALGs
  - ALG Overview
  - ALG Applications
play_arrow Access Security
- play_arrow Stateful Firewalls
  - Stateful Firewalls
  - Monitoring Stateful Firewalls
- play_arrow IDS on MS-DPC
  - IDS on MS-DPC
- play_arrow Network Attack Protection on MS-MPC and MS-MIC
  - Network Attack Protection on MS-MPC and MS-MIC
play_arrow IPsec Tunnels
- play_arrow IPsec Overview
  - IPsec Overview
- play_arrow Inline IPsec
  - Inline IPsec
- play_arrow IPsec Tunnels With Static Endpoints
- play_arrow IPsec Tunnels With Dynamic Endpoints
  - IPsec Tunnels With Dynamic Endpoints
- - Inline IPsec
play_arrow CoS on Services Cards
- play_arrow CoS on Services Cards
  - Class of Service on Services Interfaces
- play_arrow Class of Service on Link Services Interfaces
  - Class of Service on Link Services Interfaces
play_arrow Inter-Chassis Redundancy for NAT and Stateful Firewall Flows
- play_arrow Configuring Inter-Chassis MS-MPC and MS-MIC for NAT and Stateful Firewall (Release 16.1 and later)
  - Inter-Chassis Stateful Synchronization for Long Lived NAT and Stateful Firewall Flows (MS-MPC, MS-MIC) (Release 16.1 and later)
  - Service Redundancy Daemon
- play_arrow Configuring Inter-Chassis Stateful Synchronization for NAT and Stateful Firewall (Release 15.1 and earlier)
  - Inter-Chassis High Availability for MS-MIC and MS-MPC (Release 15.1 and earlier)
play_arrow Multilinks
- play_arrow Link Services Interface Redundancy
  - Link Services Interface Redundancy
- play_arrow Link Bundling
  - Inline Multlink Services
play_arrow Traffic Load Balancer
- play_arrow Traffic Load Balancer
  - Traffic Load Balancer
play_arrow Services Card Redundancy
- play_arrow Services Card Redundancy for MS-MPC and MS-MIC
  - Load Balancing and High Availability With Aggregated Multiservices Interfaces on MS-MPC and MS-MIC
- play_arrow Services Card Redundancy for Multiservices PIC
  - Configuring AS or Multiservices PIC Redundancy
play_arrow Voice Services
- play_arrow Voice Services
  - Voice Services
play_arrow Layer 2 PPP Tunnels
- play_arrow Layer 2 Tunneling of PPP Packets
  - Layer 2 Tunneling of PPP Packets
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering
play_arrow Configuration Statements and Operational Commands
- [OBSOLETE] unidirectional-session-refreshing
- Junos CLI Reference Overview

list Table of Contents

English

Port Forwarding

date_range 26-Jan-21

arrow_backward

arrow_forward

Port Forwarding Overview

You can map an external IP address and port with an IP address and port in a private network. This mapping, called port forwarding, is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

Port forwarding allows the destination address and port of a packet to be changed to reach the correct host in a Network Address Translation (NAT) gateway. The translation facilitates reaching a host within a masqueraded, typically private, network, based on the port number on which the packet was received from the originating host. An example of this type of destination is the host of a public HTTP server within a private network. You can also configure port forwarding without translating a destination address. Port forwarding supports endpoint-independent mapping (EIM), endpoint-independent filltering (EIF), and address pooling paired (APP).

Port forwarding works only with the FTP application-level gateway (ALG), and has no support for technologies that offer IPv6 services over IPv4 infrastructure, such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite). Port forwarding supports only dnat-44 and twice-napt-44 on IPv4 networks.

Benefits of Port Forwarding

Allows remote computers, such as public machines on the Internet, to connect to a non-standard port of a specific computer that is hidden within a private network.

Configuring Port Forwarding for Static Destination Address Translation

You can configure destination address translation with port forwarding. Port forwarding allows the destination address and port of a packet to be changed to reach the correct host in a Network Address Translation (NAT) gateway. Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

To configure destination address translation with port forwarding:

In configuration mode, go to the [edit services nat] hierarchy level.
```
[edit]
user@host# edit services nat
```
Configure the NAT pool with an address.
```
 [edit services nat]
user@host# set pool pool-name address address
```
In the following example, dest-pool is used as the pool name and 192.0.2.2 as the address.
```
user@host# set pool dest-pool address 192.0.2.2
```

Configure the rule, match direction, term, and destination address.

content_copy zoom_out_map
[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-address  address 

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 198.51.100.20.

content_copy zoom_out_map
[edit services nat]
user@host# set rule rule-dnat44 match-direction  input term t1 from destination-address 198.51.100.20 

Configure the destination port range.

content_copy zoom_out_map
[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-port range high maximum-value low minimum-value

In the following example, the upper port range is 50 and the lower port range is 20.

content_copy zoom_out_map
[edit services nat]
user@host# set rule rule-dnat44 match-direction  input term t1 from destination-port range high 50 low 20 

Go to the [edit services nat rule rule-name term term-name] hierarchy level.
```
[edit services nat]
user@host# edit rule rule-name term term-name
```

Configure the destination pool.

content_copy zoom_out_map
[edit services nat rule rule-name term term-name]
user@host# set then translated destination-pool dest-pool-name 

In the following example, the destination pool name is dest-pool.

content_copy zoom_out_map
[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool  dest-pool 

Specify the name of the mapping for port forwarding and configure the translation type. You can only configure one mapping within a NAT rule term.

content_copy zoom_out_map
[edit services nat rule rule-name term term-name]
user@host# set then port-forwarding-mappings  map-name
user@host# set then translated translation-type translation-type

In the following example, the port forwarding mapping name is map1, and the translation type is dnat-44.

content_copy zoom_out_map
[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings  map1
user@host# set then translated translation-type dnat-44 

Go to the [edit services nat port-forwarding map-name] hierarchy level.
```
[edit services nat]
user@host# edit port-forwarding map-name 
```
Configure the mapping for port forwarding.
```
[edit port-forwarding map-name]
user@host# set destined-port port-id
user@host# set translated-port port-id
```
In the following example, the destination port number that needs to be translated is 23 and the port to which traffic is mapped is 45.
```
[edit port-forwarding map1]
user@host# set destined-port 23
user@host# set translated-port 45
```
Note:
Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.

The destination port should not overlap the port range configured for NAT.
Apply the NAT rule to the service set that performs the port mapping.
```
[edit services service-set service-set-name]
user@host# set nat-rules rule-name
```

Verify the configuration by using the show command at the [edit services nat] hierarchy level.

content_copy zoom_out_map
[edit services]
user@host# show 
nat {
	pool dest-pool {
	    address 192.0.2.2/32;
	}
	rule rule-dnat44 {
	    match-direction input;
	    term t1
          from {
             destination-address {
		           198.51.100.20/32
             }
             destination-port {
		           range low 20 high 50;
		       }
		}
          then {
             port-forwarding-mappings map1;
             translated {
                  destination-pool dest-pool;
                  translation-type {
                     dnat-44;
		        			 }
		    			}
				 }
	   }
	}
	port-forwarding map1 {
       destined-port 45;
       translated-port 23;
	    }
}
service-set ss1 {
     nat-rules rule-dnat44;
     interface-service {
        service-interface sp-10/0/0.0;
        }
     }

Note:

A similar configuration is possible with twice NAT for IPv4. See Example: Configuring Port Forwarding with Twice NAT.
Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Configuring Port Forwarding Without Destination Address Translation

You can configure port forwarding without translating a destination address. Port forwarding allows the destination port to be changed to reach the correct port in a Network Address Translation (NAT) gateway. Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

To configure port forwarding without destination address translation in IPv4 networks:

In configuration mode, go to the [edit services nat] hierarchy level.
```
[edit]
user@host# edit services nat
```
Configure the rule, match direction, term name, and any conditions that the traffic must match before the rule is applied.
```
[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from match-conditions 
```
In the following example, the name of the rule is rule-port-forwarding, the match direction is input, the name of the term is t1, and the destination address that must be matched is 198.51.100.20.
```
[edit services nat]
user@host# set rule rule-port-forwarding match-direction  input term t1 from destination-address 198.51.100.20 
```
Go to the [edit services nat rule rule-name term term-name] hierarchy level.
```
[edit services nat]
user@host# edit rule  rule-name term term-name
```

Specify that there is no address translation for this rule.

content_copy zoom_out_map
[edit services nat rule rule-name term term-name]
user@host# set then no-translation

Specify the name of the mapping for port forwarding. You can only configure one mapping within a NAT rule term.
```
[edit services nat rule rule-name term term-name]
user@host# set then port-forwarding-mappings map-name 
```
In the following example, the port forwarding mapping name is map1.
```
[edit services nat rule rule-port-forwarding term t1]
user@host# set then port-forwarding-mappings  map1 
```
Go to the [edit services nat port-forwarding map-name] hierarchy level.
```
[edit services nat]
user@host# edit port-forwarding map-name 
```
Configure the mapping for port forwarding.
```
[edit port-forwarding map-name]
user@host# set destined-port port-id
user@host# set translated-port port-id
```
In the following example, the destination port number that needs to be translated is 23 and the port to which traffic is mapped is 45.
```
[edit port-forwarding map1]
user@host# set destined-port 23
user@host# set translated-port 45
```
Note:
Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.

The destination port should not overlap the port range configured for NAPT.
Apply the NAT rule to the service set that performs the port mapping.
```
[edit services service-set service-set-name]
user@host# set nat-rules rule-name
```
Note:
On the MS-MPC and MS-MIC, you cannot apply port forwarding NAT rules to an AMS interface.

Verify the configuration by using the show command at the [edit services] hierarchy level.

content_copy zoom_out_map
[edit services]
user@host# show 
nat {
	rule rule-port-forwarding {
	    match-direction input;
	    term t1 {
		    then {
		       port-forwarding-mappings map1;
			 		   no-translation 		    			}
					}
	   	}
	}
	port-forwarding map1 {
	    destined-port 45;
       translated-port 23;
	    }
}
service-set ss2 {
     nat-rules rule-port-forwarding;
     interface-service {
        service-interface sp-10/0/0.0;
        }
     }

Note:

Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Example: Configuring Port Forwarding with Twice NAT

The following example configures port forwarding with twice-napt-44 as the translation type. The example also has stateful firewall and multiple port maps configured.

Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

content_copy zoom_out_map
[edit services]
user@host# show 
service-set in {
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules r;
    nat-rules r;
    interface-service {
        service-interface sp-10/0/0.0;
    }
}
stateful-firewall {
    rule r {
        match-direction input;
        term t {
            from {
                destination-port {
                    range low 20 high 5000;
                }
            }
            then {
                reject;
            }
        }
    }
}
nat {
    pool x {
        address 203.0.113.2/32;
    }
    rule r {
        match-direction input;
        term t {
            from {
                destination-address {
                    198.51.100.2/32;
                }
                destination-port {
                    range low 10 high 20000;
                }
            }
            then {
                port-forwarding-mappings y;
                translated {
                   destination-pool x;
                   translation-type {
                      twice-napt-44;
                    }
                }
            }
        }
    }
    port-forwarding y {
        destined-port 45;
        translated-port 23;
        destined-port 55;
        translated-port 33;
        destined-port 65;
        translated-port 43;
		 }
}
adaptive-services-pics {
    traceoptions {
        file sp-trace;
        flag all;
    }
}

Note:

Stateful firewall has precedence over port forwarding. In this example, for instance, no traffic destined to any port between 20 and 5000 will be translated.
Up to 32 port maps can be configured.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release

Description

17.4R1

Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

17.4R1

Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

17.4R1

Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

17.4R1

Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

arrow_backward PREVIOUS Secured Port Block Allocation Interim Logging

NEXT arrow_forward Dynamic Address-Only Source Translation

Adaptive Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Port Forwarding

Port Forwarding Overview

Benefits of Port Forwarding

Configuring Port Forwarding for Static Destination Address Translation

Configuring Port Forwarding Without Destination Address Translation

Example: Configuring Port Forwarding with Twice NAT

Change History Table

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry