Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Port Forwarding

Port Forwarding Overview

You can map an external IP address and port with an IP address and port in a private network. This mapping, called port forwarding, is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

Port forwarding allows the destination address and port of a packet to be changed to reach the correct host in a Network Address Translation (NAT) gateway. The translation facilitates reaching a host within a masqueraded, typically private, network, based on the port number on which the packet was received from the originating host. An example of this type of destination is the host of a public HTTP server within a private network. You can also configure port forwarding without translating a destination address. Port forwarding supports endpoint-independent mapping (EIM), endpoint-independent filltering (EIF), and address pooling paired (APP).

Port forwarding works only with the FTP application-level gateway (ALG), and has no support for technologies that offer IPv6 services over IPv4 infrastructure, such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite). Port forwarding supports only dnat-44 and twice-napt-44 on IPv4 networks.

Benefits of Port Forwarding

  • Allows remote computers, such as public machines on the Internet, to connect to a non-standard port of a specific computer that is hidden within a private network.

Configuring Port Forwarding for Static Destination Address Translation

You can configure destination address translation with port forwarding. Port forwarding allows the destination address and port of a packet to be changed to reach the correct host in a Network Address Translation (NAT) gateway. Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

To configure destination address translation with port forwarding:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
  2. Configure the NAT pool with an address.

    In the following example, dest-pool is used as the pool name and 192.0.2.2 as the address.

  3. Configure the rule, match direction, term, and destination address.

    In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 198.51.100.20.

  4. Configure the destination port range.

    In the following example, the upper port range is 50 and the lower port range is 20.

  5. Go to the [edit services nat rule rule-name term term-name] hierarchy level.
  6. Configure the destination pool.

    In the following example, the destination pool name is dest-pool.

  7. Specify the name of the mapping for port forwarding and configure the translation type. You can only configure one mapping within a NAT rule term.

    In the following example, the port forwarding mapping name is map1, and the translation type is dnat-44.

  8. Go to the [edit services nat port-forwarding map-name] hierarchy level.
  9. Configure the mapping for port forwarding.

    In the following example, the destination port number that needs to be translated is 23 and the port to which traffic is mapped is 45.

    Note:

    • Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.

    • The destination port should not overlap the port range configured for NAT.

  10. Apply the NAT rule to the service set that performs the port mapping.
  11. Verify the configuration by using the show command at the [edit services nat] hierarchy level.
Note:

Configuring Port Forwarding Without Destination Address Translation

You can configure port forwarding without translating a destination address. Port forwarding allows the destination port to be changed to reach the correct port in a Network Address Translation (NAT) gateway. Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

To configure port forwarding without destination address translation in IPv4 networks:

  1. In configuration mode, go to the [edit services nat] hierarchy level.
  2. Configure the rule, match direction, term name, and any conditions that the traffic must match before the rule is applied.

    In the following example, the name of the rule is rule-port-forwarding, the match direction is input, the name of the term is t1, and the destination address that must be matched is 198.51.100.20.

  3. Go to the [edit services nat rule rule-name term term-name] hierarchy level.
  4. Specify that there is no address translation for this rule.
  5. Specify the name of the mapping for port forwarding. You can only configure one mapping within a NAT rule term.

    In the following example, the port forwarding mapping name is map1.

  6. Go to the [edit services nat port-forwarding map-name] hierarchy level.
  7. Configure the mapping for port forwarding.

    In the following example, the destination port number that needs to be translated is 23 and the port to which traffic is mapped is 45.

    Note:

    • Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.

    • The destination port should not overlap the port range configured for NAPT.

  8. Apply the NAT rule to the service set that performs the port mapping.
    Note:

    On the MS-MPC and MS-MIC, you cannot apply port forwarding NAT rules to an AMS interface.

  9. Verify the configuration by using the show command at the [edit services] hierarchy level.
Note:

Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Example: Configuring Port Forwarding with Twice NAT

The following example configures port forwarding with twice-napt-44 as the translation type. The example also has stateful firewall and multiple port maps configured.

Port forwarding is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICS. Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.

Note:

  • Stateful firewall has precedence over port forwarding. In this example, for instance, no traffic destined to any port between 20 and 5000 will be translated.

  • Up to 32 port maps can be configured.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.4R1
Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.
17.4R1
Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.
17.4R1
Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.
17.4R1
Starting in Junos OS Release 17.4R1, port forwarding is also supported on the MS-MPC and MS-MIC.