- play_arrow Overview
- play_arrow Next Gen Services Overview
- play_arrow Configuration Overview
- Configuration Differences Between Adaptive Services and Next Gen Services on the MX-SPC3
- Next Gen Services Feature Configuration Overview
- How to Configure Services Interfaces for Next Gen Services
- How to Configure Interface-Style Service Sets for Next Gen Services
- How to Configure Next-Hop Style Service Sets for Next Gen Services
- How to Configure Service Set Limits for Next Gen Services
- Example: Next Gen Services Inter-Chassis Stateful High Availability for NAT and Stateful Firewall (MX-SPC3)
- Example: Configuring AutoVPN with Pre-Shared Key
- Enabling and Disabling Next Gen Services
- play_arrow Global System Logging Overview and Configuration
- Understanding Next Gen Services CGNAT Global System Logging
- Enabling Global System Logging for Next Gen Services
- Configuring Local System Logging for Next Gen Services
- Configuring System Logging to One or More Remote Servers for Next Gen Services
- System Log Error Messages for Next Gen Services
- Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow Next Gen Services SNMP MIBS and Traps
-
- play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
-
- play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
-
- play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
-
- play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
-
- play_arrow URL Filtering
- play_arrow URL Filtering
-
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
-
- play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
-
- play_arrow Inter-Chassis Services PIC High Availability
- play_arrow Inter-Chassis Services PIC High Availability Overview and Configuration
- Next Gen Services Inter-chassis High Availability Overview for NAT, Stateful Firewall, and IDS Flows
- Inter-Chassis Stateful Synchronization for Long Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services
- Inter-Chassis Services Redundancy Overview for Next Gen Services
- Configuring Inter-Chassis Services Redundancy for Next Gen Services
-
- play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
-
- play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
-
- play_arrow Configuration Statements
Address Pooling and Endpoint Independent Mapping for Port Translation
Address Pooling
Address pooling, or address pooling paired (APP) ensures assignment of the same external IP address for all sessions originating from the same internal host. You can use this feature when assigning external IP addresses from a pool. This option does not affect port utilization.
Address pooling solves the problems of an application opening multiple connections. For example, when Session Initiation Protocol (SIP) client sends Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, the SIP generally server requires that they come from the same IP address, even if they have been subject to NAT. If RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) benefits from address pooling paired.
The following are use cases for address pooling:
A site that offers instant messaging services requires that chat and their control sessions come from the same public source address. When the user signs on to chat, a control session authenticates the user. A different session begins when the user starts a chat session. If the chat session originates from a source address that is different from the authentication session, the instant messaging server rejects the chat session, because it originates from an unauthorized address.
Certain websites such as online banking sites require that all connections from a given host come from the same IP address.
When you deactivate a service set that contains address pooling paired (APP) for that service set, messages are displayed on the PIC console and the mappings are cleared for that service set. These messages are triggered when the deletion of a service-set commences and again generated when the deletion of the service set is completed. The following sample messages are displayed when deletion starts and ends:
Nov 15 08:33:13.974 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated
Nov 15 08:33:14.674 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed
In a scaled environment that contains a large number of APP in a service set, a heavy volume of messages is generated and this process takes some amount of time. We recommend that you wait until the console messages indicating the completion of deletion of the service set are completed before you reactivate the service-set again.
Endpoint Independent Mapping and Endpoint Independent Filtering
Endpoint independent mapping (EIM) ensures the assignment of the same external address and port for all connections from a given host if they use the same internal port. This means if they come from a different source port, you are free to assign a different external address.
EIM and APP differ as follows:
APP ensures assigning the same external IP address.
EIM provides a stable external IP address and port (for a period of time) to which external hosts can connect. Endpoint independent filtering (EIF) controls which external hosts can connect to an internal host.
When you deactivate a service set that contains endpoint independent mapping (EIM) mapping for that service set, messages are displayed on the PIC console and the mappings are cleared for that service set. These messages are triggered when the deletion of a service set commences and again generated when the deletion of the service set is completed. The following sample messages are displayed when deletion starts and ends:
Nov 15 08:33:13.974 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion initiated
Nov 15 08:33:14.674 LOG: Critical] SVC-SET ss1 (iid 5) deactivate/delete: NAT Mappings and flows deletion completed
In a scaled environment that contains a large number of EIM mappings in a service set, a heavy volume of messages is generated and this process takes some amount of time. We recommend that you wait until the console messages indicating the completion of deletion of the service set are completed before you reactivate the service-set again.