Network Address Translation User Guide
Source NAT

17-Dec-24

Source NAT is most commonly used to translate a private IP address to a publicly routable address so that the host can communicate with external networks. Source NAT changes the source address of packets that pass through the router. A NAT pool is a set of addresses designated as replacements for client IP addresses. For more information, see the following topics:

Understanding Source NAT

Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

Source NAT allows connections to be initiated only for outgoing network connections—for example, from a private network to the Internet. Source NAT is commonly used to perform the following translations:

  • Translate a single IP address to another address (for example, to provide a single device in a private network with access to the Internet).

  • Translate a contiguous block of addresses to another block of addresses of the same size.

  • Translate a contiguous block of addresses to another block of addresses of smaller size.

  • Translate a contiguous block of addresses to a single IP address or a smaller block of addresses using port translation.

  • Translate a contiguous block of addresses to the address of the egress interface.

Translation to the address of the egress interface does not require an address pool; all other source NAT translations require configuration of an address pool. One-to-one and many-to-many translations for address blocks of the same size do not require port translation because there is an available address in the pool for every address that would be translated.

If the size of the address pool is smaller than the number of addresses that would be translated, either the total number of concurrent addresses that can be translated is limited by the size of the address pool or port translation must be used. For example, if a block of 253 addresses is translated to an address pool of 10 addresses, a maximum of 10 devices can be connected concurrently unless port translation is used.

The following types of source NAT are supported:

  • Translation of the original source IP address to the egress interface’s IP address (also called interface NAT). Port address translation is always performed.

  • Translation of the original source IP address to an IP address from a user-defined address pool without port address translation. The association between the original source IP address to the translated source IP address is dynamic. However, once there is an association, the same association is used for the same original source IP address for new traffic that matches the same NAT rule.

  • Translation of the original source IP address to an IP address from a user-defined address pool with port address translation. The association between the original source IP address to the translated source IP address is dynamic. Even if an association exists, the same original source IP address may be translated to a different address for new traffic that matches the same NAT rule.

  • Translation of the original source IP address to an IP address from a user-defined address pool by shifting the IP addresses. This type of translation is one-to-one, static, and without port address translation. If the original source IP address range is larger than the IP address range in the user-defined pool, untranslated packets are dropped.

On MX Series devices, if you use source NAT on an aggregated multiservices (AMS) interface, the service-set configuration creates a separate entry for each AMS interface. Memory utilization can therefore be exhausted, and configuring an additional AMS interface then results in a configuration commit error.

Understanding Central Point Architecture Enhancements for NAT

System session capacity and session ramp-up rate are limited by central point memory capacity and CPU capacity. Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the central point architecture for NAT has been enhanced to handle higher system session capacity and session ramp-up rate for the SRX5000 line. The workload on the central point is reduced to increase the session capacity and to support more sessions, achieving higher connections per second (CPS). Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture have been offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation. The following list describes the enhancements to NAT to improve performance:

  • The central point architecture no longer supports central point sessions. Therefore, NAT needs to maintain a NAT tracker to track the IP address or port allocation and usage. NAT tracker is a global array for SPU session ID to NAT IP or port mapping that is used to manage NAT resources.

  • By default, a NAT rule alarm and trap statistics counter update message is sent from the Services Processing Unit (SPU) to the central point at intervals of 1 second instead of updating the statistics based on each session trigger in the central point system.

  • To support a specific NAT IP address or port allocated such that the 5-tuple hash after NAT is the same as the original 5-tuple hash before NAT, the device selects a NAT port that produces the same hash as the original through a specific calculation. Hence, the number of forwarding sessions is reduced. When NAT is used, the reverse wing is hashed to a different SPU, and a forwarding session has to be installed to forward reverse traffic to the session SPU. NAT tries to select a port that makes the hash algorithm place the reverse wing on the same SPU as the initial wing. Both NAT performance and throughput are improved with this approach.

  • To improve NAT performance, IP shifting pool (non-PAT pool) management is moved from the central point to the SPU so that all local NAT resources for that pool are managed locally instead of sending the NAT request to the central point. Hence, IP address-shifting NAT pool connections per second and throughput are improved.

Port Overflow Burst Mode

The port overflow burst mode allows you to use the ports beyond the allocated port blocks. You can configure a burst pool with a range of ports in an IP address to be reserved for bursting.

There are primary and burst pool types; the device uses the burst pool once subscribers reach the limit configured for the primary pool.

Burst mode is supported on:

  1. Deterministic NAT source NAT pool with PBA type burst pool.

  2. Deterministic NAT source NAT pool with dynamic Network Address Port Translation (NAPT) type burst pool.

  3. Regular PBA source NAT pool with PBA type burst pool.

  4. Regular PBA source NAT pool with dynamic NAPT type burst pool.

Table 1: Burst Mode Operations

NAT Type | Before the configured port block limit is exceeded | After the configured port block limit is exceeded
Deterministic NAT source NAT pool with PBA type burst pool | Port blocks from the primary DetNAT pool are used. | Port blocks from the burst pool configured in PBA are used.
Deterministic NAT source NAT pool with dynamic Network Address Port Translation (NAPT) type burst pool | Port blocks from the primary DetNAT pool are used. | Port blocks from the burst pool configured in dynamic NAPT are used.
Regular PBA source NAT pool with PBA type burst pool | Port blocks from the primary PBA pool are used. | Port blocks from the burst pool configured in PBA are used.
Regular PBA source NAT pool with dynamic NAPT type burst pool | Port blocks from the primary PBA pool are used. | Port blocks from the burst pool configured in dynamic NAPT are used.

PBA Burst Type Method—PBA supports APP and non-APP modes of operation.

  • APP Mode—Ports are allocated from the primary pool. When a subscriber exceeds the limit of the primary pool, new sessions are created only if ports for the same IP address are available in the burst pool.

  • non-APP Mode—Ports are allocated from the primary pool. When a subscriber exceeds the limit of the primary pool, new sessions are created from the burst pool using any available IP address and port.

DetNAT Burst Type Method—Ports are allocated from the primary pool. If the same IP address is not present in the burst pool, or no ports remain available for that IP address, new sessions are created with another IP address. If the burst pool is configured with IP addresses that differ from the primary pool, another IP address from the burst pool is used.
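The primary-then-burst behaviour of Table 1 and the APP/non-APP distinction above, modelled as an added example that is not Juniper code and is not taken from this page: a small port-block allocator serves a subscriber from the primary pool until the subscriber's block limit is reached, then turns to the burst pool. The pool names, addresses, port ranges, block size and the demo helper are constructed for illustration; the rule that an APP-mode subscriber holding no address yet gets nothing from the burst pool is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PortBlock:
    ip: str      # translated (public) address the block belongs to
    start: int   # first port in the block
    size: int    # number of consecutive ports in the block
    pool: str    # "primary" or "burst"


class BlockPool:
    """A PBA-style pool: each address is carved into fixed-size port blocks."""

    def __init__(self, name, ips, port_start, port_end, block_size):
        count = (port_end - port_start + 1) // block_size
        self.free = {
            ip: [PortBlock(ip, port_start + i * block_size, block_size, name)
                 for i in range(count)]
            for ip in ips
        }

    def take(self, only_ip=None):
        """Pop one free block; when only_ip is given, refuse any other address."""
        candidates = [only_ip] if only_ip is not None else list(self.free)
        for ip in candidates:
            if self.free.get(ip):
                return self.free[ip].pop(0)
        return None


class BurstAllocator:
    """Primary pool first; once a subscriber holds block_limit primary blocks,
    further blocks come from the burst pool (the Table 1 behaviour)."""

    def __init__(self, primary, burst, block_limit, app_mode):
        self.primary = primary
        self.burst = burst
        self.block_limit = block_limit   # per-subscriber limit on primary blocks
        self.app_mode = app_mode         # True: burst blocks must reuse the subscriber's IP
        self.held = defaultdict(list)    # subscriber -> blocks assigned so far

    def allocate(self, subscriber):
        mine = self.held[subscriber]
        if sum(b.pool == "primary" for b in mine) < self.block_limit:
            block = self.primary.take()
            if block is not None:
                mine.append(block)
                return block
        if self.app_mode:
            # APP mode: only ports on an IP address the subscriber already uses.
            # Assumption: a subscriber with no address yet gets nothing from the burst pool.
            block = None
            for ip in sorted({b.ip for b in mine}):
                block = self.burst.take(only_ip=ip)
                if block is not None:
                    break
        else:
            # non-APP mode: any available address and port in the burst pool.
            block = self.burst.take()
        if block is not None:
            mine.append(block)
        return block


def demo(app_mode, rounds=4):
    """Constructed scenario: one subscriber requesting four blocks in a row.
    Primary pool: two addresses with two 8-port blocks each; burst pool: one
    address shared with the primary pool and one extra address."""
    primary = BlockPool("primary", ["203.0.113.1", "203.0.113.2"], 1024, 1039, 8)
    burst = BlockPool("burst", ["203.0.113.1", "203.0.113.3"], 2048, 2063, 8)
    nat = BurstAllocator(primary, burst, block_limit=1, app_mode=app_mode)
    out = []
    for _ in range(rounds):
        blk = nat.allocate("subscriber-a")
        out.append(None if blk is None else (blk.ip, blk.start, blk.pool))
    return out


if __name__ == "__main__":
    print("APP mode:    ", demo(app_mode=True))
    print("non-APP mode:", demo(app_mode=False))
```

In APP mode the fourth request fails once the burst blocks on the subscriber's own address are gone, while in non-APP mode it is served from the other burst address; that difference is exactly the APP/non-APP distinction described above.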

Optimizing Source NAT Performance

Source NAT can be optimized based on functionality and performance needs.

Port Randomization Mode (Default)

For pool-based source NAT and interface NAT, port randomization mode is enabled and used by default.

In this mode, the device selects IP addresses on a round-robin basis, and the port selection is random. That is, when the device performs NAT translation it first chooses the IP address by round robin, then chooses the port used for that IP address by randomization.

Although randomized port number allocation can provide protection from security threats such as DNS poison attacks, it can also affect performance and memory usage due to the computations and NAT table resources involved.

Round-Robin Mode

A less resource-intensive NAT translation method involves using only the round-robin allocation method. Whereas randomization requires computational work for each assigned port, the round robin method simply selects ports sequentially.

In this mode, the device selects both IP addresses and ports on a round-robin basis. That is, when the device performs NAT translation it first chooses the IP address by round robin, then chooses the port used for that IP address by round robin.

For example, if the source pool contains only one IP address:

  • When the first packet of a flow arrives (creating a session), it is translated to IP1, port N. Subsequent packets in that flow are allocated to the same IP/port.

  • When the first packet of a new flow arrives, it is translated to IP1, port N+1, and so on.

If the source pool contains two IP addresses:

  • When the first packet of a flow arrives (creating a session), it is translated to IP1, port X. Subsequent packets in that flow are allocated to the same IP/port.

  • When the first packet of a second flow arrives, it is translated to IP2, port X.

  • When the first packet of a third flow arrives, it is translated to IP1, port X+1.

  • When the first packet of a fourth flow arrives, it is translated to IP2, port X+1, and so on.
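The round-robin sequence above, together with the pool types listed under Understanding Source NAT (randomized ports, round-robin ports, and IP address shifting), as an added Python model that is not part of this page or of Junos OS. The class names, sample flows and addresses are constructed; the model keeps a session table so that packets of an existing flow reuse their mapping, and returns None where the device would drop the packet (an exhausted port range, or a source outside a shifting pool's range).

```python
import ipaddress
import random


class RoundRobinPool:
    """Pool-based source NAT with PAT: IP chosen round-robin, port chosen round-robin."""

    def __init__(self, ips, port_start=1024, port_end=65535):
        self.ips = list(ips)
        self.port_start, self.port_end = port_start, port_end
        self.next_ip = 0
        self.next_port = {ip: port_start for ip in self.ips}  # per-address sequential cursor
        self.sessions = {}  # original 5-tuple -> (translated ip, translated port)

    def _pick_port(self, ip):
        port = self.next_port[ip]
        if port > self.port_end:
            return None  # simplified model: no port reuse once the range is consumed
        self.next_port[ip] = port + 1
        return port

    def translate(self, flow):
        """flow is the original 5-tuple; the first packet creates the session,
        later packets of the same flow reuse its mapping."""
        if flow in self.sessions:
            return self.sessions[flow]
        ip = self.ips[self.next_ip]
        self.next_ip = (self.next_ip + 1) % len(self.ips)
        port = self._pick_port(ip)
        if port is None:
            return None
        self.sessions[flow] = (ip, port)
        return self.sessions[flow]


class RandomizedPool(RoundRobinPool):
    """Default mode: IP round-robin, port drawn at random from that IP's free ports."""

    def __init__(self, ips, port_start=1024, port_end=65535, seed=None):
        super().__init__(ips, port_start, port_end)
        self.rng = random.Random(seed)
        self.free = {ip: list(range(port_start, port_end + 1)) for ip in self.ips}

    def _pick_port(self, ip):
        free = self.free[ip]
        if not free:
            return None
        i = self.rng.randrange(len(free))
        free[i], free[-1] = free[-1], free[i]  # O(1) removal of a random element
        return free.pop()


class ShiftingPool:
    """IP address shifting: one-to-one, static, no PAT. Sources beyond the pool
    range have no translation and are dropped (returned as None)."""

    def __init__(self, host_address_base, pool_start, pool_size):
        self.base = int(ipaddress.ip_address(host_address_base))
        self.pool_start = int(ipaddress.ip_address(pool_start))
        self.pool_size = pool_size

    def translate(self, src_ip, src_port):
        offset = int(ipaddress.ip_address(src_ip)) - self.base
        if not 0 <= offset < self.pool_size:
            return None
        return str(ipaddress.ip_address(self.pool_start + offset)), src_port


def flow(n):
    """Constructed sample flows: distinct client ports to one destination."""
    return ("192.168.1.10", 40000 + n, "198.51.100.5", 443, "tcp")


if __name__ == "__main__":
    rr = RoundRobinPool(["203.0.113.1", "203.0.113.2"], 1024, 1030)
    print([rr.translate(flow(i)) for i in range(1, 5)])  # IP1:1024, IP2:1024, IP1:1025, IP2:1025
    sh = ShiftingPool("192.168.1.0", "203.0.113.0", 4)
    print(sh.translate("192.168.1.2", 51000), sh.translate("192.168.1.4", 51000))
```

The two-address round-robin run reproduces the IP1:X, IP2:X, IP1:X+1, IP2:X+1 sequence from the text; the shifting pool shows the drop that occurs when the original source range is larger than the pool.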

Configuration

Round-robin mode is enabled by default; however, port randomization mode (also enabled by default) has higher priority. To use round-robin mode, disable the higher-priority port randomization mode as follows:

user@host# set security nat source port-randomization disable

To disable round-robin mode (and re-enable port randomization), delete the configuration statement, as follows:

user@host# delete security nat source port-randomization disable

Session Affinity Mode

Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, you can further improve NAT performance and throughput on SRX5000 line devices using “session affinity” mode.

With the modes noted above, a given session is processed by the inbound SPU based on a 5-tuple (source IP, dest IP, source port, dest port, protocol) hash. When NAT is involved, the 5-tuple hash will be different for the outbound part of the session vs. the return part of the session. Therefore, the outbound NAT session information may be located in one SPU, while the return (reverse) NAT session information may be located in another SPU. The goal of session affinity mode is to maintain the forwarding session information for both the outbound and return traffic on the same SPU.

In this mode, the device uses a “reverse NAT enhancement” translation algorithm for IP and port selection, to improve performance for NAT sessions and throughput. The NAT module attempts to select an IP address and port that can be used with the hash algorithm to ensure the selected SPU for the outbound and return flow elements can be identical.

Configuration

Session affinity mode is enabled by default; however, both port randomization and round-robin modes (also enabled by default) have higher priority. To use session affinity mode, disable both port randomization and round-robin modes as follows:

user@host# set security nat source port-randomization disable
user@host# set security nat source port-round-robin disable

To disable session affinity mode, and re-enable either round-robin or port randomization mode, delete one or both of the configuration statements, as follows:

user@host# delete security nat source port-round-robin disable
user@host# delete security nat source port-randomization disable

Usage Notes

Notes and guidelines for session affinity mode include:

  • Use large NAT port pools whenever possible (see Security Considerations below)

  • The algorithm chooses a port from within the configured port range. If no port is available, the NAT port will be allocated based on random selection.

  • Static NAT and destination NAT cannot use affinity mode.

Security Considerations

Although session affinity improves performance by consolidating forwarding sessions, it reduces security to some degree, because the algorithm selects the IP address and port by a predefined algorithm with specific parameters instead of by pure randomization. That said, there are typically multiple eligible ports for the algorithm to choose from, so some degree of randomization remains.

The best way to mitigate the security risk is to ensure the source port number used is less predictable. That is, the larger the NAT pool resource range from which ephemeral ports are selected, the smaller the chances of an attacker guessing the selected port number. Given this, it is recommended to configure large NAT port pools whenever possible.
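The reverse-wing hash problem and the port selection that session affinity performs, together with the pool-size recommendation above, as an added illustration that is not Juniper's algorithm: a CRC-32 of the packed 5-tuple stands in for the device's flow-distribution hash (an assumption, since the page does not describe the real hash), the allocator restricts itself to translated ports whose return traffic hashes to the same SPU as the outbound traffic, and port_predictability shows why a larger port range leaves more eligible ports and therefore a less predictable choice. The function names, addresses and port ranges are constructed.

```python
import ipaddress
import random
import struct
import zlib

IP_PROTO = {"tcp": 6, "udp": 17}


def spu_for(five_tuple, n_spus):
    """Toy stand-in for the flow-distribution hash: CRC-32 over the packed
    5-tuple, reduced modulo the SPU count. Assumption: the device's real hash
    is not described on the page; only the way it is used is modelled here."""
    src, sport, dst, dport, proto = five_tuple
    key = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed + struct.pack("!H", dport)
           + bytes([IP_PROTO[proto]]))
    return zlib.crc32(key) % n_spus


def reverse_wing(forward, nat_ip, nat_port):
    """5-tuple of the return traffic as the device sees it after source NAT."""
    src, sport, dst, dport, proto = forward
    return (dst, dport, nat_ip, nat_port, proto)


def eligible_ports(forward, nat_ip, port_range, n_spus):
    """Ports whose reverse wing lands on the same SPU as the forward wing."""
    target = spu_for(forward, n_spus)
    return [p for p in port_range
            if spu_for(reverse_wing(forward, nat_ip, p), n_spus) == target]


def select_nat_port(forward, nat_ip, port_range, n_spus, seed=None):
    """Session-affinity choice: a random pick among eligible ports; if none is
    left in the configured range, fall back to a plain random port, which is
    the fallback the usage notes describe. Returns (port, affinity_achieved)."""
    rng = random.Random(seed)
    candidates = eligible_ports(forward, nat_ip, port_range, n_spus)
    if candidates:
        return rng.choice(candidates), True
    return rng.choice(list(port_range)), False


def port_predictability(forward, nat_ip, port_range, n_spus):
    """Chance that a single guess of the translated port is right when the
    affinity constraint is known: 1 / (number of eligible ports). A larger
    port range gives more eligible ports and hence a smaller value."""
    n = len(eligible_ports(forward, nat_ip, port_range, n_spus))
    return 1.0 / (n if n else len(port_range))


if __name__ == "__main__":
    fwd = ("192.168.1.10", 40000, "198.51.100.5", 443, "tcp")  # constructed flow
    nat_ip = "203.0.113.200"
    for size in (64, 4096):
        rng = range(1024, 1024 + size)
        port, affine = select_nat_port(fwd, nat_ip, rng, 8, seed=1)
        print(size, port, affine, port_predictability(fwd, nat_ip, rng, 8))
```

Running the example with the two range sizes shows the trade-off the text describes: both choices keep forward and return wings on one SPU, but the 4096-port range leaves many more eligible ports than the 64-port range, so the chosen port is far less predictable.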

Monitoring Source NAT Information

Purpose

Display configured information about source Network Address Translation (NAT) rules, pools, persistent NAT, and paired addresses.

Action

Select Monitor>NAT>Source NAT in the J-Web user interface, or enter the following CLI commands:

  • show security nat source summary

  • show security nat source pool pool-name

  • show security nat source persistent-nat-table

  • show security nat source paired-address

Table 2 describes the available options for monitoring source NAT.

Table 2: Source NAT Monitoring Page

Rules

Field | Description | Action
Rule-set Name | Name of the rule set. | Select all rule sets or a specific rule set to display from the list.
Total rules | Number of rules configured. |
ID | Rule ID number. |
Name | Name of the rule. |
From | Name of the routing instance/zone/interface from which the packet flows. |
To | Name of the routing instance/zone/interface to which the packet flows. |
Source address range | Source IP address range in the source pool. |
Destination address range | Destination IP address range in the source pool. |
Source ports | Source port numbers. |
IP protocol | IP protocol. |
Action | Action taken for a packet that matches a rule. |
Persistent NAT type | Persistent NAT type. |
Inactivity timeout | Inactivity timeout interval for the persistent NAT binding. |
Alarm threshold | Utilization alarm threshold. |
Max session number | The maximum number of sessions. |
Sessions (Succ/Failed/Current) | Successful, failed, and current sessions. Succ: number of successful session installations after the NAT rule is matched. Failed: number of unsuccessful session installations after the NAT rule is matched. Current: number of sessions that reference the specified rule. |
Translation Hits | Number of times a translation in the translation table is used for a source NAT rule. |

Pools

Field | Description | Action
Pool Name | The names of the pools. | Select all pools or a specific pool to display from the list.
Total Pools | Total pools added. |
ID | ID of the pool. |
Name | Name of the source pool. |
Address range | IP address range in the source pool. |
Single/Twin ports | Number of allocated single and twin ports. |
Port | Source port number in the pool. |
Address assignment | Displays the type of address assignment. |
Alarm threshold | Utilization alarm threshold. |
Port overloading factor | Port overloading capacity. |
Routing instance | Name of the routing instance. |
Total addresses | Total IP address, IP address set, or address book entry. |
Host address base | Host base address of the original source IP address range. |
Translation hits | Number of times a translation in the translation table is used for source NAT. |
Top 10 Translation Hits: Graph | Displays the graph of top 10 translation hits. |

Persistent NAT

Persistent NAT table statistics

Field | Description | Action
binding total | Displays the total number of persistent NAT bindings for the FPC. |
binding in use | Number of persistent NAT bindings that are in use for the FPC. |
enode total | Total number of persistent NAT enodes for the FPC. |
enode in use | Number of persistent NAT enodes that are in use for the FPC. |

Persistent NAT table

Field | Description | Action
Source NAT pool | Name of the pool. | Select all pools or a specific pool to display from the list.
Internal IP | Internal IP address. | Select all IP addresses or a specific IP address to display from the list.
Internal port | Displays the internal ports configured in the system. | Select the port to display from the list.
Internal protocol | Internal protocols. | Select all protocols or a specific protocol to display from the list.
Internal IP | Internal transport IP address of the outgoing session from internal to external. |
Internal port | Internal transport port number of the outgoing session from internal to external. |
Internal protocol | Internal protocol of the outgoing session from internal to external. |
Reflective IP | Translated IP address of the source IP address. |
Reflective port | Displays the translated number of the port. |
Reflective protocol | Translated protocol. |
Source NAT pool | Name of the source NAT pool where persistent NAT is used. |
Type | Persistent NAT type. |
Left time/Conf time | Inactivity timeout period that remains and the configured timeout value. |
Current session num/Max session num | Number of current sessions associated with the persistent NAT binding and the maximum number of sessions. |
Source NAT rule | Name of the source NAT rule to which this persistent NAT binding applies. |

External node table

Field | Description | Action
Internal IP | Internal transport IP address of the outgoing session from internal to external. |
Internal port | Internal port number of the outgoing session from internal to external. |
External IP | External IP address of the outgoing session from internal to external. |
External port | External port of the outgoing session from internal to external. |
Zone | External zone of the outgoing session from internal to external. |

Paired Address

Field | Description | Action
Pool name | Name of the pool. | Select all pools or a specific pool to display from the list.
Specified Address | IP address. | Select all addresses, or select the internal or external IP address to display, and enter the IP address.
Pool name | Displays the selected pool or pools. |
Internal address | Displays the internal IP address. |
External address | Displays the external IP address. |

Resource Usage

Utilization for all source pools

Field | Description | Action
Pool name | Name of the pool. | To view additional usage information for Port Address Translation (PAT) pools, select a pool name. The information displays under Detail Port Utilization for Specified Pool.
Pool type | Pool type: PAT or Non-PAT. |
Port overloading factor | Port overloading capacity for PAT pools. |
Address | Addresses in the pool. |
Used | Number of used resources in the pool. For Non-PAT pools, the number of used IP addresses is displayed. For PAT pools, the number of used ports is displayed. |
Available | Number of available resources in the pool. For Non-PAT pools, the number of available IP addresses is displayed. For PAT pools, the number of available ports is displayed. |
Total | Number of used and available resources in the pool. For Non-PAT pools, the total number of used and available IP addresses is displayed. For PAT pools, the total number of used and available ports is displayed. |
Usage | Percent of resources used. For Non-PAT pools, the percent of IP addresses used is displayed. For PAT pools, the percent of ports, including single and twin ports, is displayed. |
Peak usage | Percent of resources used during the peak date and time. |

Detail Port Utilization for Specified Pool

Field | Description | Action
Address Name | IP addresses in the PAT pool. | Select the IP address for which you want to display detailed usage information.
Factor-Index | Index number. |
Port-range | Displays the number of ports allocated at a time. |
Used | Displays the number of used ports. |
Available | Displays the number of available ports. |
Total | Displays the number of used and available ports. |
Usage | Displays the percentage of ports used during the peak date and time. |

Source NAT Configuration Overview

The main configuration tasks for source NAT are as follows:

  1. Configure an address pool or an interface NAT mapping of private addresses to the public address of an egress interface.

    For an address pool, also do the following:

    1. Specify the name of the pool, the addresses or address ranges, the routing instance, and whether to perform port address translation (PAT).
    2. (Optional) Configure address pool options, such as overflow pool, IP address shifting, address sharing, address pooling, and pool utilization alarms.
    3. Configure NAT proxy ARP entries for IP addresses in the same subnet of the ingress interface.
  2. (Optional) Configure the persistent address.
  3. Configure source NAT rules that align with your network and security requirements.

Example: Configuring Source NAT for Egress Interface Translation

This example describes how to configure a source NAT mapping of private addresses to the public address of an egress interface.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 1, devices with private addresses in the trust zone access a public network through the egress interface ge-0/0/0. For packets that enter the Juniper Networks security device from the trust zone with a destination address in the untrust zone, the source IP address is translated to the IP address of the egress interface.

Note:

No source NAT pool is required for source NAT using an egress interface. Proxy ARP does not need to be configured for the egress interface.

Figure 1: Source NAT Egress Interface Translation

This example describes the following configurations:

  • Source NAT rule set rs1 with a rule r1 to match any packet from the trust zone to the untrust zone. For matching packets, the source address is translated to the IP address of the egress interface.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 then source-nat interface 
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT translation to an egress interface:

  1. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  2. Configure a rule that matches packets and translates the source address to the address of the egress interface.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat interface
    
  3. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Source NAT for Single Address Translation

This example describes how to configure a source NAT mapping of a single private address to a public address.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 2, a device with the private address 192.168.1.200 in the trust zone accesses a public network. For packets sent by the device to a destination address in the untrust zone, the Juniper Networks security device translates the source IP address to the public IP address 203.0.113.200/32.

Figure 2: Source NAT Single Address Translation

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address 203.0.113.200/32.

  • Source NAT rule set rs1 with rule r1 to match packets from the trust zone to the untrust zone with the source IP address 192.168.1.200/32. For matching packets, the source address is translated to the IP address in src-nat-pool-1 pool.

  • Proxy ARP for the address 203.0.113.200 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for that address.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.200/32
set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 192.168.1.200/32 
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT translation for a single IP address:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.200/32
    
  2. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  3. Configure a rule that matches packets and translates the source address to the address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 192.168.1.200/32
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  4. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.200
    
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.200/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 192.168.1.200/32;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            203.0.113.200/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.
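The check a practitioner actually wants from that command is whether each session's source was translated. The following added example (not code from the Juniper documentation) parses the session format Junos prints, which is the same layout shown in the MAP-E flow session output later on this page. Junos lists each session as a header line, an In wing (the packet as it entered the device) and an Out wing (the reverse direction, as the reply arrives); the translated source of a session is therefore the destination of its Out wing. The sample sessions are constructed: one host matches rule r1 and is translated to the pool address, the other is not matched by the /32 rule and leaves untranslated, which the `internet-access` policy (source-address any) still permits.

```python
"""Check from "show security flow session" output that source NAT was applied.

Added example; not code from the Juniper documentation. The translated source
of a session is the destination of its Out wing; a session whose In source
equals its Out destination left the device untranslated.
"""
import re

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^\s/]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^\s/]+)/(?P<dport>\d+);(?P<proto>\w+), Conn Tag: \S+, "
    r"If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")

# Constructed sample in the format Junos prints. 192.168.1.200 is matched by
# rule r1 and translated to the pool address (the port changes too, because a
# Junos source NAT pool does port translation unless "port no-translation" is
# set); 192.168.1.50 is not matched by the /32 rule and is forwarded as-is.
SAMPLE = """\
Session ID: 1001, Policy name: internet-access/5, Timeout: 1794, Valid
  In: 192.168.1.200/51234 --> 198.51.100.10/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 1536,
  Out: 198.51.100.10/443 --> 203.0.113.200/12187;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4096,

Session ID: 1002, Policy name: internet-access/5, Timeout: 58, Valid
  In: 192.168.1.50/40000 --> 198.51.100.10/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 64,
  Out: 198.51.100.10/53 --> 192.168.1.50/40000;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 128,
Total sessions: 2
"""


def parse_flow_sessions(text):
    """Return a list of sessions: dicts with 'sid', 'policy', 'state' and the
    parsed 'In' and 'Out' wings (each wing a dict of the regex groups)."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"sid": int(m["sid"]), "policy": m["policy"], "state": m["state"]}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current[m["dir"]] = m.groupdict()
    return sessions


def nat_report(sessions):
    """Split sessions into (translated, untranslated).

    Each entry is (sid, proto, original src, original port, egress src,
    egress port); for an untranslated session the last two repeat the first two.
    """
    translated, untranslated = [], []
    for s in sessions:
        if "In" not in s or "Out" not in s:
            continue  # entries without both wings cannot be judged
        orig = (s["In"]["src"], int(s["In"]["sport"]))
        egress = (s["Out"]["dst"], int(s["Out"]["dport"]))
        entry = (s["sid"], s["In"]["proto"], *orig, *egress)
        (translated if orig != egress else untranslated).append(entry)
    return translated, untranslated


if __name__ == "__main__":
    translated, untranslated = nat_report(parse_flow_sessions(SAMPLE))
    for e in translated:
        print("NAT   ", e)
    for e in untranslated:
        print("NO NAT", e)
```

Run it against saved `show security flow session` output instead of SAMPLE to list every session that left the untrust interface with a private source address; an untranslated session there means the NAT rule's match conditions are narrower than the security policy that permits the traffic.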

Example: Configure MAP-E on SRX Series Firewalls

Use this configuration example to configure Mapping of Address and Port with Encapsulation (MAP-E) functionality on SRX Series Firewalls.

Table 3: Readability Score and Time Estimates

  • Reading Time: Less than an hour

  • Configuration Time: Less than an hour

Example Prerequisites

Table 4: Hardware and Software Requirements

  • Hardware requirements: Juniper Networks® SRX1500 Firewall or lower-numbered device models, or Juniper Networks® vSRX Virtual Firewall (vSRX3.0)

  • Software requirements: Junos OS Release 19.4R1 or later.

Before You Begin

Table 5: Benefits, Resources, and Additional Information

Benefits

  • IPv4 to IPv6 migration: MAP-E supports IPv4 to IPv6 migration by allowing service providers to transport IPv4 packets across an IPv6 network. This is useful during transition periods when only the IPv6 network is available.

  • Address sharing: MAP-E enables the sharing of public IPv4 addresses among multiple CE devices. This helps in managing limited public IPv4 address pools.

Know more

  • Understanding Mapping of Address and Port with Encapsulation (MAP-E)

Hands-on experience

  • vLab Sandbox: NAT - Source & Destination

Learn more

  • Configuring MAP-E on NFX Series Devices

  • Understanding Mapping of Address and Port with Encapsulation (MAP-E)

  • Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services

Functional Overview

MAP-E transports IPv4 packets across an IPv6 network. A MAP-E network contains two types of devices:

  • MAP-E Customer Edge (CE): Dual-stacked CE devices that support both IPv4 and IPv6 and can also perform Network Address Port Translation (NAPT). A CE encapsulates the IPv4 traffic of the private hosts behind it and sends it across the IPv6-only domain to the BR.

  • MAP-E Border Relay (BR): A dual-stacked provider edge device with at least one IPv6 interface in the MAP domain and one IPv4 interface in the native IPv4 network. It decapsulates the IPv4 packets that CE devices send over the IPv6-only domain and forwards them to the IPv4 network, and encapsulates return traffic toward the CE.

Table 6 provides a quick summary of the configuration components deployed in this example.

Table 6: MAP-E Functional Overview

Technologies used

  • MAP-E—The dual stack MAP-E CE devices can execute NAPT. These devices make a connection to a MAP-E BR device through an IPv6-only MAP-E network domain. The dual stack MAP-E BR device maintains a connection with a public IPv4 network and an IPv6 MAP-E network.

  • Border Relay (BR)—MAP-E-enabled provider edge (PE) device in a MAP domain. A BR device has at least an IPv6-enabled interface and an IPv4 interface connected to the native IPv4 network.

  • MAP-E Customer Edge (CE)—MAP-E-enabled customer edge device in a MAP deployment.

  • MAP domain—One or more MAP-E CE devices and BR devices connected to the same virtual link.

  • Softwire—Tunnel between two IPv6 end-points to carry IPv4 packets or two IPv4 end-points to carry IPv6 packets.

Primary verification tasks

After completing the MAP-E configuration on an SRX Series Firewall, you can verify the status of the MAP-E configuration.

Topology Overview

This topology presents the configuration process for MAP-E CE functionality on SRX Series Firewall devices. The CE encapsulates IPv4 packets from its LAN in an IPv4-over-IPv6 tunnel (softwire) and sends them across the IPv6 access network to the BR, which decapsulates them and forwards them into the IPv4 network; return traffic takes the reverse path. A dual-stack MX Series device, connected to both a public IPv4 network and an IPv6 MAP-E network, serves as the MAP-E BR device.

Table 7: MAP-E Topology Overview

  • LAN end-point
    Role: End-user network devices.
    Function: Connects to the IPv4 network.

  • SRX Series Firewall (MAP-E CE)
    Role: Connects the BR router and end user network devices.
    Function: Supports connectivity to a large number of IPv4 subscribers over the ISP IPv6 access network.

  • BR router
    Role: Connects the IPv4 network and SRX Series Firewall device.
    Function: A BR device has at least an IPv6-enabled interface and an IPv4 interface connected to the native IPv4 network.

Topology Illustration

Figure 3: MAP-E Deployment on SRX Series Firewall

Step-By-Step Configuration on SRX Series Firewall as a MAP-E CE Device

  1. Configure security policies and zones for applying different security measures on IPv4-facing interfaces and IPv6-facing interfaces. The following configuration adds a LAN interface (ge-1/0/1) and a WAN interface on the service provider end (ge-1/0/2) into relevant security zones and configures a policy to permit all traffic between these zones. The configuration also adds the corresponding internal logical tunnel (lt) interface units into the security zones. Permitting all traffic and all host-inbound services on both zones keeps the example short; in production, restrict the policy to the traffic the MAP-E service needs and limit host-inbound-traffic on the service-provider-facing zone to the protocols and services the device must answer.
    user@srx# set security policies global policy my_ce match source-address any
    user@srx# set security policies global policy my_ce match destination-address any
    user@srx# set security policies global policy my_ce match application any 
    user@srx# set security policies global policy my_ce then permit
    user@srx# set security policies default-policy permit-all
    user@srx# set security zones security-zone v4zone host-inbound-traffic system-services all
    user@srx# set security zones security-zone v4zone host-inbound-traffic protocols all
    user@srx# set security zones security-zone v4zone interfaces ge-1/0/1.0
    user@srx# set security zones security-zone v4zone interfaces lt-1/0/0.1
    user@srx# set security zones security-zone v6zone host-inbound-traffic system-services all
    user@srx# set security zones security-zone v6zone host-inbound-traffic protocols all
    user@srx# set security zones security-zone v6zone interfaces ge-1/0/2.0
    user@srx# set security zones security-zone v6zone interfaces lt-1/0/0.2
  2. Configure interfaces to provide network connectivity and data flow. The following configuration assigns an IPv4 address on the LAN side and an IPv6 address on the WAN side. The MTU on the IPv6 side must be large enough to carry an IPv4 packet plus the 40-byte IPv6 header that MAP-E encapsulation adds; this example sets 9192, matching the mtu-v6 value configured on the BR.
    user@srx# set interfaces ge-1/0/1 unit 0 family inet address 10.10.10.1/24
    user@srx# set interfaces ge-1/0/2 mtu 9192
    user@srx# set interfaces ge-1/0/2 unit 0 family inet6 address 2001:db8:ffff::1/64
  3. Configure the logical tunnel interfaces. The logical tunnel interfaces act as internal endpoints to MAP-E encapsulator or decapsulator block in an SRX Series Firewall device. This separates the network traffic for IPv4 and IPv6. Here, lt-1/0/0 unit 1 terminates IPv4 traffic that is received on ge-1/0/1 and lt-1/0/0 unit 2 initiates IPv6 traffic to be sent out through ge-1/0/2. Then, lt-1/0/0 unit 2 terminates IPv6 traffic that is received on ge-1/0/2 and lt-1/0/0 unit 1 initiates IPv4 traffic to be sent out through ge-1/0/1.
    user@srx# set interfaces lt-1/0/0 mtu 9192
    user@srx# set interfaces lt-1/0/0 unit 1 encapsulation ethernet
    user@srx# set interfaces lt-1/0/0 unit 1 peer-unit 2
    user@srx# set interfaces lt-1/0/0 unit 1 family inet address 172.16.100.1/24
    user@srx# set interfaces lt-1/0/0 unit 1 family inet6 address 2001:db8:fffe::1/64
    user@srx# set interfaces lt-1/0/0 unit 2 encapsulation ethernet
    user@srx# set interfaces lt-1/0/0 unit 2 peer-unit 1
    user@srx# set interfaces lt-1/0/0 unit 2 family inet address 172.16.100.2/24
    user@srx# set interfaces lt-1/0/0 unit 2 family inet6 address 2001:db8:fffe::2/64
  4. Configure routing instances for the IPv4 and IPv6 network traffic domains:
    user@srx# set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 198.51.100.0/24 next-hop 172.16.100.2
    user@srx# set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 203.0.113.0/24 next-hop 172.16.100.2
    user@srx# set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 192.0.2.0/24 next-hop 172.16.100.2
    user@srx# set routing-instances v4_leg instance-type virtual-router
    user@srx# set routing-instances v4_leg interface lt-1/0/0.1
    user@srx# set routing-instances v4_leg interface ge-1/0/1.0
    user@srx# set routing-instances v6_leg routing-options rib v6_leg.inet.0 static route 10.10.10.0/24 next-hop 172.16.100.1
    user@srx# set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8::a/128 next-hop 2001:db8:ffff::9
    user@srx# set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2
    user@srx# set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8:0012:3400::/56 next-hop 2001:db8:fffe::1
    user@srx# set routing-instances v6_leg instance-type virtual-router
    user@srx# set routing-instances v6_leg interface lt-1/0/0.2
    user@srx# set routing-instances v6_leg interface ge-1/0/2.0
  5. Configure the MAP-E domain and its Basic Mapping Rule (BMR), which maps the end-user IPv6 prefix to the shared IPv4 address and port set. This example configures only a BMR; no Forwarding Mapping Rule (FMR) is configured.
    user@srx# set security softwires map-e mapce1 br-address 2001:db8::a/128
    user@srx# set security softwires map-e mapce1 end-user-prefix 2001:db8:0012:3400::/56
    user@srx# set security softwires map-e mapce1 rule bmr rule-type BMR
    user@srx# set security softwires map-e mapce1 rule bmr ipv4-prefix 192.0.2.0/24
    user@srx# set security softwires map-e mapce1 rule bmr ipv6-prefix 2001:db8::/40
    user@srx# set security softwires map-e mapce1 rule bmr ea-bits-length 16
    user@srx# set security softwires map-e mapce1 rule bmr psid-offset 6
    user@srx# set security softwires map-e mapce1 role CE
    user@srx# set security softwires map-e mapce1 version 3
  6. Configure source NAT rule and NAT pool:
    user@srx# set security nat source pool my_mape allocation-domain mapce1
    user@srx# set security nat source pool my_mape allocation-domain allocation-rule bmr
    user@srx# set security nat source rule-set mape from zone v4zone
    user@srx# set security nat source rule-set mape to interface lt-1/0/0.1
    user@srx# set security nat source rule-set mape to interface ge-1/0/1.0
    user@srx# set security nat source rule-set mape rule r1 match source-address 10.10.10.0/24
    user@srx# set security nat source rule-set mape rule r1 match destination-address 10.10.10.0/24
    user@srx# set security nat source rule-set mape rule r1 match destination-address 198.51.100.0/24
    user@srx# set security nat source rule-set mape rule r1 match destination-address 203.0.113.0/24
    user@srx# set security nat source rule-set mape rule r1 match destination-address 192.0.2.0/24
    user@srx# set security nat source rule-set mape rule r1 then source-nat pool my_mape
    user@srx# set security nat source rule-set mape rule r1 then source-nat pool persistent-nat permit any-remote-host
  7. Commit the configuration:
    user@srx# commit

Step-By-Step Configuration on MX Series Device as a BR Device

To configure an MX Series device as a BR device:

  1. Configure the service set for MAP-E on the MX Series device:
    user@host# set services service-set ss1 softwire-rules sw-rule1
    user@host# set services service-set ss1 next-hop-service inside-service-interface si-1/0/0.1
    user@host# set services service-set ss1 next-hop-service outside-service-interface si-1/0/0.2
  2. Configure the MAP-E softwire concentrator and associated parameters. This creates a tunnel between two IPv6 endpoints to carry IPv4 packets; or two IPv4 endpoints to carry IPv6 packets.
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 softwire-address 2001:db8::a
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 ipv4-prefix 192.0.2.0/24
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 mape-prefix 2001:db8::/40
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 ea-bits-len 16
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 psid-offset 6
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 psid-length 8
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 mtu-v6 9192
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 version-03
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 v4-reassembly
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 v6-reassembly
    user@host# set services softwire softwire-concentrator map-e mape-domain-1 disable-auto-route
  3. Configure a softwire rule to specify the direction of traffic to be tunneled and the MAP-E softwire concentrator to be used:
    user@host# set services softwire rule sw-rule1 match-direction input
    user@host# set services softwire rule sw-rule1 term t1 then map-e mape-domain-1
  4. Configure a service interface inside the dual-stack domain:
    user@host# set interfaces si-1/0/0 unit 1 family inet6
    user@host# set interfaces si-1/0/0 unit 1 service-domain inside
  5. Configure a service interface outside the dual-stack domain:
    user@host# set interfaces si-1/0/0 unit 2 family inet
    user@host# set interfaces si-1/0/0 unit 2 service-domain outside
  6. Configure the MTU on the BR interface:
    user@host# set interfaces ge-1/1/2 mtu 9192
  7. Configure the logical interfaces and assign the IPv4 and IPv6 addresses:
    user@host# set interfaces ge-1/1/2 unit 0 family inet6 address 2001:db8:ffff::9/64
    user@host# set interfaces ge-1/1/3 unit 0 family inet address 203.0.113.1/24
  8. Configure the routing instances:
    user@host# set routing-options rib inet6.0 static route 2001:db8::/40 next-hop si-1/0/0.1
    user@host# set routing-options rib inet6.0 static route 2001:db8:0012:3400::/56 next-hop 2001:db8:ffff::1
    user@host# set routing-options rib inet6.0 static route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2
    user@host# set routing-options static route 192.0.2.0/24 next-hop si-1/0/0.2
    user@host# set routing-options static route 198.51.100.0/24 next-hop si-1/0/0.2
    user@host# set routing-options static route 203.0.113.0/24 next-hop si-1/0/0.2
  9. Commit the configuration:
    user@host# commit

Verification

This section provides a list of show commands that you can use to verify the feature in this example.

You must establish an SSH session on end devices to generate CLI output.

Table 8: Verification Tasks

  • show security flow session: Verify the Flow Session

  • show security softwires map-e domain mapce1: Verify the MAP-E Domain

  • show security nat source rule all: Verify the NAT Source Rule

  • show security nat source pool all: Verify the NAT Source Pool

  • show security nat source summary: Verify the NAT Source Summary

  • show security nat source persistent-nat-table all: Verify the Persistent NAT Table

  • show services inline softwire statistics mape: Verify the Softwire Statistics on the MX Series Device

Verify the Flow Session

Purpose

Verify the packet flow session.

Action

From operational mode, enter the show security flow session command to view the packet flow.

user@srx> show security flow session
Session ID: 134218806, Policy name: my_ce/4, Timeout: 1800, Valid
  In: 10.10.10.2/57630 --> 203.0.113.2/22;tcp, Conn Tag: 0x0, If: ge-1/0/1.0, Pkts: 50, Bytes: 5797,
  Out: 203.0.113.2/22 --> 192.0.2.18/20691;tcp, Conn Tag: 0x0, If: lt-1/0/0.1, Pkts: 33, Bytes: 5697,

Session ID: 134218807, Policy name: my_ce/4, Timeout: 1800, Valid
  In: 2001:db8:12:3400:c0:2:1200:3400/1 --> 2001:db8::a/1;ipip, Conn Tag: 0x0, If: lt-1/0/0.2, Pkts: 50, Bytes: 7797,
  Out: 2001:db8::a/1 --> 2001:db8:12:3400:c0:2:1200:3400/1;ipip, Conn Tag: 0x0, If: ge-1/0/2.0, Pkts: 33, Bytes: 7017,
Total sessions: 2
Meaning

The output shows the two sessions that make up one MAP-E flow. The first is the IPv4 session from the LAN host: its source 10.10.10.2/57630 is translated to 192.0.2.18/20691, the MAP-E address and a port from pool my_mape, as the Out wing's destination shows. The second is the IPv4-in-IPv6 (ipip) softwire session that carries it from the CE's MAP-E IPv6 address 2001:db8:12:3400:c0:2:1200:3400 to the BR address 2001:db8::a. Both sessions are Valid, so the flow is up end to end.

Verify the MAP-E Domain

Purpose

Verify whether the IPv4 and IPv6 addresses are configured correctly.

Action

From operational mode, enter the show security softwires map-e domain mapce1 command to view the IPv4 and IPv6 addresses.

user@srx> show security softwires map-e domain mapce1
Role                  : CE
Version               : 3
Domain Name           : mapce1
BR Address            : 2001:db8::a/128
End User Ipv6 prefix  : 2001:db8:12:3400::/56
BMR Mapping Rule :
    Rule Name            : bmr
    Rule Ipv4 Prefix     : 192.0.2.0/24
    Rule Ipv6 Prefix     : 2001:db8::/40
    PSID offset          : 6
    PSID length          : 8
    EA bit length        : 16
    Port SetID           : 0x34
    MAP-E Ipv4 address   : 192.0.2.18/32
    MAP-E Ipv6 address   : 2001:db8:12:3400:c0:2:1200:3400

Meaning

The output shows the addresses the CE derived from the BMR. The 16 EA bits that follow the /40 rule prefix in the end-user prefix 2001:db8:12:3400::/56 are 0x1234: the first 8 complete the /24 IPv4 prefix (0x12 = 18, giving 192.0.2.18) and the remaining 8 form the PSID 0x34. With PSID offset 6 and PSID length 8, the CE may use only source ports whose bits 2 through 9 equal 0x34, and its MAP-E IPv6 address embeds that IPv4 address and PSID in the interface identifier.
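The arithmetic behind those values, as an added worked example that is not code from the Juniper documentation: it applies the BMR configured on mapce1 to the end-user prefix and reproduces the IPv4 address, PSID, IPv6 address and port 20691 seen in the outputs above, and the 252 usable ports that the later `show security nat source summary` output reports. The interface-identifier layout named `draft03` here is inferred from the address in the output above (8 zero bits, IPv4 address, 16-bit PSID, 8 zero bits), which is what Junos prints for version 3; the `rfc7597` layout is the one in RFC 7597. Only the Python standard library is used.

```python
"""MAP-E Basic Mapping Rule arithmetic for a CE.

Added worked example, not code from the Juniper documentation. From the BMR
parameters configured on mapce1 it derives the CE's shared IPv4 address, its
PSID, the source ports the CE may use, and its MAP-E IPv6 address, and shows
how a BR or an analyst can recover the PSID from a translated port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapeCe:
    ipv4: str       # shared public IPv4 address of this CE
    psid: int       # port-set identifier
    psid_len: int   # PSID length in bits
    ea_bits: int    # embedded-address bits taken from the end-user prefix
    ipv6: str       # MAP-E IPv6 address used as the softwire source


def derive_mape_ce(end_user_prefix, bmr_ipv6_prefix, bmr_ipv4_prefix,
                   ea_bits_length, iid_layout="draft03"):
    """Apply the BMR to an end-user IPv6 prefix.

    iid_layout "draft03" is the interface-identifier layout inferred from the
    address in the output above (8 zero bits | IPv4 | 16-bit PSID | 8 zero
    bits), which Junos prints for version 3; "rfc7597" is the layout in
    RFC 7597 (16 zero bits | IPv4 | 16-bit PSID).
    """
    eup = ipaddress.IPv6Network(end_user_prefix)
    v6p = ipaddress.IPv6Network(bmr_ipv6_prefix)
    v4p = ipaddress.IPv4Network(bmr_ipv4_prefix)
    if not eup.subnet_of(v6p):
        raise ValueError("end-user prefix is not inside the BMR IPv6 prefix")
    if v6p.prefixlen + ea_bits_length > eup.prefixlen:
        raise ValueError("EA bits extend past the end-user prefix")

    # The EA bits are the bits of the end-user prefix right after the rule prefix.
    eup_int = int(eup.network_address)
    shift = 128 - v6p.prefixlen - ea_bits_length
    ea_bits = (eup_int >> shift) & ((1 << ea_bits_length) - 1)

    # The leading EA bits complete the IPv4 address; the rest are the PSID.
    v4_suffix_len = 32 - v4p.prefixlen
    psid_len = ea_bits_length - v4_suffix_len
    if psid_len < 0:
        raise ValueError("EA bits too short to complete the IPv4 prefix")
    ipv4_int = int(v4p.network_address) | (ea_bits >> psid_len)
    psid = ea_bits & ((1 << psid_len) - 1)

    if iid_layout == "draft03":
        iid = (ipv4_int << 24) | (psid << 8)
    elif iid_layout == "rfc7597":
        iid = (ipv4_int << 16) | psid
    else:
        raise ValueError(f"unknown interface-identifier layout {iid_layout!r}")
    # The subnet-ID bits between the end-user prefix and the IID are zero.
    ipv6_int = ((eup_int >> 64) << 64) | iid
    return MapeCe(str(ipaddress.IPv4Address(ipv4_int)), psid, psid_len, ea_bits,
                  str(ipaddress.IPv6Address(ipv6_int)))


def port_set(psid, psid_offset, psid_len):
    """All source ports a CE with this PSID may use.

    A 16-bit port is A (psid_offset bits) | PSID (psid_len bits) | M (rest).
    With psid_offset > 0, A = 0 is excluded so that ports 0 .. 2^(16-offset)-1,
    the system ports, are never handed to any CE.
    """
    m = 16 - psid_offset - psid_len
    if m < 0:
        raise ValueError("PSID offset plus PSID length exceeds 16 bits")
    first_a = 1 if psid_offset > 0 else 0
    return [(a << (16 - psid_offset)) | (psid << m) | j
            for a in range(first_a, 1 << psid_offset)
            for j in range(1 << m)]


def psid_of_port(port, psid_offset, psid_len):
    """PSID embedded in a port, or None for ports in the excluded A = 0 range."""
    if psid_offset > 0 and (port >> (16 - psid_offset)) == 0:
        return None
    m = 16 - psid_offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


if __name__ == "__main__":
    ce = derive_mape_ce("2001:db8:0012:3400::/56", "2001:db8::/40",
                        "192.0.2.0/24", ea_bits_length=16)
    ports = port_set(ce.psid, psid_offset=6, psid_len=ce.psid_len)
    print(f"IPv4 {ce.ipv4}  PSID {ce.psid:#x}  IPv6 {ce.ipv6}")
    print(f"{len(ports)} usable ports, e.g. {ports[:4]} ... {ports[-1]}")
    print(f"port 20691 carries PSID {psid_of_port(20691, 6, ce.psid_len):#x}")
```

psid_of_port is the check a BR performs on decapsulated packets: the inner IPv4 source address and port must agree with the mapping derived from the outer IPv6 source, otherwise the packet is spoofed and dropped.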

Verify the NAT Source Rule

Purpose

View details of the NAT source rule.

Action

From operational mode, enter the show security nat source rule all command to view the NAT source rules.

user@srx> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 5/0
source NAT rule: r1                     
  Rule-set                   : mape
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : v4zone
  To interface               : lt-1/0/0.1
                             : ge-1/0/1.0
  Match
    Source addresses         : 10.10.10.0      - 10.10.10.255
    Destination addresses    : 10.10.10.0      - 10.10.10.255
                               198.51.100.0    - 198.51.100.255
                               203.0.113.0     - 203.0.113.255
                               192.0.2.0       - 192.0.2.255
  Action                        : my_mape
    Persistent NAT type         : any-remote-host
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 300
    Max session number          : 30
  Translation hits           : 1
    Successful sessions      : 1
    Failed sessions          : 0
  Number of sessions         : 1
Meaning

The output shows rule r1 in rule set mape with its match conditions and the my_mape pool action. Translation hits of 1 with one successful and no failed session confirms that traffic from 10.10.10.0/24 is matching the rule and being translated with a persistent any-remote-host binding.

Verify the NAT Source Pool

Purpose

View details of the NAT source pool.

Action

From operational mode, enter the show security nat source pool all command to view the NAT source pool.

user@srx> show security nat source pool all
Total pools: 1
Pool name          : my_mape
Pool id            : 4
Routing instance   : default
Host address base  : 0.0.0.0
Map-e domain name  : mapce1
Map-e rule name    : bmr
PSID offset        : 6
PSID length        : 8
PSID               : 0x34
Port overloading   : 1
Address assignment : no-paired
Total addresses    : 1
Translation hits   : 1
Address range                        Single Ports   Twin Ports
         192.0.2.18 - 192.0.2.18         1              0
Total used ports   :                     1              0
Meaning

The pool holds the single MAP-E IPv4 address 192.0.2.18, allocated from domain mapce1 rule bmr with PSID 0x34 (PSID offset 6, length 8); port overloading is on and one port is currently in use.

Verify the NAT Source Summary

Purpose

View the NAT source summary.

Action

From operational mode, enter the show security nat source summary command to view the NAT source details.

user@srx> show security nat source summary
Total port number usage for port translation pool: 252
Maximum port number for port translation pool: 134217728
Total pools: 1
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
my_mape              192.0.2.18-192.0.2.18    default              yes  1
 
Total rules: 1
Rule name : r1
    Rule set  : mape
    Action    : my_mape
    From      : v4zone                To : lt-1/0/0.1
Rule name : r1
                                      To : ge-1/0/1.0
Meaning

The sample output displays the configured NAT source details.

Verify the Persistent NAT Table

Purpose

View the persistent NAT table.

Action

From operational mode, enter the show security nat source persistent-nat-table all command to view the persistent NAT table.

user@srx> show security nat source persistent-nat-table all
Internal                        Reflective                  Source     Type             Left_time/  Curr_Sess_Num/  Source
In_IP          In_Port I_Proto Ref_IP          Ref_Port R_Proto NAT Pool                    Conf_time   Max_Sess_Num    NAT Rule
10.10.10.2      57630   tcp    192.0.2.18      20691     tcp      my_mape    any-remote-host     -/300      1/30          r1
Meaning

The entry shows the any-remote-host binding created by rule r1: internal 10.10.10.2 port 57630 is reflected as 192.0.2.18 port 20691 from pool my_mape, with a 300-second inactivity timeout and 1 of at most 30 sessions in use. Because the binding is any-remote-host, any external host may reach the internal host through that reflective address and port while the binding exists.

Verify the Softwire Statistics on the MX Series Device

Purpose

View the softwire statistics on the MX Series device.

Action

From operational mode, enter the show services inline softwire statistics mape command to view the softwire statistics on the MX Series device.

user@host> show services inline softwire statistics mape
Service PIC Name                                      si-1/0/0

Control Plane Statistics
     MAPE ICMPv6 echo requests to softwire concentrator          0
     MAPE ICMPv6 echo responses from softwire concentrator       0
     MAPE Dropped ICMPv6 packets to softwire concentrator        0

Data Plane Statistics (v6-to-v4)      Packets                  Bytes
     MAPE decaps                        15034                   1388760
     MAPE ICMP decap errors             0                       0
     MAPE decap spoof errors            0                       0
     MAPE v6 reassembled                0                       0
     MAPE dropped v6 fragments          0                       0
     MAPE v6 unsupp protocol drops      0                       0

Data Plane Statistics (v4-to-v6)      Packets                  Bytes
     MAPE encaps                        149544                  223527457
     MAPE ICMP encap errors             0                       0
     MAPE v6 mtu errors                 0                       0
     MAPE v4 reassembled                0                       0
     MAPE dropped v4 fragments          0                       0
Meaning

The counters show IPv4 packets being decapsulated from CE devices (v6-to-v4) and encapsulated toward them (v4-to-v6) on service PIC si-1/0/0, with no errors. Nonzero decap spoof errors would indicate encapsulated packets whose inner IPv4 source address or port does not match the mapping derived from their IPv6 source, which the BR drops; nonzero MTU or fragment errors would point to an IPv6 path MTU smaller than the configured mtu-v6.

Appendix 1: Set Commands on All Devices

Set command output on all devices.

Set Commands on MAP-E CE Device

set security policies global policy my_ce match source-address any
set security policies global policy my_ce match destination-address any
set security policies global policy my_ce match application any 
set security policies global policy my_ce then permit
set security policies default-policy permit-all
set security zones security-zone v4zone host-inbound-traffic system-services all
set security zones security-zone v4zone host-inbound-traffic protocols all
set security zones security-zone v4zone interfaces ge-1/0/1.0
set security zones security-zone v4zone interfaces lt-1/0/0.1
set security zones security-zone v6zone host-inbound-traffic system-services all
set security zones security-zone v6zone host-inbound-traffic protocols all
set security zones security-zone v6zone interfaces ge-1/0/2.0
set security zones security-zone v6zone interfaces lt-1/0/0.2
set interfaces ge-1/0/1 unit 0 family inet address 10.10.10.1/24
set interfaces ge-1/0/2 mtu 9192
set interfaces ge-1/0/2 unit 0 family inet6 address 2001:db8:ffff::1/64
set interfaces lt-1/0/0 mtu 9192
set interfaces lt-1/0/0 unit 1 encapsulation ethernet
set interfaces lt-1/0/0 unit 1 peer-unit 2
set interfaces lt-1/0/0 unit 1 family inet address 172.16.100.1/24
set interfaces lt-1/0/0 unit 1 family inet6 address 2001:db8:fffe::1/64
set interfaces lt-1/0/0 unit 2 encapsulation ethernet
set interfaces lt-1/0/0 unit 2 peer-unit 1
set interfaces lt-1/0/0 unit 2 family inet address 172.16.100.2/24
set interfaces lt-1/0/0 unit 2 family inet6 address 2001:db8:fffe::2/64
set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 198.51.100.0/24 next-hop 172.16.100.2
set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 203.0.113.0/24 next-hop 172.16.100.2
set routing-instances v4_leg routing-options rib v4_leg.inet.0 static route 192.0.2.0/24 next-hop 172.16.100.2
set routing-instances v4_leg instance-type virtual-router
set routing-instances v4_leg interface lt-1/0/0.1
set routing-instances v4_leg interface ge-1/0/1.0
set routing-instances v6_leg routing-options rib v6_leg.inet.0 static route 10.10.10.0/24 next-hop 172.16.100.1
set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8::a/128 next-hop 2001:db8:ffff::9
set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2
set routing-instances v6_leg routing-options rib v6_leg.inet6.0 static route 2001:db8:0012:3400::/56 next-hop 2001:db8:fffe::1
set routing-instances v6_leg instance-type virtual-router
set routing-instances v6_leg interface lt-1/0/0.2
set routing-instances v6_leg interface ge-1/0/2.0
set security softwires map-e mapce1 br-address 2001:db8::a/128
set security softwires map-e mapce1 end-user-prefix 2001:db8:0012:3400::/56
set security softwires map-e mapce1 rule bmr rule-type BMR
set security softwires map-e mapce1 rule bmr ipv4-prefix 192.0.2.0/24
set security softwires map-e mapce1 rule bmr ipv6-prefix 2001:db8::/40
set security softwires map-e mapce1 rule bmr ea-bits-length 16
set security softwires map-e mapce1 rule bmr psid-offset 6
set security softwires map-e mapce1 role CE
set security softwires map-e mapce1 version 3
set security nat source pool my_mape allocation-domain mapce1
set security nat source pool my_mape allocation-domain allocation-rule bmr
set security nat source rule-set mape from zone v4zone
set security nat source rule-set mape to interface lt-1/0/0.1
set security nat source rule-set mape to interface ge-1/0/1.0
set security nat source rule-set mape rule r1 match source-address 10.10.10.0/24
set security nat source rule-set mape rule r1 match destination-address 10.10.10.0/24
set security nat source rule-set mape rule r1 match destination-address 198.51.100.0/24
set security nat source rule-set mape rule r1 match destination-address 203.0.113.0/24
set security nat source rule-set mape rule r1 match destination-address 192.0.2.0/24
set security nat source rule-set mape rule r1 then source-nat pool my_mape
set security nat source rule-set mape rule r1 then source-nat pool persistent-nat permit any-remote-host

Set Commands on BR Device

set services service-set ss1 softwire-rules sw-rule1
set services service-set ss1 next-hop-service inside-service-interface si-1/0/0.1
set services service-set ss1 next-hop-service outside-service-interface si-1/0/0.2
set services softwire softwire-concentrator map-e mape-domain-1 softwire-address 2001:db8::a
set services softwire softwire-concentrator map-e mape-domain-1 ipv4-prefix 192.0.2.0/24
set services softwire softwire-concentrator map-e mape-domain-1 mape-prefix 2001:db8::/40
set services softwire softwire-concentrator map-e mape-domain-1 ea-bits-len 16
set services softwire softwire-concentrator map-e mape-domain-1 psid-offset 6
set services softwire softwire-concentrator map-e mape-domain-1 psid-length 8
set services softwire softwire-concentrator map-e mape-domain-1 mtu-v6 9192
set services softwire softwire-concentrator map-e mape-domain-1 version-03
set services softwire softwire-concentrator map-e mape-domain-1 v4-reassembly
set services softwire softwire-concentrator map-e mape-domain-1 v6-reassembly
set services softwire softwire-concentrator map-e mape-domain-1 disable-auto-route
set services softwire rule sw-rule1 match-direction input
set services softwire rule sw-rule1 term t1 then map-e mape-domain-1
set interfaces si-1/0/0 unit 1 family inet6
set interfaces si-1/0/0 unit 1 service-domain inside
set interfaces si-1/0/0 unit 2 family inet
set interfaces si-1/0/0 unit 2 service-domain outside
set interfaces ge-1/1/2 mtu 9192
set interfaces ge-1/1/2 unit 0 family inet6 address 2001:db8:ffff::9/64
set interfaces ge-1/1/3 unit 0 family inet address 203.0.113.1/24
set routing-options rib inet6.0 static route 2001:db8::/40 next-hop si-1/0/0.1
set routing-options rib inet6.0 static route 2001:db8:0012:3400::/56 next-hop 2001:db8:ffff::1
set routing-options rib inet6.0 static route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2
set routing-options static route 192.0.2.0/24 next-hop si-1/0/0.2
set routing-options static route 198.51.100.0/24 next-hop si-1/0/0.2
set routing-options static route 203.0.113.0/24 next-hop si-1/0/0.2

Appendix 2: Show Configuration Output on All Devices

Show command output on all devices.

Show Commands on MAP-E CE Device

From configuration mode, confirm your configuration by entering the show security policies, show security zones, show interfaces, show routing-instances, show security softwires, and show security nat source commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@srx# show security policies
global {
    policy my_ce {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}
user@srx# show security zones
security-zone v4zone {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-1/0/1.0;
        lt-1/0/0.1;
    }
}
security-zone v6zone {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-1/0/2.0;
        lt-1/0/0.2;
    }
}
user@srx# show interfaces
lt-1/0/0 {
    mtu 9192;
    unit 1 {
        encapsulation ethernet;
        peer-unit 2;
        family inet {
            address 172.16.100.1/24;
        }
        family inet6 {
            address 2001:db8:fffe::1/64;
        }
    }
    unit 2 {
        encapsulation ethernet;
        peer-unit 1;
        family inet {
            address 172.16.100.2/24;
        }
        family inet6 {
            address 2001:db8:fffe::2/64;
        }
    }
}
ge-1/0/1 {
    unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
ge-1/0/2 {
    mtu 9192;
    unit 0 {
        family inet6 {
            address 2001:db8:ffff::1/64;
        }
    }
}
user@srx# show routing-instances
v4_leg {
    instance-type virtual-router;
    routing-options {
        rib v4_leg.inet.0 {
            static {
                route 192.0.2.0/24 next-hop 172.16.100.2;
                route 198.51.100.0/24 next-hop 172.16.100.2;
                route 203.0.113.0/24 next-hop 172.16.100.2;
            }
        }
    }
    interface lt-1/0/0.1;
    interface ge-1/0/1.0;
}
v6_leg {
    instance-type virtual-router;
    routing-options {
        rib v6_leg.inet.0 {
            static {
                route 10.10.10.0/24 next-hop 172.16.100.1;
            }
        }
        rib v6_leg.inet6.0 {
            static {
                route 2001:db8::a/128 next-hop 2001:db8:ffff::9;
                route 2001:db8:0012:3400::/56 next-hop 2001:db8:fffe::1;
                route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2;
            }
        }
    }
    interface lt-1/0/0.2;
    interface ge-1/0/2.0;
}
user@srx# show security softwires
map-e mapce1 {
    br-address "$9$AodDuIEhSrlvWB1Yg4aiH.P5T/CEcyeWLz3EcyrvMaZGU.P"; ## SECRET-DATA
    end-user-prefix {
        2001:db8:0012:3400::/56;
    }
    rule bmr {
        rule-type BMR;
        ipv4-prefix "$9$WVnL-VJGDH.PY2P5z6CAvW8xdbwYgDikY2QF"; ## SECRET-DATA
        ipv6-prefix "$9$O4LbISrlKMWX7hcaZGDmPTz3np0rev87-hcs2g4ZG"; ## SECRET-DATA
        ea-bits-length 16; ## SECRET-DATA
        psid-offset "$9$y8NeLx"; ## SECRET-DATA
    }
    role CE;
    version 3;
}
user@srx# show security nat source
pool my_mape {
    allocation-domain mapce1 allocation-rule bmr;
}
rule-set mape {
    from zone v4zone;
    to interface [ lt-1/0/0.1 ge-1/0/1.0 ];
    rule r1 {
        match {
            source-address 10.10.10.0/24;
            destination-address [ 10.10.10.0/24 198.51.100.0/24 203.0.113.0/24 192.0.2.0/24 ];
        }
        then {
            source-nat {
                pool {
                    my_mape;
                    persistent-nat {
                        permit any-remote-host;
                    }
                }
            }
        }
    }
}

Show Commands on BR Device

From configuration mode, confirm your configuration by entering the show services, show interfaces, and show routing-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@router# show services
service-set ss1 {
    softwire-rules sw-rule1;
    next-hop-service {
        inside-service-interface si-1/0/0.1;
        outside-service-interface si-1/0/0.2;
    }
}
softwire {
    softwire-concentrator {
        map-e mape-domain-1 {
            softwire-address 2001:db8::a;
            ipv4-prefix 192.0.2.0/24;
            mape-prefix 2001:db8::/40;
            ea-bits-len 16;
            psid-offset 6;
            psid-length 8;
            mtu-v6 9192;
            version-03;
            v4-reassembly;
            v6-reassembly;
            disable-auto-route;
        }
    }
    rule sw-rule1 {
        match-direction input;
        term t1 {
            then {
                map-e mape-domain-1;
            }
        }
    }
}
user@router# show interfaces
lt-0/0/10 {
    unit 0 {
        encapsulation vlan-bridge;
        vlan-id 10;
        peer-unit 1;
    }
}
si-1/0/0 {
    unit 1 {
        family inet6;
        service-domain inside;
    }
    unit 2 {
        family inet;
        service-domain outside;
    }
}
ge-1/1/2 {
    mtu 9192;
    unit 0 {
        family inet6 {
            address 2001:db8:ffff::9/64;
        }
    }
}
ge-1/1/3 {
    unit 0 {
        family inet {
            address 203.0.113.1/24;
        }
    }
}
ge-1/3/11 {
    unit 0 {
        family inet {
            address 10.0.1.2/30;
        }
        family mpls;
    }
}
irb {
    unit 0 {
        family inet {
            address 192.0.2.1/24;
        }
    }
}
lo0 {
    apply-groups-except global;
    unit 0 {
        family inet {
            address 10.255.0.2/32;
        }
    }
}
user@router# show routing-options
rib inet6.0 {
    static {
        route 2001:db8::/40 next-hop si-1/0/0.1;
        route 2001:db8:0012:3400::/56 next-hop 2001:db8:ffff::1;
        route 2001:db8:0012:3500::/56 next-hop 2001:db8:ffff::2;
    }
}
router-id 10.255.0.2;
autonomous-system 100;
static {
    route 0.0.0.0/0 next-hop [ 10.102.70.254 10.10.0.0 ];
    route 192.0.2.0/24 next-hop si-1/0/0.2;
    route 198.51.100.0/24 next-hop si-1/0/0.2;
    route 203.0.113.0/24 next-hop si-1/0/0.2;
}
forwarding-table {
    chained-composite-next-hop {
        ingress {
            evpn;
        }
    }
}

Example: Configuring Source and Destination NAT Translations

This example describes how to configure both source and destination NAT mappings.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 4, the following translations are performed on the Juniper Networks security device:

  • The source IP address in packets sent by the device with the private address 192.168.1.200 in the trust zone to any address in the untrust zone is translated to a public address in the range from 203.0.113.10 through 203.0.113.14.

  • The destination IP address 203.0.113.100/32 in packets arriving from the untrust zone is translated to the address 10.1.1.200/32, which is in the trust zone.

Figure 4: Source and Destination NAT Translations

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.10 through 203.0.113.14.

  • Source NAT rule set rs1 with rule r1 to match any packets from the trust zone to the untrust zone. For matching packets, the source address is translated to an IP address in the src-nat-pool-1 pool.

  • Destination NAT pool dst-nat-pool-1 that contains the IP address 10.1.1.200/32.

  • Destination NAT rule set rs1 with rule r1 to match packets from the untrust zone with the destination IP address 203.0.113.100. For matching packets, the destination address is translated to the IP address in the dst-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.10 through 203.0.113.14 and 203.0.113.100/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policy to permit traffic from the trust zone to the untrust zone.

  • Security policy to permit traffic from the untrust zone to the translated destination IP addresses in the trust zone.
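The order in which the device applies these pieces is what makes the untrust-to-trust policy reference 10.1.1.200 rather than 203.0.113.100: destination NAT is evaluated first, the route lookup and the security policy then see the already-translated destination, and source NAT is applied last (the rule-processing order given under Understanding Source NAT Rules on this page). The Python model below is an added example, not Junos code or any part of the configuration in this guide. It walks the first packet of a session in each direction through that order using the addresses of this example; the zone-per-prefix table ROUTES, the outside host 198.51.100.5 and the choice of the first pool address for source NAT are assumptions.

```python
import ipaddress


def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


# Outcome of the route lookup: which zone a destination prefix is reached through.
# Assumed topology: the server subnet and the LAN sit in trust, everything else in untrust.
ROUTES = [("10.1.1.0/24", "trust"), ("192.168.1.0/24", "trust"), ("0.0.0.0/0", "untrust")]

# Destination NAT rule set rs1 of this example: from zone untrust, 203.0.113.100 -> 10.1.1.200
DNAT_RULES = [{"from_zone": "untrust", "dst": "203.0.113.100/32", "pool": "10.1.1.200"}]

# Source NAT rule set rs1 of this example: trust -> untrust, any -> any, pool src-nat-pool-1
SNAT_RULES = [{"from_zone": "trust", "to_zone": "untrust", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
               "pool": ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"]}]


def zone_for(addr):
    """First match is enough here because the default route is listed last."""
    for prefix, zone in ROUTES:
        if in_net(addr, prefix):
            return zone


def security_policies(address_book):
    """The two policies of this example; dst-nat-pool-1 resolves through the global address book."""
    return [
        {"from": "trust", "to": "untrust", "dst": "any"},
        {"from": "untrust", "to": "trust", "dst": address_book["dst-nat-pool-1"]},
    ]


def process(src, dst, in_zone, address_book=None):
    """Walk the first packet of a session through the stages in the order the device uses:
    destination NAT, route lookup, security policy, then source NAT. Returns the verdict,
    the addresses the packet leaves with, and a trace of what happened."""
    address_book = address_book or {"dst-nat-pool-1": "10.1.1.200/32"}
    trace = []
    for rule in DNAT_RULES:                                # 1. destination NAT
        if rule["from_zone"] == in_zone and in_net(dst, rule["dst"]):
            dst = rule["pool"]
            trace.append(f"destination-nat {dst}")
            break
    out_zone = zone_for(dst)                               # 2. route lookup on the translated dst
    trace.append(f"route {in_zone}->{out_zone}")
    permitted = any(                                       # 3. policy also sees the translated dst
        p["from"] == in_zone and p["to"] == out_zone and (p["dst"] == "any" or in_net(dst, p["dst"]))
        for p in security_policies(address_book))
    if not permitted:
        trace.append("policy deny")
        return {"verdict": "deny", "src": src, "dst": dst, "trace": trace}
    trace.append("policy permit")
    for rule in SNAT_RULES:                                # 4. source NAT comes last
        if (rule["from_zone"], rule["to_zone"]) == (in_zone, out_zone) \
                and in_net(src, rule["src"]) and in_net(dst, rule["dst"]):
            src = rule["pool"][0]   # first pool address; the device picks per session (assumption)
            trace.append(f"source-nat {src}")
            break
    return {"verdict": "permit", "src": src, "dst": dst, "trace": trace}


if __name__ == "__main__":
    # Constructed packets: an outside host 198.51.100.5 reaching the published address,
    # and the inside host 192.168.1.200 from the figure going out.
    print(process("198.51.100.5", "203.0.113.100", "untrust"))
    print(process("192.168.1.200", "198.51.100.5", "trust"))
    # The mistake this example avoids: a policy that names the pre-NAT address never matches.
    print(process("198.51.100.5", "203.0.113.100", "untrust", {"dst-nat-pool-1": "203.0.113.100/32"}))
```

The third call shows the failure mode: if the untrust-to-trust policy had been written against 203.0.113.100, the session would be denied, because by the time the policy is evaluated the destination is already 10.1.1.200.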

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.10/32 to 203.0.113.14/32
set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 
set security nat destination pool dst-nat-pool-1 address 10.1.1.200/32 
set security nat destination rule-set rs1 from zone untrust 
set security nat destination rule-set rs1 rule r1 match destination-address 203.0.113.100/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1 
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.14/32 
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.100/32 
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit
set security address-book global address dst-nat-pool-1 10.1.1.200/32 
set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match source-address any 
set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match destination-address dst-nat-pool-1 
set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access match application any 
set security policies from-zone untrust to-zone trust policy dst-nat-pool-1-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the source and destination NAT translations:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.10 to 203.0.113.14
    
  2. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  3. Configure a rule that matches packets and translates the source address to an address in the source NAT pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  4. Create a destination NAT pool.

    [edit security nat destination]
    user@host# set pool dst-nat-pool-1 address 10.1.1.200/32
    
  5. Create a destination NAT rule set.

    [edit security nat destination]
    user@host# set rule-set rs1 from zone untrust
    
  6. Configure a rule that matches packets and translates the destination address to the address in the destination NAT pool.

    [edit security nat destination]
    user@host# set rule-set rs1 rule r1 match destination-address 203.0.113.100/32
    user@host# set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
    
  7. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.10 to 203.0.113.14
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.100
    
  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
  9. Configure an address in the global address book.

    [edit security address-book global]
    user@host# set address dst-nat-pool-1 10.1.1.200/32 
    
  10. Configure a security policy that allows traffic from the untrust zone to the trust zone.

    [edit security policies from-zone untrust to-zone trust]
    user@host# set policy dst-nat-pool-1-access match source-address any destination-address dst-nat-pool-1 application any
    user@host# set policy dst-nat-pool-1-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.10/32 to 203.0.113.14/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
destination {
    pool dst-nat-pool-1 {
        address 10.1.1.200/32;
    }
    rule-set rs1 {
        from zone untrust;
        rule r1 {
            match {
                destination-address 203.0.113.100/32;
            }
            then {
                destination-nat pool dst-nat-pool-1;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            203.0.113.10/32 to 203.0.113.14/32;
            203.0.113.100/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy dst-nat-pool-1-access {
        match {
            source-address any;
            destination-address dst-nat-pool-1;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying Destination NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the destination NAT pool.

Action

From operational mode, enter the show security nat destination pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Destination NAT Rule Usage

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Rules

Source NAT rules specify two layers of match conditions:

  • Traffic direction—Allows you to specify combinations of from interface, from zone, or from routing-instance and to interface, to zone, or to routing-instance. You cannot configure the same from and to contexts for different rule sets.

  • Packet information—Can be source and destination IP addresses or subnets, source port numbers or port ranges, destination port numbers or port ranges, protocols, or applications.

For all ALG traffic, except FTP, we recommend that you not use the source-port rule option. Data session creation can fail if this option is used, because the data session's source port is chosen at random and might not match the rule.

In addition, we recommend that you not use the destination-port option or the application option as matching conditions for ALG traffic. If these options are used, translation may fail because the port value carried in the application payload might not match the port value in the packet's transport header.

If multiple source NAT rules overlap in the match conditions, the most specific rule is chosen. For example, if rules A and B specify the same source and destination IP addresses, but rule A specifies traffic from zone 1 to zone 2 and rule B specifies traffic from zone 1 to interface ge-0/0/0, rule B is used to perform source NAT. An interface match is considered to be more specific than a zone match, which is more specific than a routing instance match.

The actions you can specify for a source NAT rule are:

  • off—Do not perform source NAT.

  • pool—Use the specified user-defined address pool to perform source NAT.

  • interface—Use the egress interface’s IP address to perform source NAT.

Source NAT rules are applied to traffic in the first packet that is processed for the flow or in the fast path for the ALG. Source NAT rules are processed after static NAT rules, destination NAT rules, and reverse mapping of static NAT rules and after route and security policy lookup.

If a source NAT rule set is committed without its mandatory from statement (for example, no from zone is configured under the rule set), the commit fails with the message Missing mandatory statement: 'from' error: configuration check-out failed.

Example: Configuring Source NAT with Multiple Rules

This example describes how to configure source NAT mappings with multiple rules.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 5, the following source NAT translations are performed on the Juniper Networks security device for traffic from the trust zone to the untrust zone:

  • The source IP address in packets sent by the 10.1.1.0/24 and 10.1.2.0/24 subnets to any address in the untrust zone is translated to a public address in the range from 192.0.2.1 to 192.0.2.24 with port translation.

  • The source IP address in packets sent by the 192.168.1.0/24 subnet to any address in the untrust zone is translated to a public address in the range from 192.0.2.100 to 192.0.2.249 with no port translation.

  • The source IP address in packets sent by the 192.168.1.250/32 host device is not translated.

Figure 5: Source NAT with Multiple Translation Rules

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 192.0.2.1 through 192.0.2.24.

  • Source NAT pool src-nat-pool-2 that contains the IP address range 192.0.2.100 through 192.0.2.249, with port address translation disabled.

    Note:

    When port address translation is disabled, the number of translations that the source NAT pool can support concurrently is limited to the number of addresses in the pool, unless the address-shared option is enabled. Packets are dropped if there are no addresses available in the source NAT pool. You can optionally specify an overflow pool from which IP addresses and port numbers are allocated when there are no addresses available in the original source NAT pool.

  • Source NAT rule set rs1 to match packets from the trust zone to the untrust zone. Rule set rs1 contains multiple rules:

    • Rule r1 to match packets with a source IP address in either the 10.1.1.0/24 or 10.1.2.0/24 subnets. For matching packets, the source address is translated to an IP address in the src-nat-pool-1 pool.

    • Rule r2 to match packets with a source IP address of 192.168.1.250/32. For matching packets, there is no NAT translation performed.

    • Rule r3 to match packets with a source IP address in the 192.168.1.0/24 subnet. For matching packets, the source address is translated to an IP address in the src-nat-pool-2 pool.

      Note:

      The order of rules in a rule set is important, as the first rule in the rule set that matches the traffic is used. Therefore, rule r2, which matches the single host 192.168.1.250, must be placed before rule r3, which matches the 192.168.1.0/24 subnet that contains that host; otherwise r3 would match first and the host would be translated.

  • Proxy ARP for the addresses 192.0.2.1 through 192.0.2.24 and 192.0.2.100 through 192.0.2.249 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

On SRX4600 devices, if you name a source NAT rule or pool interface or service-set, you receive the error message syntax error, expecting <data>, because those names collide with keywords of the show security nat source commands:

  • If there is a source NAT rule named interface, the rule cannot be viewed using the show security nat source rule interface command.

  • If there is a source NAT rule named service-set, the rule cannot be viewed using the show security nat source rule service-set command.

  • If there is a source NAT pool named interface, the pool cannot be viewed using the show security nat source pool interface command.

  • If there is a source NAT pool named service-set, the pool cannot be viewed using the show security nat source pool service-set command.

  • If there is a source NAT pool named interface, the paired-address cannot be viewed using the show security nat source paired-address pool-name interface command.

  • If there is a source NAT pool named service-set, the paired-address cannot be viewed using the show security nat source paired-address pool-name service-set command.
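Two statements from Understanding Source NAT Rules and from the note on rule order above decide which source NAT rule is applied: among rule sets whose from and to contexts match the packet, the most specific one is chosen (interface over zone over routing instance), and within that rule set the rules are tried in configured order with the first match winning, which is why r2 must precede r3 in this example. The Python model below is an added example, not Junos code or anything from this guide. It encodes rule set rs1 of this example together with a hypothetical rule set rs-egress (its name, the use of ge-0/0/0.0 as egress interface, the destination 198.51.100.7 and the interface names of the constructed packets are assumptions), applies both behaviours, and rejects two rule sets with identical contexts, which the text says cannot be configured. The tie-break between mixed pairs such as zone/interface and interface/zone, and the absence of fallback to a less specific rule set when no rule matches, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

# Context specificity given in the text: interface > zone > routing-instance
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}


@dataclass
class Rule:
    name: str
    source_addresses: list          # prefixes in CIDR notation
    destination_addresses: list
    action: str                     # "off", "interface", or "pool:<pool name>"


@dataclass
class RuleSet:
    name: str
    frm: tuple                      # ("zone", "trust"), ("interface", "ge-0/0/0.0"), ("routing-instance", "inet.0")
    to: tuple
    rules: list = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    in_zone: str
    out_zone: str
    in_interface: str
    out_interface: str
    in_routing_instance: str = "inet.0"
    out_routing_instance: str = "inet.0"


def check_unique_contexts(rule_sets):
    """Two rule sets may not share the same from and to contexts."""
    seen = set()
    for rs in rule_sets:
        if (rs.frm, rs.to) in seen:
            raise ValueError(f"rule set {rs.name} repeats the context {rs.frm} -> {rs.to}")
        seen.add((rs.frm, rs.to))


def _context_matches(ctx, packet, side):
    kind, value = ctx
    return getattr(packet, side + "_" + kind.replace("-", "_")) == value


def select_rule_set(rule_sets, packet):
    """Choose the matching rule set with the most specific from/to contexts. Mixed pairs
    are ordered by the from context first (an assumption of this model)."""
    candidates = [rs for rs in rule_sets
                  if _context_matches(rs.frm, packet, "in") and _context_matches(rs.to, packet, "out")]
    if not candidates:
        return None
    return max(candidates, key=lambda rs: (SPECIFICITY[rs.frm[0]], SPECIFICITY[rs.to[0]]))


def _addr_in(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def lookup(rule_sets, packet):
    """Return (rule set, rule, action). Rules in the chosen rule set are tried in configured
    order and the first match wins; no match means no translation, with no fallback to a
    less specific rule set (assumption)."""
    check_unique_contexts(rule_sets)
    rs = select_rule_set(rule_sets, packet)
    if rs is None:
        return (None, None, "no-translation")
    for rule in rs.rules:
        if _addr_in(packet.src, rule.source_addresses) and _addr_in(packet.dst, rule.destination_addresses):
            return (rs.name, rule.name, rule.action)
    return (rs.name, None, "no-translation")


# Rule set rs1 as configured in this example
rs1 = RuleSet("rs1", ("zone", "trust"), ("zone", "untrust"), [
    Rule("r1", ["10.1.1.0/24", "10.1.2.0/24"], ["0.0.0.0/0"], "pool:src-nat-pool-1"),
    Rule("r2", ["192.168.1.250/32"], ["0.0.0.0/0"], "off"),
    Rule("r3", ["192.168.1.0/24"], ["0.0.0.0/0"], "pool:src-nat-pool-2"),
])

# Hypothetical rule set keyed on the egress interface, to show rule-set precedence
# (its name and the use of ge-0/0/0.0 as egress interface are assumptions)
rs_egress = RuleSet("rs-egress", ("zone", "trust"), ("interface", "ge-0/0/0.0"), [
    Rule("r1", ["0.0.0.0/0"], ["0.0.0.0/0"], "interface"),
])


def packet_from(src, out_interface="ge-0/0/1.0"):
    """Constructed trust-to-untrust packet; destination and interface names are sample values."""
    return Packet(src, "198.51.100.7", "trust", "untrust", "ge-0/0/2.0", out_interface)


if __name__ == "__main__":
    print(lookup([rs1], packet_from("192.168.1.250")))                           # r2: source-nat off
    swapped = RuleSet("rs1", rs1.frm, rs1.to, [rs1.rules[0], rs1.rules[2], rs1.rules[1]])
    print(lookup([swapped], packet_from("192.168.1.250")))                       # r3 shadows r2
    print(lookup([rs1, rs_egress], packet_from("192.168.1.250", "ge-0/0/0.0")))  # rs-egress wins
```

The swapped rule set reproduces the mistake the note warns about: with r3 ahead of r2, the host 192.168.1.250 is translated from src-nat-pool-2 instead of being exempted.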

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 192.0.2.1/32 to 192.0.2.24/32 
set security nat source pool src-nat-pool-2 address 192.0.2.100/32 to 192.0.2.249/32 
set security nat source pool src-nat-pool-2 port no-translation 
set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24 
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24 
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 
set security nat source rule-set rs1 rule r2 match source-address 192.168.1.250/32 
set security nat source rule-set rs1 rule r2 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r2 then source-nat off 
set security nat source rule-set rs1 rule r3 match source-address 192.168.1.0/24 
set security nat source rule-set rs1 rule r3 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r3 then source-nat pool src-nat-pool-2 
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.1/32 to 192.0.2.24/32 
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.100/32 to 192.0.2.249/32 
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure multiple source NAT rules in a rule set:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 192.0.2.1 to 192.0.2.24
    
  2. Create a source NAT pool with no port translation.

    [edit security nat source]
    user@host# set pool src-nat-pool-2 address 192.0.2.100 to 192.0.2.249
    user@host# set pool src-nat-pool-2 port no-translation
    
    Note:

    To configure an overflow pool for src-nat-pool-2 using the egress interface:

    [edit security nat source]
    user@host# set pool src-nat-pool-2 overflow-pool interface
    
  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  4. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address [10.1.1.0/24 10.1.2.0/24]
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  5. Configure a rule to match packets for which the source address is not translated.

    [edit security nat source]
    user@host# set rule-set rs1 rule r2 match source-address 192.168.1.250/32
    user@host# set rule-set rs1 rule r2 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r2 then source-nat off
    
  6. Configure a rule to match packets and translate the source address to an address in the pool with no port translation.

    [edit security nat source]
    user@host# set rule-set rs1 rule r3 match source-address 192.168.1.0/24
    user@host# set rule-set rs1 rule r3 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r3 then source-nat pool src-nat-pool-2
    
  7. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 192.0.2.1 to 192.0.2.24
    user@host# set proxy-arp interface ge-0/0/0.0 address 192.0.2.100 to 192.0.2.249
    
  8. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            192.0.2.1/32 to 192.0.2.24/32;
        }
    }
    pool src-nat-pool-2 {
        address {
            192.0.2.100/32 to 192.0.2.249/32;
        }
        port no-translation;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address [ 10.1.1.0/24 10.1.2.0/24 ];
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
        rule r2 {
            match {
                source-address 192.168.1.250/32;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule r3 {
            match {
                source-address 192.168.1.0/24;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-2;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            192.0.2.1/32 to 192.0.2.24/32;
            192.0.2.100/32 to 192.0.2.249/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Pools

A NAT pool is a user-defined set of IP addresses that are used for translation. Unlike static NAT, where there is a one-to-one mapping that includes destination IP address translation in one direction and source IP address translation in the reverse direction, with source NAT, you translate the original source IP address to an IP address in the address pool.

For source Network Address Translation (NAT) address pools, specify the following:

  • Name of the source NAT address pool.

  • Up to 64 address ranges.

    Note:

    Do not overlap NAT addresses for source NAT, destination NAT, and static NAT within one routing instance.

  • Routing instance—Routing instance to which the pool belongs (the default is the main inet.0 routing instance).

  • Port—The Port Address Translation (PAT) for a source pool. By default, PAT is performed with source NAT. If you specify the no-translation option, the number of hosts that the source NAT pool can support is limited to the number of addresses in the pool. If you specify block-allocation, a block of ports is allocated for translation, instead of individual ports being allocated. If you specify deterministic, a given internal (source) IP address and port always map to the same external address and port block, based on a predefined, deterministic NAT algorithm. If you specify port-overloading, you can configure the port overloading capacity in source NAT. If you specify range, you can provide the port number range attached to each address in the pool, and the twin port range for source NAT pools.

  • Overflow pool (optional)—Packets are dropped if there are no addresses available in the designated source NAT pool. To prevent that from happening when the port no-translation option is configured, you can specify an overflow pool. Once addresses from the original source NAT pool are exhausted, IP addresses and port numbers are allocated from the overflow pool. A user-defined source NAT pool or an egress interface can be used as the overflow pool. (When the overflow pool is used, the pool ID is returned with the address.)

  • IP address shifting (optional)—A range of original source IP addresses can be mapped to another range of IP addresses, or to a single IP address, by shifting the IP addresses. Specify the host-address-base option with the base address of the original source IP address range.

  • Address sharing (optional)—Multiple internal IP addresses can be mapped to the same external IP address. This option can be used only when the source NAT pool is configured with no port translation. Specify the address-shared option when a source NAT pool has few external IP addresses available, or only one external IP address. With a many-to-one mapping, this option makes better use of NAT resources and lets the pool translate traffic from more hosts than it has addresses.

  • Address pooling (optional)—Address pooling can be configured as paired or no-paired. Specify address-pooling paired for applications that require all sessions associated with one internal IP address to be mapped to the same external IP address for as long as those sessions last. This differs from the persistent-address option, in which the same internal address is translated to the same external address every time. Specify address-pooling no-paired for applications that can be assigned IP addresses in a round-robin fashion. If either address-pooling paired or address-pooling no-paired is configured for a source NAT pool with PAT, the persistent address option is disabled. If address-shared is configured on a source NAT pool without PAT, the persistent-address option is enabled. Both address-shared and address-pooling paired can be configured on the same source NAT pool without PAT.

  • Pool utilization alarm (optional)— When the raise-threshold option is configured for source NAT, an SNMP trap is triggered if the source NAT pool utilization rises above this threshold. If the optional clear-threshold option is configured, an SNMP trap is triggered if the source NAT pool utilization drops below this threshold. If clear-threshold is not configured, it is set by default to 80 percent of the raise-threshold value.

You can use the show security nat resource usage source pool command to view address use in a source NAT pool without PAT, and to view port use in a source NAT pool with PAT.

Understanding Source NAT Pool Capacities

Maximum capacities for source pools and IP addresses on SRX300, SRX320, SRX340, SRX345, and SRX650 devices are as follows:

Pool/PAT Maximum Address Capacity           SRX300, SRX320   SRX340, SRX345   SRX650
Source NAT pools                            1024             2048             1024
IP addresses supporting port translation    1024             2048             1024
PAT port number                             64M              64M              64M

Maximum capacities for source pools and IP addresses on SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices are as follows:

Pool/PAT Maximum Address Capacity           SRX1400, SRX1500   SRX3400, SRX3600   SRX4100, SRX4200   SRX5400, SRX5600, SRX5800
Source NAT pools                            8192               10,240             10,240             12,288
IP addresses supporting port translation    8192               12,288             12,288             1M
PAT port number                             256M               384M               384M               384M

Note:

In Release 12.3X48-D40, and in Release 15.1X49-D60 and later releases, you can increase the source NAT port capacity to 2.4G on SRX5400, SRX5600, and SRX5800 devices with next-generation Services Processing Cards (SPCs) by using the port-scaling-enlargement statement at the [edit security nat source] hierarchy level.

Note:

Platform support depends on the Junos OS release in your installation.

Increasing the total number of IP addresses used for source NAT, either by adding pools to the configuration or by increasing the number of IP addresses per pool, consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned: the number of ports for each IP address should be decreased as the number of IP addresses and source NAT pools increases, so that NAT does not consume too much memory.

For example, in a source NAT pool for SRX5000 devices, when the number of IP addresses supporting port translation reaches the limit of 1M, the total number of PAT ports is 64G, which exceeds the 384M limitation. This is because, by default, each IP address supports 64,512 ports. To ensure that PAT port numbers are within capacity, the port range for each IP needs to be configured to decrease the total number of PAT ports.

Use the range and range twin-port options at the [edit security nat source pool port] hierarchy level to assign a new port range or twin port range for a specific pool. Use the pool-default-port-range and the pool-default-twin-port-range options at the [edit security nat source] hierarchy level to specify the global default port range or twin port range for all source NAT pools.

Configuring port overloading should also be done carefully when source NAT pools are increased.

For a source pool with PAT in range (63,488 through 65,535), two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports (63,488 through 65,535) for ALG module use.

Understanding Persistent Addresses for Source NAT Pools

By default, port address translation is performed with source NAT. However, an original source address may not be translated to the same IP address for different traffic that originates from the same host. The source NAT address-persistent option ensures that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.

This option differs from the address-pooling paired option, where an internal address is mapped to an external address within the pool on a first-come, first-served basis for as long as the host has sessions; once those sessions end, the mapping is released and the host might be mapped to a different external address the next time it initiates a session.

Example: Configuring Capacity for Source NAT Pools with PAT

This example describes how to configure the capacity of source NAT pools with Port Address Translation (PAT) when the default port range is not set or you want to override it. The port range applies to each IP address in the pool. When the source pool is enlarged, the port range should be reassigned if the resulting port total would exceed the platform limit.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example shows how to configure a PAT pool of 2048 IP addresses with a range of 30,720 ports (2001 through 32720) for each IP address, for a total of 62,914,560 ports.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit security nat source]
set pool src-nat-pat-addr address 192.168.0.0/32 to 192.168.3.255/32
set pool src-nat-pat-addr address 192.168.4.0/32 to 192.168.7.255/32
set pool-default-port-range 2001 to 32720
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure capacity for a source NAT pool with PAT:

  1. Specify a source NAT pool with PAT and an IP address range.

    [edit security nat source]
    user@host# set pool src-nat-pat-addr address 192.168.0.0/32 to 192.168.3.255/32
    user@host# set pool src-nat-pat-addr address 192.168.4.0/32 to 192.168.7.255/32
    
  2. Specify a default port range for the source pool.

    [edit security nat source]
    user@host# set pool-default-port-range 2001 to 32720
    
Results

From configuration mode, confirm your configuration by entering the run show security nat source summary command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# run show security nat source summary
Total port number usage for port translation pool: 16515072
Maximum port number for port translation pool: 134217728
Total pools: 1

Pool                 Address                            Routing      PAT   Total
Name                 Range                              Instance           Address
pool2                203.0.113.1 - 203.0.113.3          default      yes   2048
pool1                198.51.100.0 - 198.51.100.255      default      yes   256

Total rules: 1
Rule name      Rule set      From           To             Action
rule 1         ruleset1      ge-2/2/2.0     ge-2/2/3.0     pool1
rule 1                       ge-2/2/4.0     ge-2/2/5.0

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Capacity of Source NAT Pools

Purpose

View port and pool information. Port limitations are automatically checked, so the configuration will not be committed if port limitations are exceeded.

Action

From operational mode, enter the show security nat source summary command to view port and pool details.
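
The following Python script is an added example, not part of this guide or of Junos OS, that works through the capacity arithmetic described in Understanding Source NAT Pool Capacities and applied in the example above: it counts the addresses in a pool's address ranges, multiplies by the per-address port range, and compares the result with the PAT port capacity from the tables. The platform keys in PAT_PORT_CAPACITY (one representative model per table column) and the function names are assumptions made for the example; the capacity figures and the default 64,512 ports per address come from the page.

```python
import ipaddress

# Per-address PAT port space described on this page: ports 1024-65535 are
# usable, of which 63488-65535 (2048 ports) are handed out in pairs for RTP/RTCP.
DEFAULT_PORT_RANGE = (1024, 65535)
TWIN_PORT_RANGE = (63488, 65535)
PORTS_PER_ADDRESS_DEFAULT = DEFAULT_PORT_RANGE[1] - DEFAULT_PORT_RANGE[0] + 1  # 64,512

# PAT port-number capacity from the tables above. Keys are one representative
# model per column (assumption for this example): SRX300 stands for the
# SRX300/320/340/345/650 column, SRX1500 for SRX1400/1500, and SRX5800 for
# SRX3400/3600/4100/4200/5400/5600/5800.
PAT_PORT_CAPACITY = {
    "SRX300": 64 * 2**20,     # 64M
    "SRX1500": 256 * 2**20,   # 256M
    "SRX5800": 384 * 2**20,   # 384M
}


def range_size(low, high):
    """Number of ports in an inclusive 'range LOW to HIGH' statement."""
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return high - low + 1


def count_addresses(*ranges):
    """Addresses covered by one or more 'address FIRST to LAST' pool statements."""
    total = 0
    for first, last in ranges:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if hi < lo:
            raise ValueError(f"range {first} to {last} is reversed")
        total += hi - lo + 1
    return total


def total_pat_ports(num_addresses, port_range=DEFAULT_PORT_RANGE):
    """Ports a PAT pool consumes: every address carries the full per-address range."""
    return num_addresses * range_size(*port_range)


def fits(num_addresses, platform, port_range=DEFAULT_PORT_RANGE):
    """True if the pool would pass the commit-time PAT capacity check."""
    return total_pat_ports(num_addresses, port_range) <= PAT_PORT_CAPACITY[platform]


def max_ports_per_address(num_addresses, platform):
    """Largest per-address range that keeps num_addresses within the platform cap."""
    return min(PORTS_PER_ADDRESS_DEFAULT, PAT_PORT_CAPACITY[platform] // num_addresses)


def suggested_range(num_addresses, platform, low=1024):
    """A 'pool-default-port-range LOW to HIGH' value that fits, starting at LOW."""
    n = max_ports_per_address(num_addresses, platform)
    if n < 1:
        raise ValueError("too many addresses for this platform even at one port each")
    return (low, min(65535, low + n - 1))


if __name__ == "__main__":
    # The pool from the example above: two ranges, 2048 addresses, range 2001-32720.
    n = count_addresses(("192.168.0.0", "192.168.3.255"), ("192.168.4.0", "192.168.7.255"))
    print(n, "addresses,", total_pat_ports(n, (2001, 32720)), "PAT ports")
    # The 1M-address case from the text: default range blows through 384M.
    print("1M addresses at default range fits SRX5800:", fits(2**20, "SRX5800"))
    print("largest fitting range:", suggested_range(2**20, "SRX5800"))
```

The check is the same one commit performs: a pool that exceeds the platform's PAT port capacity is rejected, so running the arithmetic beforehand tells you which pool-default-port-range or per-pool range to configure instead of discovering the limit at commit time.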

Understanding Source NAT Pools with Address Pooling

When a host initiates several sessions that match a policy that requires NAT, and is assigned an IP address from a source pool that has port address translation enabled, a different source IP address is used for each session.

Because some applications require the same source IP address for each session, you can use the address-pooling paired feature to enable all sessions associated with one internal IP address to map to the same external IP address for the duration of the sessions. When the sessions end, the mapping between the internal IP address and the external IP address ceases. The next time the host initiates a session, a different IP address from the pool might be assigned to it.

This differs from the source NAT address-persistent feature, which keeps the mapping static; the same internal IP address is mapped to the same external IP address every time. It also differs from the address-persistent feature in that address-pooling paired is configured for a specific pool. The address-persistent feature is a global configuration that applies to all source pools.

Understanding Source NAT Pools with Address Shifting

The match conditions for a source NAT rule set do not allow you to specify an address range; only address prefixes may be specified in a rule. When configuring a source NAT pool, you can specify the host-address-base option; this option specifies the IP address where the original source IP address range begins.

The range of original source IP addresses that are translated is determined by the number of addresses in the source NAT pool. For example, if the source NAT pool contains a range of ten IP addresses, then up to ten original source IP addresses can be translated, starting with a specified base address. This type of translation is one-to-one, static, and without port address translation.

The match condition in a source NAT rule may define a larger address range than that specified in the source NAT pool. For example, a match condition might specify an address prefix that contains 256 addresses, but the source NAT pool might contain a range of only a few IP addresses, or only one IP address. A packet’s source IP address can match a source NAT rule, but if the source IP address is not within the address range specified in the source NAT pool, the source IP address is not translated.

Example: Configuring Source NAT Pools with Address Shifting

This example describes how to configure a source NAT mapping of a private address range to public addresses, with optional address shifting. This mapping is one-to-one between the original source IP addresses and translated IP addresses.

Note:

The match conditions for a source NAT rule set do not allow you to specify an address range; only address prefixes may be specified in a rule. When configuring a source NAT pool, you can specify the host-address-base option; this option specifies the IP address where the original source IP address range begins, and disables port translation.

The range of original source IP addresses that are translated is determined by the number of addresses in the source NAT pool. For example, if the source NAT pool contains a range of ten IP addresses, then up to ten original source IP addresses can be translated, starting with a specified base address.

The match condition in a source NAT rule may define a larger address range than that specified in the source NAT pool. For example, a match condition might specify an address prefix that contains 256 addresses, but the source NAT pool contains a range of only ten IP addresses. A packet’s source IP address can match a source NAT rule, but if the source IP address is not within the address range specified in the source NAT pool, the source IP address is not translated.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 6, a range of private addresses in the trust zone is mapped to a range of public addresses in the untrust zone. For packets sent from the trust zone to the untrust zone, a source IP address in the range of 192.168.1.10/32 through 192.168.1.20/32 is translated to a public address in the range of 203.0.113.30/32 through 203.0.113.40/32.

Figure 6: Source NAT with Address Shifting

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.30/32 through 203.0.113.40/32. For this pool, the beginning of the original source IP address range is 192.168.1.10/32 and is specified with the host-address-base option.

  • Source NAT rule set rs1 with rule r1 to match packets from the trust zone to the untrust zone with a source IP address in the 192.168.1.0/24 subnet. For matching packets that fall within the source IP address range specified by the src-nat-pool-1 configuration, the source address is translated to the IP address in src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.30/32 through 203.0.113.40/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.30/32 to 203.0.113.40/32 
set security nat source pool src-nat-pool-1 host-address-base 192.168.1.10/32 
set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24 
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.30/32 to 203.0.113.40/32 
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping with address shifting:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.30/32 to 203.0.113.40/32
    
  2. Specify the beginning of the original source IP address range.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 host-address-base 192.168.1.10/32
    
  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  4. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 192.168.1.0/24
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  5. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.30/32 to 203.0.113.40/32
    
  6. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.30/32 to 203.0.113.40/32;
        }
        host-address-base 192.168.1.10/32;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 192.168.1.0/24;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            203.0.113.30/32 to 203.0.113.40/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.
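
As an added example (not code from this guide or from Junos OS), the following Python models the address-shifting behaviour described in Understanding Source NAT Pools with Address Shifting and configured in the example above: the pool's size fixes how many original addresses are shifted, a packet that matches the rule but falls outside that range is left untranslated, and a packet that misses the rule prefix is never considered for translation. The function and dictionary-key names are assumptions for the example; the addresses are those of the example.

```python
import ipaddress


def shift_pool(first, last, host_address_base):
    """Model 'pool P address FIRST to LAST' plus 'host-address-base BASE'.

    The number of translated addresses equals the number of pool addresses, so
    the original range is BASE .. BASE + size - 1.
    """
    x_first, x_last = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if x_last < x_first:
        raise ValueError("pool range end precedes start")
    o_first = int(ipaddress.ip_address(host_address_base))
    size = x_last - x_first + 1
    return {"orig_first": o_first, "orig_last": o_first + size - 1,
            "xlat_first": x_first, "size": size}


def translate_source(src, rule_match, pool):
    """Apply 'rule r1 match source-address RULE_MATCH then source-nat pool P'.

    Returns (address on the wire, outcome). Only addresses inside the pool's
    original range are shifted one-to-one; a matching address outside that
    range leaves the device with its source address unchanged.
    """
    ip = ipaddress.ip_address(src)
    if ip not in ipaddress.ip_network(rule_match, strict=False):
        return src, "no-match"                       # rule not hit at all
    n = int(ip)
    if not pool["orig_first"] <= n <= pool["orig_last"]:
        return src, "match-outside-pool-range"      # rule hit, nothing to shift to
    offset = n - pool["orig_first"]
    return str(ipaddress.ip_address(pool["xlat_first"] + offset)), "translated"


def mapping_table(pool):
    """Every static one-to-one pair the pool produces, as (original, translated)."""
    return [(str(ipaddress.ip_address(pool["orig_first"] + i)),
             str(ipaddress.ip_address(pool["xlat_first"] + i)))
            for i in range(pool["size"])]


if __name__ == "__main__":
    pool = shift_pool("203.0.113.30", "203.0.113.40", "192.168.1.10")
    for orig, xlat in mapping_table(pool):
        print(f"{orig:>16} -> {xlat}")
    # Inside the /24 that the rule matches, but past the end of the pool: untranslated.
    print(translate_source("192.168.1.21", "192.168.1.0/24", pool))
```

The "match-outside-pool-range" case is the one worth testing on a real device: the rule counter in show security nat source rule all increments for those packets, yet show security flow session shows them leaving with their private source address, which is exactly what the text above predicts for a rule prefix wider than the pool.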

Understanding Source NAT Pools with PAT

Using the source pool with Port Address Translation (PAT), Junos OS translates both the source IP address and the port number of the packets. When PAT is used, multiple hosts can share the same IP address.

Junos OS maintains a list of assigned port numbers to distinguish what session belongs to which host. When PAT is enabled, up to 63,488 hosts can share a single IP address. Each source pool can contain multiple IP addresses, multiple IP address ranges, or both. For a source pool with PAT, Junos OS may assign different addresses to a single host for different concurrent sessions, unless the source pool or Junos OS has the persistent address feature or the paired address pooling feature enabled.

For interface source pool and source pool with PAT, range (1024, 65535) is available for port number mapping per IP address. Within range (1024, 63487) one port is allocated at a time, for a total of 62,464 ports. In range (63488, 65535), two ports are allocated at a time for RTP/RTCP applications such as SIP, H.323, and RTSP, for a total of 2,048 ports.

When a host initiates several sessions that match a policy that requires network address translation and is assigned an address from a source pool that has PAT enabled, the device may assign a different source IP address for each session. Such varying address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session. For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messenger (AIM) client.

To ensure that the device assigns the same IP address from a source pool to a host for multiple concurrent sessions, you can enable a persistent IP address globally for the device. To ensure that the device assigns the same IP address from a source pool to a host for the duration of its sessions, you can enable paired address pooling on the pool.
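
The following Python is an added example, not code from this guide or from Junos OS, that contrasts the three behaviours described in Understanding Persistent Addresses for Source NAT Pools, Understanding Source NAT Pools with Address Pooling, and the section above: default address selection, address-pooling paired, and address-persistent, on top of a per-address port allocator that hands out single ports from 1024 through 63487 and pairs from 63488 through 65535 as the page describes. The class and mode names are assumptions; the round-robin choice of the next address is a simplification of the device's allocation, and address-persistent is modelled per pool only so the three modes can be compared side by side (in Junos it is a global setting).

```python
from collections import deque
import itertools

# Per-address port space from the page: single ports 1024-63487, pairs 63488-65535.
SINGLE_PORTS = range(1024, 63488)
TWIN_PORT_PAIRS = range(63488, 65536, 2)     # each entry p stands for the pair (p, p+1)


class PatPool:
    """Toy allocator for a source NAT pool with PAT (example code, not Junos).

    mode:
      "default"                - each new session takes the next address (round robin here)
      "address-pooling-paired" - a host keeps one external address while it has live sessions
      "address-persistent"     - a host keeps the same external address permanently
    """

    def __init__(self, addresses, mode="default"):
        self.mode = mode
        self.addresses = list(addresses)
        self.free = {a: (deque(SINGLE_PORTS), deque(TWIN_PORT_PAIRS)) for a in self.addresses}
        self._rr = itertools.cycle(self.addresses)
        self.persistent = {}    # host -> external address, never released
        self.paired = {}        # host -> [external address, live session count]
        self.sessions = {}      # session id -> (host, external address, ports)
        self._next_id = 1

    def _choose_address(self, host):
        if self.mode == "address-persistent":
            if host not in self.persistent:
                self.persistent[host] = next(self._rr)
            return self.persistent[host]
        if self.mode == "address-pooling-paired" and host in self.paired:
            return self.paired[host][0]
        return next(self._rr)

    def open_session(self, host, twin_port=False):
        """Allocate an external address and port(s) for a new session from host."""
        ext = self._choose_address(host)
        singles, pairs = self.free[ext]
        if twin_port:                      # RTP/RTCP via an ALG: two ports at once
            if not pairs:
                raise RuntimeError(f"{ext}: twin-port range exhausted")
            p = pairs.popleft()
            ports = (p, p + 1)
        else:
            if not singles:
                raise RuntimeError(f"{ext}: port range exhausted")
            ports = (singles.popleft(),)
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = (host, ext, ports)
        if self.mode == "address-pooling-paired":
            entry = self.paired.setdefault(host, [ext, 0])
            entry[1] += 1
        return sid, ext, ports

    def close_session(self, sid):
        host, ext, ports = self.sessions.pop(sid)
        singles, pairs = self.free[ext]
        (pairs if len(ports) == 2 else singles).append(ports[0])
        if self.mode == "address-pooling-paired":
            entry = self.paired[host]
            entry[1] -= 1
            if entry[1] == 0:              # mapping ceases once the last session ends
                del self.paired[host]


def address_sequence(mode, addresses=("203.0.113.1", "203.0.113.2")):
    """Open two concurrent sessions for one host, close both, open a third;
    return the external address used for each of the three sessions."""
    pool = PatPool(addresses, mode)
    host = "10.1.1.50"                       # constructed internal host
    s1, e1, _ = pool.open_session(host)
    s2, e2, _ = pool.open_session(host)
    pool.close_session(s1)
    pool.close_session(s2)
    _, e3, _ = pool.open_session(host)
    return [e1, e2, e3]


if __name__ == "__main__":
    for mode in ("default", "address-pooling-paired", "address-persistent"):
        print(f"{mode:24} {address_sequence(mode)}")
```

Running it shows the distinction the text draws: in default mode the two concurrent sessions already land on different addresses; with address-pooling paired they share one address but the third session, opened after the mapping was released, may land elsewhere; with address-persistent all three use the same address.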

Example: Configuring Source NAT for Multiple Addresses with PAT

This example describes how to configure a source NAT mapping of a private address block to a smaller public address block using port address translation.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 7, the source IP address in packets sent from the trust zone to the untrust zone is mapped to a smaller block of public addresses in the range from 203.0.113.1/32 through 203.0.113.24/32. Because the size of the source NAT address pool is smaller than the number of potential addresses that might need to be translated, port address translation is used.

Note:

Port address translation includes a source port number with the source IP address mapping. This allows multiple addresses on a private network to map to a smaller number of public IP addresses. Port address translation is enabled by default for source NAT pools.

Figure 7: Source NAT Multiple Addresses with PAT

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.1/32 through 203.0.113.24/32.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.1/32 through 203.0.113.24/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.1/32 to 203.0.113.24/32
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 10.1.1.0/24
set security nat source rule-set rs1 rule r1 match source-address 10.1.2.0/24
set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.1/32 to 203.0.113.24/32
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a smaller public address block using PAT:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.1 to 203.0.113.24
    
  2. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  3. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address [10.1.1.0/24 10.1.2.0/24 192.168.1.0/24]
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  4. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.1 to 203.0.113.24
    
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.1/32 to 203.0.113.24/32;
        }
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address [10.1.1.0/24 10.1.2.0/24 192.168.1.0/24];
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            203.0.113.1/32 to 203.0.113.24/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Source NAT Pools Without PAT

When you define a source pool, Junos OS enables PAT by default. To disable PAT, you must specify the port no-translation option when you define the source pool.

When using a source pool without PAT, Junos OS performs source Network Address Translation for the IP address without performing PAT for the source port number. For applications that require that a particular source port number remain fixed, you must use source pool without PAT.

The source pool can contain multiple IP addresses, multiple IP address ranges, or both. For source pool without PAT, Junos OS assigns one translated source address to the same host for all its concurrent sessions unless the address-pooling no-paired option is enabled.

The number of hosts that a source NAT pool without PAT can support is limited to the number of addresses in the pool. When you have a pool with a single IP address, only one host can be supported, and traffic from other hosts is blocked because there are no resources available. If a single IP address is configured for a source NAT pool without PAT when NAT resource assignment is not in active-backup mode in a chassis cluster, traffic through node 1 will be blocked.

Pool utilization for each source pool without PAT is computed. You can turn on the pool utilization alarm by configuring alarm thresholds. An SNMP trap is triggered each time pool utilization rises above the raise threshold and each time it falls below the clear threshold.

Note:

If a static NAT rule provides one-to-one IP translation, do not split it into a separate destination NAT rule and source NAT rule when the source NAT pool has no PAT and no address sharing. If you do split the rule, use either a source NAT pool with PAT and a single IP address, or a source NAT pool without PAT and multiple IP addresses.
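
The following Python is an added example, not code from this guide or from Junos OS, that models a source NAT pool configured with port no-translation as described in this section, together with the two options the page offers for the exhaustion case: address-shared (hosts share an external address as long as their source ports differ, since the port is carried through unchanged) and an overflow pool (allocation falls back to a second pool, here a stand-in that does PAT on a single address). The class names, the least-loaded address choice in shared mode, and the overflow stand-in are assumptions for the example; the addresses are constructed documentation addresses.

```python
class InterfaceOverflow:
    """Stand-in for an overflow pool that performs PAT on one address (example only)."""

    def __init__(self, address):
        self.address = address
        self._next_port = 1024

    def allocate(self, host, sport, proto="tcp"):
        port, self._next_port = self._next_port, self._next_port + 1
        return (self.address, port, "overflow")


class NoPatPool:
    """Toy allocator for a source NAT pool with 'port no-translation'.

    Without address-shared, one host owns one external address for all of its
    sessions, so the pool serves at most len(addresses) hosts and anything
    beyond that is dropped. With address-shared, hosts may share an address as
    long as their (protocol, source port) tuples differ, because the source
    port is not rewritten. If nothing is available and an overflow pool is
    configured, the allocation comes from the overflow pool instead.
    """

    def __init__(self, addresses, address_shared=False, overflow=None):
        self.addresses = list(addresses)
        self.address_shared = address_shared
        self.overflow = overflow
        self.host_map = {}                                  # host -> external address
        self.owner = {}                                     # external -> host (non-shared)
        self.in_use = {a: set() for a in self.addresses}    # external -> {(proto, sport)}

    def _pick(self, host):
        if not self.address_shared:
            for a in self.addresses:
                if a not in self.owner:
                    self.owner[a] = host
                    return a
            return None                                     # pool exhausted
        # address-shared: put the host on the least-loaded external address
        return min(self.addresses, key=lambda a: len(self.in_use[a]))

    def allocate(self, host, sport, proto="tcp"):
        """Return (external address, external port, source) or None if dropped."""
        ext = self.host_map.get(host) or self._pick(host)
        if ext is None:
            return self.overflow.allocate(host, sport, proto) if self.overflow else None
        if self.address_shared:
            if (proto, sport) in self.in_use[ext]:
                return None          # that source port is already mapped on this address
            self.in_use[ext].add((proto, sport))
        self.host_map[host] = ext
        return (ext, sport, "no-pat")                      # source port passes through

    def release(self, host, sport, proto="tcp"):
        ext = self.host_map.get(host)
        if ext is not None:
            self.in_use[ext].discard((proto, sport))


if __name__ == "__main__":
    plain = NoPatPool(["203.0.113.1", "203.0.113.2"])
    for h in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print("plain   ", h, plain.allocate(h, 40000))     # third host is dropped
    shared = NoPatPool(["203.0.113.1"], address_shared=True)
    print("shared  ", shared.allocate("192.0.2.10", 40000))
    print("shared  ", shared.allocate("192.0.2.11", 40001))
    print("shared  ", shared.allocate("192.0.2.12", 40000))  # port clash: dropped
    spill = NoPatPool(["203.0.113.1"], overflow=InterfaceOverflow("198.51.100.1"))
    print("overflow", spill.allocate("192.0.2.10", 40000))
    print("overflow", spill.allocate("192.0.2.11", 40000))   # served by the overflow pool
```

The port-clash case in shared mode is the practical caveat behind the note that address-shared works "as long as the traffic is from different source ports": two hosts that happen to pick the same ephemeral port cannot both be mapped to the same external address without PAT.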

Example: Configuring a Single IP Address in a Source NAT Pool Without PAT

This example describes how to map a private address block to a single public address in a source NAT pool without Port Address Translation.

Note:

PAT is enabled by default for source NAT pools. When PAT is disabled, the number of translations that the source NAT pool can concurrently support is limited to the number of addresses in the pool. Packets are dropped if there are no addresses available in the source NAT pool. However, using the address-shared option, you can map more than one private IP address to a single public IP address as long as the traffic is from different source ports.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. The source IP address of packets sent from the trust zone to the untrust zone is mapped to a single public address.

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address 203.0.113.1/30. The port no-translation option and the address-shared option are specified for the pool.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.1/30
set security nat source pool src-nat-pool-1 port no-translation
set security nat source pool src-nat-pool-1 address-shared
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 192.0.2.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security policies from-zone trust to-zone untrust policy internet-access match source-address any
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy internet-access match application any
set security policies from-zone trust to-zone untrust policy internet-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a single public address without PAT:

  1. Create a source NAT pool with a single IP address for the shared address.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.1/30
    

    Specify the port no-translation option.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 port no-translation
    
  2. Specify the address-shared option.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address-shared
    
  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  4. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 192.0.2.0/24
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  5. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.1/30;
        }
        port no-translation;
        address-shared;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 192.0.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Shared Address

Purpose

Verify that two internal IP addresses, with different source ports, share one external IP address.

Action

From operational mode, enter the show security nat source pool command. View the Address assignment field to verify that it is shared.

Verifying Shared Address Application to Traffic

Purpose

Verify that two sessions are using the same IP address.

Action

From operational mode, enter the show security flow session command.

Example: Configuring Multiple Addresses in a Source NAT Pool Without PAT

This example describes how to configure a source NAT mapping of a private address block to a smaller public address block without port address translation.

Note:

Port address translation is enabled by default for source NAT pools. When port address translation is disabled, the number of translations that the source NAT pool can concurrently support is limited to the number of addresses in the pool. Packets are dropped if there are no addresses available in the source NAT pool. You can optionally specify an overflow pool from which IP addresses and port numbers are allocated when there are no addresses available in the original source NAT pool.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces User Guide for Security Devices.

  2. Create security zones and assign interfaces to them. See Understanding Security Zones.

Overview

This example uses the trust security zone for the private address space and the untrust security zone for the public address space. In Figure 8, the source IP address in packets sent from the trust zone to the untrust zone is mapped to a smaller block of public addresses in the range from 203.0.113.1/32 through 203.0.113.24/32.

Figure 8: Source NAT Multiple Addresses Without PAT

This example describes the following configurations:

  • Source NAT pool src-nat-pool-1 that contains the IP address range 203.0.113.1/32 through 203.0.113.24/32. The port no-translation option is specified for the pool.

  • Source NAT rule set rs1 to match all packets from the trust zone to the untrust zone. For matching packets, the source IP address is translated to an IP address in the src-nat-pool-1 pool.

  • Proxy ARP for the addresses 203.0.113.1/32 through 203.0.113.24/32 on interface ge-0/0/0.0. This allows the Juniper Networks security device to respond to ARP requests received on the interface for those addresses.

  • Security policies to permit traffic from the trust zone to the untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security nat source pool src-nat-pool-1 address 203.0.113.1/32 to 203.0.113.24/32 
set security nat source pool src-nat-pool-1 port no-translation 
set security nat source rule-set rs1 from zone trust 
set security nat source rule-set rs1 to zone untrust 
set security nat source rule-set rs1 rule r1 match source-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0 
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1 
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.1/32 to 203.0.113.24/32 
set security policies from-zone trust to-zone untrust policy internet-access match source-address any 
set security policies from-zone trust to-zone untrust policy internet-access match destination-address any 
set security policies from-zone trust to-zone untrust policy internet-access match application any 
set security policies from-zone trust to-zone untrust policy internet-access then permit
Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT mapping from a private address block to a smaller public address block without PAT:

  1. Create a source NAT pool.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 address 203.0.113.1 to 203.0.113.24
    
  2. Specify the port no-translation option.

    [edit security nat source]
    user@host# set pool src-nat-pool-1 port no-translation
    
  3. Create a source NAT rule set.

    [edit security nat source]
    user@host# set rule-set rs1 from zone trust
    user@host# set rule-set rs1 to zone untrust
    
  4. Configure a rule that matches packets and translates the source address to an address in the pool.

    [edit security nat source]
    user@host# set rule-set rs1 rule r1 match source-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    user@host# set rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
    
  5. Configure proxy ARP.

    [edit security nat]
    user@host# set proxy-arp interface ge-0/0/0.0 address 203.0.113.1 to 203.0.113.24
    
  6. Configure a security policy that allows traffic from the trust zone to the untrust zone.

    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy internet-access match source-address any destination-address any application any
    user@host# set policy internet-access then permit
    
Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool src-nat-pool-1 {
        address {
            203.0.113.1/32 to 203.0.113.24/32;
        }
        port no-translation;
    }
    rule-set rs1 {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    pool {
                        src-nat-pool-1;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            203.0.113.1/32 to 203.0.113.24/32;
        }
    }
}
user@host# show security policies
from-zone trust to-zone untrust {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Source NAT Pool Usage

Purpose

Verify that there is traffic using IP addresses from the source NAT pool.

Action

From operational mode, enter the show security nat source pool all command. View the Translation hits field to check for traffic using IP addresses from the pool.

Verifying Source NAT Rule Usage

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. View the Translation hits field to check for traffic that matches the rule.

Verifying NAT Application to Traffic

Purpose

Verify that NAT is being applied to the specified traffic.

Action

From operational mode, enter the show security flow session command.

Understanding Shared Addresses in Source NAT Pools without PAT

Source NAT pools with no port address translation perform static, one-to-one mappings from one source IP address to one external IP address. When there is only one external IP address, or very few available in a source no-pat pool, the address-shared option enables you to map many source IP addresses to one external IP address as long as the traffic comes from different source ports.

For example, if there is a source NAT pool with no port translation containing only two IP addresses, IP 1 and IP 2, when a packet arrives from:

  1. Source IP 1, port 1, it is translated to IP 1, port 1.

  2. Source IP 2, port 2, it is translated to IP 2, port 2.

  3. Source IP 3, port 1, it is translated to IP 2, port 1. (It cannot be translated to IP 1, port 1 because that port is already in use.)

    However, if another packet arrives from Source IP 3, port 1 for a different destination IP address and port, it cannot be translated to IP 1, port 1 or IP 2, port 1 because port 1 is already in use on both available IP addresses. The session fails.

This option increases NAT resources and improves the possibility of setting up successful translated traffic. It cannot be used on source NAT pools with port address translation because address sharing is already their default behavior.
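The allocation walk-through above, replayed in Python as an added example (this is an illustration, not Junos OS code). The port-conflict rule and the failure case follow the text; the pool order and the round-robin starting point for each new allocation are assumptions of the model, and the same class also shows the default no-PAT behaviour without address-shared, where each host is pinned to one external address and the pool is exhausted after two hosts.

```python
"""Model of a Junos source NAT pool without PAT, with and without the
address-shared option. Added illustration, not Junos OS code; the
round-robin starting point is an assumption of the model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (source ip, source port, destination ip, destination port)
Flow = Tuple[str, int, str, int]
Translation = Tuple[str, int]   # (external ip, external port)


@dataclass
class NoPatPool:
    addresses: List[str]                 # external addresses, in pool order
    address_shared: bool = False
    cursor: int = 0                      # round-robin starting point (assumed)
    host_map: Dict[str, str] = field(default_factory=dict)         # host -> ext ip
    used_ports: Dict[str, Set[int]] = field(default_factory=dict)  # ext ip -> ports
    sessions: Dict[Flow, Translation] = field(default_factory=dict)

    def translate(self, flow: Flow) -> Optional[Translation]:
        """Return the (ip, port) the flow is translated to, or None if dropped."""
        if flow in self.sessions:        # existing session: reuse its binding
            return self.sessions[flow]
        src_ip, src_port, _, _ = flow
        result = (self._shared(src_port) if self.address_shared
                  else self._dedicated(src_ip, src_port))
        if result is not None:
            self.sessions[flow] = result
        return result

    def _dedicated(self, src_ip: str, src_port: int) -> Optional[Translation]:
        # Default no-PAT behaviour: one external address per host for all of
        # its concurrent sessions; the source port is never rewritten.
        if src_ip not in self.host_map:
            taken = set(self.host_map.values())
            free = [a for a in self.addresses if a not in taken]
            if not free:
                return None              # pool exhausted: packet dropped
            self.host_map[src_ip] = free[0]
        return (self.host_map[src_ip], src_port)

    def _shared(self, src_port: int) -> Optional[Translation]:
        # address-shared: the port is still preserved, so several hosts may
        # share one external address as long as their source ports differ.
        n = len(self.addresses)
        start, self.cursor = self.cursor, (self.cursor + 1) % n
        for i in range(n):
            addr = self.addresses[(start + i) % n]
            ports = self.used_ports.setdefault(addr, set())
            if src_port not in ports:
                ports.add(src_port)
                return (addr, src_port)
        return None                      # port busy on every address: session fails


def walkthrough() -> List[Optional[Translation]]:
    """Replay the four packets from the text against a two-address shared pool."""
    pool = NoPatPool(["IP1", "IP2"], address_shared=True)
    packets: List[Flow] = [
        ("Source IP 1", 1, "dst-A", 80),
        ("Source IP 2", 2, "dst-A", 80),
        ("Source IP 3", 1, "dst-A", 80),
        ("Source IP 3", 1, "dst-B", 443),   # same source, different destination
    ]
    return [pool.translate(p) for p in packets]
```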

Understanding NAT Session Persistence

Network Address Translation (NAT) session persistence provides a means to retain existing sessions, instead of clearing them, when the NAT configuration changes. If session persistence is enabled, the retained sessions continue to process and forward packets, and the time and resources that would otherwise be spent rebuilding the affected sessions are saved. Thus, packet forwarding does not stop even if the NAT configuration changes for some or all sessions.

From Junos OS Release 18.3R1 onward, with the support for NAT session persistence, the Packet Forwarding Engine scans the sessions and decides whether to keep the sessions or clear the sessions. In releases before Junos OS Release 18.3R1, the NAT sessions are cleared if there is a change in the NAT configuration.

The Packet Forwarding Engine performs the following two types of scans to decide whether to retain or drop sessions:

  • Source NAT pool session persistence scan—The Packet Forwarding Engine compares the IP address of each existing session with the source pool address range. If the session IP address is in the specified source pool address range, the session is kept alive; otherwise, the session is cleared.

  • Source NAT rule session persistence scan—The Packet Forwarding Engine uses the rule ID to compare the source IP address, source port, destination IP address, and destination port between the old and new configurations. If the new and old configurations are the same, then the session is kept alive, otherwise the session is cleared.
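The two scans as a decision procedure, written in Python as an added example (not Junos OS code). The session and rule records are assumptions of the model, as is the combination rule that a session survives only if both scans keep it; the range check on session-drop-hold-down uses the limits given below.

```python
"""Model of the two NAT session persistence scans described above. Added
example, not Junos OS code: the session and rule records are assumptions,
and a session is assumed to survive only if both scans keep it."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RuleMatch:
    """Match conditions of a source NAT rule (looked up by rule ID)."""
    source_net: str
    destination_net: str
    source_ports: Tuple[int, int]
    destination_ports: Tuple[int, int]


@dataclass(frozen=True)
class Session:
    rule_id: int
    translated_ip: str   # source address the session took from the PAT pool


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def pool_scan(sessions: List[Session], pool_first: str, pool_last: str) -> List[Session]:
    """Source NAT pool scan: keep a session only if its translated address
    lies inside the (possibly changed) pool address range."""
    lo, hi = _ip(pool_first), _ip(pool_last)
    if hi < lo:
        raise ValueError("pool range end precedes its start")
    return [s for s in sessions if lo <= _ip(s.translated_ip) <= hi]


def rule_scan(sessions: List[Session], old_rules: Dict[int, RuleMatch],
              new_rules: Dict[int, RuleMatch]) -> List[Session]:
    """Source NAT rule scan: keep a session only if the rule with its ID has
    identical match conditions in the old and new configuration; a deleted
    or modified rule clears its sessions."""
    return [s for s in sessions
            if s.rule_id in old_rules
            and old_rules[s.rule_id] == new_rules.get(s.rule_id)]


def persistence_scan(sessions: List[Session], pool_first: str, pool_last: str,
                     old_rules: Dict[int, RuleMatch],
                     new_rules: Dict[int, RuleMatch]) -> Tuple[List[Session], List[Session]]:
    """Run both scans; return (kept, cleared) in the original session order."""
    survivors = set(pool_scan(sessions, pool_first, pool_last)) & set(
        rule_scan(sessions, old_rules, new_rules))
    kept = [s for s in sessions if s in survivors]
    cleared = [s for s in sessions if s not in survivors]
    return kept, cleared


def valid_hold_down(seconds: int) -> bool:
    """session-drop-hold-down accepts 30 through 28,800 seconds (eight hours)."""
    return 30 <= seconds <= 28800
```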

Note:
  • NAT session persistence is not supported for static NAT and destination NAT.

  • NAT session persistence is not supported if the PAT pool is configured with the address persistent, address pooling paired, source address-persistent, port block allocation, port deterministic, persistent nat, and port overloading factor fields.

NAT session persistence is supported only for source NAT in the following scenarios:

  • Source pool—Change in an address range in a Port Address Translation (PAT) pool.

  • Source rule—Change in match conditions for the address book, application, destination IP address, destination port, source IP address, and source port information.

To enable the NAT session persistence scanning, include the session-persistence-scan statement at the [edit security nat source] hierarchy level.

You can also configure a timeout value to retain the sessions for the specified time period by using the set security nat source session-drop-hold-down CLI command. The value of the session-drop-hold-down option ranges from 30 through 28,800 seconds (eight hours). The session expires after the configured timeout period.

Limitations of NAT Session Persistence

  • When the IP addresses in the NAT source pool change, the newly configured IP addresses are appended to the NAT source pool. After the NAT source pool is rebuilt, the new IP addresses differ from the existing IP addresses, and this difference affects the round-robin mode of picking IP addresses from the NAT source pool.

  • If the scan types identify sessions that will never be timed out (that is, the sessions for which the session-drop-hold-down value is not configured or is configured as 8 hours), then the Packet Forwarding Engine ignores those sessions, and the sessions are retained.

Configure Port Block Allocation Size

You can configure secured port block allocation, which allocates blocks of ports to a NAT subscriber. With port block allocation, the device generates one syslog message per block of ports allocated to a subscriber. Use this procedure to configure the port block allocation size.

  1. Configure the IPv4 addresses.
    user@host# set security nat source pool root_src_v4_pat address 200.0.0.1/32 to 200.16.0.0/32
    
  2. Configure the starting and ending port value.
    user@host# set security nat source pool root_src_v4_pat port range 61044
    user@host# set security nat source pool root_src_v4_pat port range to 63500
    
  3. Configure the port block allocation size.
    user@host# set security nat source pool root_src_v4_pat port block-allocation block-size 8
    

    If you configure a port block allocation size smaller than 8 on SRX5400, SRX5600, and SRX5800 devices, the system displays the warning message "warning: To save system memory, the block size is recommended to be no less than 8."

    Starting in Junos OS Release 20.3R1, you can configure the port block allocation size on SRX300, SRX320, SRX340, SRX345, SRX380, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 devices. To save system memory, the recommended port block allocation size is 64. If you configure a port block allocation size smaller than 64, the system displays the warning message "warning: To save system memory, the block size is recommended to be no less than 64."

  4. Configure the interim log interval time.
    user@host# set security nat source pool root_src_v4_pat port block-allocation interim-logging-interval 1800
    
  5. Configure the last port block timeout value.
    user@host# set security nat source pool root_src_v4_pat port block-allocation last-block-recycle-timeout 120
    
  6. Commit the configuration.
    user@host# commit
    2020-05-14 19:56:33.758167 CST: Running FIPS Self-tests 
    Veriexec is not enforced, FIPS mode not available 
    2020-05-14 19:56:33.771303 CST: FIPS Self-tests Skipped 
    commit complete
    
  7. Verify the output value for configured block-size.
    user@host# run show security nat source pool all

    Total pools: 1
    Pool name          : root_src_v4_pat
    Pool id            : 4
    Routing instance   : default
    Port               : [61044, 63500]
    Port overloading   : 1
    Address assignment : no-paired
    Total addresses    : 1048576
    Translation hits   : 0
    Port block size      : 8
    Max blocks per host  : 8
    Active block timeout : 0
    Last block recycle timeout : 0
    Interim logging interval   : 0
    PBA block log         : Enable
    Used/total port blocks: 0/321912832
    Address range                        Single Ports   Twin Ports 
              200.0.0.1 - 200.16.0.0         0              0    
    Total used ports   :                     0              0  
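A capacity check for the pool configured in this procedure, added here as an example (not Junos OS code). It recomputes the Total addresses and total port blocks counters reported by show security nat source pool all from the address range, port range and block size, shows the subscriber capacity that follows from them, and reproduces the undersized-block warning quoted above; the platform keys in the table are labels chosen for this example.

```python
"""Capacity check for the port block allocation pool configured above. Added
example, not Junos OS code; it recomputes the 'Total addresses' and total
port-block counters that 'show security nat source pool all' reported."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimum block size recommended by the warnings quoted above, by platform
# family; the keys are labels chosen for this example.
RECOMMENDED_MIN_BLOCK = {
    "srx5000": 8,    # SRX5400, SRX5600, SRX5800
    "branch": 64,    # SRX300 series, SRX550HM, SRX1500, SRX4100/4200/4600
}


@dataclass(frozen=True)
class PbaPool:
    first_address: str
    last_address: str
    port_low: int
    port_high: int
    block_size: int
    max_blocks_per_host: int = 8     # value reported for the pool above

    def __post_init__(self) -> None:
        if not 1 <= self.port_low <= self.port_high <= 65535:
            raise ValueError("invalid port range")
        if self.block_size < 1 or self.max_blocks_per_host < 1:
            raise ValueError("block size and max blocks per host must be positive")

    def address_count(self) -> int:
        lo = int(ipaddress.IPv4Address(self.first_address))
        hi = int(ipaddress.IPv4Address(self.last_address))
        if hi < lo:
            raise ValueError("address range end precedes its start")
        return hi - lo + 1

    def ports_per_address(self) -> int:
        return self.port_high - self.port_low + 1

    def blocks_per_address(self) -> int:
        # Only whole blocks are allocatable; a partial trailing block is wasted.
        return self.ports_per_address() // self.block_size

    def wasted_ports_per_address(self) -> int:
        return self.ports_per_address() % self.block_size

    def total_blocks(self) -> int:
        return self.address_count() * self.blocks_per_address()

    def subscriber_capacity(self) -> Tuple[int, int]:
        """(worst case, best case): every subscriber holding max-blocks-per-host
        blocks versus every subscriber needing only one block."""
        return (self.total_blocks() // self.max_blocks_per_host, self.total_blocks())

    def block_size_warning(self, platform: str) -> Optional[str]:
        """Reproduce the commit-time warning for an undersized block."""
        minimum = RECOMMENDED_MIN_BLOCK[platform]
        if self.block_size < minimum:
            return ("warning: To save system memory, the block size is "
                    f"recommended to be no less than {minimum}.")
        return None


# The pool from the procedure above.
ROOT_SRC_V4_PAT = PbaPool("200.0.0.1", "200.16.0.0", 61044, 63500, block_size=8)
```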
    

Configuring the NAT Session Hold Timeout and NAT Session Persistence Scan

This configuration shows how to configure the NAT session hold timeout and NAT session persistence.

Configuring NAT Session Hold Timeout

The following configuration shows how to configure the NAT session hold timeout.

  • To set the NAT session hold timeout period:

    [edit security nat source]
    user@host# set session-drop-hold-down time
    

    The value of the time variable ranges from 30 through 28,800 seconds (eight hours). The session expires after the configured timeout period.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security
    nat {
        source {
            session-drop-hold-down 28800;
        }
    }

Configuring NAT Session Persistence Scan

The following configuration shows how to configure the NAT session persistence scan.

  • To enable the NAT session persistence scan:

    [edit security nat source]
    user@host# set session-persistence-scan
    

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security
    nat {
        source {
            session-persistence-scan;
        }
    }

Understanding NAT Configuration Check on Egress Interfaces after Reroute

The Network Address Translation (NAT) configuration often changes to accommodate more users and to use the shortest route for forwarding traffic. If the egress interface changes because traffic is rerouted, you can use the set security flow enable-reroute-uniform-link-check nat command to retain the existing NAT configuration and rule.

When the enable-reroute-uniform-link-check nat command is enabled:

  • The session is retained with the existing NAT rule, if the new egress interface and the previous egress interface are in the same security zone, and there is no change in the matched NAT rule or if no rule is applied before and after rerouting.

  • The session expires if the new egress interface and the previous egress interface are in the same security zone and the matched NAT rule is changed.

When the enable-reroute-uniform-link-check nat command is disabled:

  • The traffic is forwarded to the new egress interface if the new egress interface and the previous egress interface are in the same security zone.

Configuration

To enable the NAT configuration for an existing session when there is a change in egress interface because of rerouting, use the following command:

[edit]
user@host# set security flow enable-reroute-uniform-link-check nat

The new configuration is applied when you commit the configuration changes.

The enable-reroute-uniform-link-check nat command is disabled by default.

Limitations

Retaining the NAT configuration using the set security flow enable-reroute-uniform-link-check nat command has the following limitations:

  • TCP synchronization does not allow the new session to transfer the traffic. You must disable TCP synchronization to allow the transfer of traffic in new sessions.

  • Packet information might be lost if the reroute is initiated after the three-way handshake that initializes communication. You must disable Junos OS Services Framework (JSF) plug-ins such as the Application Layer Gateway (ALG) to allow the transfer of traffic in new sessions.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release: 17.4R1
Description: Starting in Junos OS Release 17.4R1, source NAT resources handled by the central point architecture have been offloaded to the SPUs when the SPC number is more than four, resulting in more efficient resource allocation.

Release: 15.1X49-D30
Description: Starting in Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, the central point architecture for NAT has been enhanced to handle higher system session capacity and session ramp-up rate for the SRX5000 line.

Release: 12.3X48-D40
Description: In Release 12.3X48-D40, and in Release 15.1X49-D60 and later releases, you can increase the source NAT port capacity to 2.4G on SRX5400, SRX5600, and SRX5800 devices with next-generation Services Processing Cards (SPCs) by using the port-scaling-enlargement statement at the [edit security nat source] hierarchy level.