Network Address Translation
Published: 2013-02-15
Copyright © 2013, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation
Documentation and Release Notes
Supported Platforms
Using the Examples in This Manual
Merging a Full Example
Merging a Snippet
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Part 1 Overview
Chapter 1 Network Address Translation
Network Address Translation Overview
Types of NAT
NAT Concept and Facilities Overview
IPv4-to-IPv4 Basic NAT
NAT-PT
Static Destination NAT
Twice NAT
IPv6 NAT
NAT-PT with DNS ALG
Dynamic NAT
Stateful NAT64
Dual-Stack Lite
Part 2 Configuration
Chapter 2 Configuration Tasks
Configuring Addresses and Ports for Use in NAT Rules
Configuring Pools of Addresses and Ports
Preserve Range and Preserve Parity
Configuring Address Pools for Network Address Port Translation
Round-Robin Allocation
Sequential
Port Block Allocation
Additional Options for NAPT
Comparison of NAPT Implementation Methods
Specifying Destination and Source Prefixes
Requirements for NAT Addresses
Configuring NAT Rules
Configuring Match Direction for NAT Rules
Configuring Match Conditions in NAT Rules
Configuring Actions in NAT Rules
Configuring NAT Rule Sets
Configuring Static Source Translation in IPv4 Networks
Configuring the NAT Pool and Rule
Configuring the Service Set for NAT
Configuring Trace Options
Configuring Static Source Translation in IPv6 Networks
Configuring the NAT Pool and Rule
Configuring the Service Set for NAT
Configuring Trace Options
Configuring Dynamic Source Address and Port Translation in IPv4 Networks
Configuring Dynamic Source Address and Port Translation for IPv6 Networks
Configuring Dynamic Address-Only Source Translation in IPv4 Networks
Configuring Static Destination Address Translation in IPv4 Networks
Configuring Port Forwarding for Static Destination Address Translation
Configuring Translation Type for Translation Between IPv6 and IPv4 Networks
Configuring the DNS ALG Application
Configuring the NAT Pool and NAT Rule
Configuring the Service Set for NAT
Configuring Trace Options
Configuring NAT-PT
Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4)
Chapter 3 NAT Rules Examples
Example: Configuring Static Source Translation in an IPv4 Network
Configuring Static Source Translation in IPv6 Networks
Configuring the NAT Pool and Rule
Configuring the Service Set for NAT
Configuring Trace Options
Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges
Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network
Example: Configuring Dynamic Source Translation for an IPv4 Network
Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network
Example: Configuring Dynamic Address-Only Source Translation
Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network
Example: Configuring Static Destination Address Translation
Example: Configuring NAT in Mixed IPv4 and IPv6 Networks
Example: Configuring the Translation Type Between IPv6 and IPv4 Networks
Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4)
Example: Configuring Source Dynamic and Destination Static Translation
Example: Configuring NAT-PT
Example: Configuring Port Forwarding with Twice NAT
Example: Configuring an Oversubscribed Pool with Fallback to NAPT
Example: Configuring an Oversubscribed Pool with No Fallback
Example: Assigning Addresses from a Dynamic Pool for Static Use
Example: Configuring NAT Rules Without Defining a Pool
Example: Preventing Translation of Specific Addresses
Example: Configuring NAT for Multicast Traffic
Rendezvous Point Configuration
Router 1 Configuration
Example: Configuring Port Forwarding with Twice NAT
Chapter 4 Configuration Statements
address (Services NAT Pool)
address-allocation
address-range
application-sets (Services NAT)
applications (Services NAT)
cgn-pic
destination-address
destination-address-range
destination-pool
destination-port range
destination-prefix
destination-prefix-list
destined-port
dns-alg-pool
dns-alg-prefix
from (Services NAT)
hint
ipv6-multicast-interfaces
match-direction
nat-type
no-translation
overload-pool
overload-prefix
pgcp
pool
port
port-forwarding
port-forwarding-mappings
ports-per-session
remotely-controlled
rule
rule-set
services (NAT)
secured-port-block-allocation
source-address (NAT)
source-address-range
source-pool
source-prefix
source-prefix-list
syslog
translated-port
term
then
translated
translation-type
transport
use-dns-map-for-destination-translation
Part 3 Administration
Chapter 5 Network Address Translation Operational Mode Commands
show services nat pool
show services nat mappings
Part 4 Index
Index
List of Figures
Part 1 Overview
Chapter 1 Network Address Translation
Figure 1: Dynamic NAT Flow
Figure 2: Stateful NAT64 Flow
Figure 3: DS-Lite Flow
Part 2 Configuration
Chapter 3 NAT Rules Examples
Figure 4: Configuring DNS ALGs with NAT-PT Network Topology
Figure 5: Configuring NAT for Multicast Traffic
List of Tables
About the Documentation
Table 1: Notice Icons
Table 2: Text and Syntax Conventions
Part 2 Configuration
Chapter 2 Configuration Tasks
Table 3: Deterministic Port Block Allocation Commit Constraints
Table 4: Comparison of NAPT Implementation Methods
Part 3 Administration
Chapter 5 Network Address Translation Operational Mode Commands
Table 5: show services nat pool Output Fields
Table 6: show services nat mappings Output Fields