9.12. Deterministic NAT

This mode of operation is implemented in accordance with RFC 7422 and eliminates the need for logging subscriber connections.

As in the Port Block Allocation mode, NAT allocates port blocks to subscribers in this mode. The difference is that port blocks are assigned algorithmically at configuration time instead of being allocated randomly when needed. Therefore, you need to plan the correspondence between subscriber addresses and external port blocks in advance.

NAT supports the sequential port block allocation mode:

  • reserved ports 1-1023 are not used,

  • the remaining ports (1024-65535) are divided into blocks according to the size specified in the pool configuration,

  • the first block is assigned to the first subscriber, the second block is assigned to the second one, etc.

The network address and the broadcast address are also considered subscribers, so each of them is allocated its own block.

When using this mode, you have no information about the destination addresses of subscriber connections. If you need to store destination addresses, this mode of operation is not suitable.

9.12.1. Block Allocation

Let’s say you have 14 subscribers in the network. Taking into account the network address and the broadcast address, you need 16 blocks.

In the pool, you have two external IP addresses. Minus the reserved ones, 64512 ports are available to each IP address.

Thus, you can allocate 8064 ports to each subscriber:

Inside Address

Outside Address & Port
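
The sequential allocation above, worked through in Python as an added example (not NFWare code), together with the reverse lookup that takes the place of connection logs when an outside address and port must be attributed to a subscriber. The subnet 10.0.0.0/28 and the outside addresses 198.51.100.1 and 198.51.100.2 are constructed values, and filling the first outside address before moving to the second is an assumption; the function names are hypothetical.

```python
import ipaddress

FIRST_PORT, LAST_PORT = 1024, 65535          # ports 1-1023 are reserved
SUBNET = "10.0.0.0/28"                       # constructed: 14 hosts + network + broadcast
OUTSIDE = ["198.51.100.1", "198.51.100.2"]   # constructed outside addresses
BLOCK = 8064                                 # block size from the example above

def blocks_per_ip(block_size):
    """Whole blocks that fit into the usable port range of one outside address."""
    return (LAST_PORT - FIRST_PORT + 1) // block_size

def block_for(subscriber, subnet=SUBNET, outside=OUTSIDE, block_size=BLOCK):
    """Forward mapping: inside address -> (outside_ip, first_port, last_port)."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(subscriber)
    if addr not in net:
        raise ValueError(f"{addr} is not in {net}")
    per_ip = blocks_per_ip(block_size)
    # The network address counts as subscriber 0, the broadcast address as the last one.
    index = int(addr) - int(net.network_address)
    if index >= per_ip * len(outside):
        raise ValueError("pool too small for this subnet and block size")
    ip_idx, slot = divmod(index, per_ip)     # assumption: fill one outside IP, then the next
    first = FIRST_PORT + slot * block_size
    return outside[ip_idx], first, first + block_size - 1

def subscriber_for(outside_ip, port, subnet=SUBNET, outside=OUTSIDE, block_size=BLOCK):
    """Reverse mapping: outside_ip:port -> inside address, or None if unassigned."""
    net = ipaddress.ip_network(subnet)
    if outside_ip not in outside or not FIRST_PORT <= port <= LAST_PORT:
        return None                          # unknown address or reserved port
    slot = (port - FIRST_PORT) // block_size
    if slot >= blocks_per_ip(block_size):
        return None                          # leftover ports that do not fill a block
    index = outside.index(outside_ip) * blocks_per_ip(block_size) + slot
    if index >= net.num_addresses:
        return None                          # block exists but no subscriber owns it
    return str(net.network_address + index)

if __name__ == "__main__":
    for host in ipaddress.ip_network(SUBNET):
        ip, lo, hi = block_for(str(host))
        print(f"{str(host):<12} {ip}:{lo}-{hi}")
```

The reverse lookup only gives correct answers for the pool, subnet and block size that were active at the time of the connection, so changes to that configuration need to be retained with their timestamps.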

9.12.2. Configuration

To configure the NAT according to the example above, do the following:

  1. Create a deterministic pool with a block size of 8064:

    nat pool deterministic-pool
     type deterministic block-size 8064

    These commands are described in detail in the Pools section.

  2. Create a subscriber group and configure it to use this pool:

    nat subscriber-group deterministic-group
     pool deterministic-pool

    These commands are described in detail in the Subscriber Groups section.

  3. Create a NAT rule for a subnet:

    nat rule subnet subscriber-group deterministic-group

    This command is described in detail in the Rules section.

9.12.3. Check

To check the resulting correspondence table, use one of the following commands:

show nat rule subnet A.B.C.D/M [vrf NAME]
show nat64 rule subnet X:X::X:X/M [vrf NAME]

For example, for the above configuration the result would be:

nfware# show nat rule subnet
Subscriber          Block