A Static Port Forward (SPF) can be created in only one pool. This pool, which is referenced through the NAT policy, must be specified when the SPF is created, either explicitly through the configuration request or implicitly via defaults.
Explicit requests are submitted either via SAM or via CLI:
tools perform nat port-forwarding-action lsn
- lsn create router <router-instance> [b4 <ipv6-address>] [aftr <ipv6-address>] ip <ip-address> protocol {tcp|udp} [port <port>] lifetime <lifetime> [outside-ip <ipv4-address>] [outside-port <port>] [nat-policy <nat-policy-name>]
If the SPF creation request does not reference a NAT policy, the default nat-policy command under the vprn/router>nat>inside context is used.
As a consequence, the operator must know the NAT policy in which the SPF is to be created. An SPF cannot be created via PCP outside of the pool referenced by the default NAT policy, because PCP does not provide a means to communicate the NAT policy name in the SPF creation request.
The creation of static port forwards and their use by subscriber types must follow these rules:
default NAT policy
Any subscriber type can use an SPF created in the pool referenced by the default NAT policy.
deterministic LSN44 NAT policy
Only deterministic LSN44 subscribers matching the configured prefix can use the SPF created in the pool referenced by the deterministic LSN44 prefix NAT policy.
deterministic DS-Lite NAT policy
Only deterministic DS-Lite subscribers matching the configured prefix can use the SPF created in the pool referenced by the deterministic DS-Lite prefix NAT policy.
LSN44 filter based NAT policy
Only LSN44 subscribers matching the configured filter entry can use the SPF created in the pool referenced by the non-deterministic LSN44 NAT policy within the filter.
DS-Lite filter based NAT policy
Only DS-Lite subscribers matching the configured filter entry can use the SPF created in the pool referenced by the DS-Lite NAT policy within the filter.
NAT64 filter based NAT policy
Only NAT64 subscribers matching the configured filter entry can use the SPF created in the pool referenced by the NAT64 NAT policy within the filter.
When the last relevant policy for a specific subscriber type is removed from the virtual router, the associated port forwards are automatically deleted.
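The policy selection and usage rules above can be checked before an SPF request is submitted. The following Python sketch is an added example, not vendor code: the policy names, prefixes and kind labels are constructed, and a filter entry is modelled as a single source prefix, which is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subscriber type each policy kind serves; None means any type (default policy).
# The kind labels are hypothetical shorthand for the rule names on the page.
KIND_TO_SUBSCRIBER = {
    "default": None,
    "det-lsn44": "lsn44", "det-dslite": "dslite",
    "filter-lsn44": "lsn44", "filter-dslite": "dslite", "filter-nat64": "nat64",
}

@dataclass(frozen=True)
class NatPolicy:
    name: str
    kind: str
    # Deterministic prefix, or (assumption) the source prefix of the filter entry.
    match: Optional[str] = None

def spf_policy(policies, default_name, requested=None, via="cli"):
    """Return the NAT policy (and so the pool) an SPF request lands in."""
    if via == "pcp" and requested not in (None, default_name):
        # PCP has no field for a NAT policy name, so only the default is reachable.
        raise ValueError(f"PCP cannot create an SPF in {requested!r}")
    name = requested or default_name
    if name not in policies:
        raise ValueError(f"unknown NAT policy {name!r}")
    return policies[name]

def can_use(policy, sub_type, sub_addr):
    """Apply the page's usage rules to one subscriber."""
    wanted = KIND_TO_SUBSCRIBER[policy.kind]
    if wanted is None:
        return True                     # default policy: any subscriber type
    if sub_type != wanted:
        return False
    # Mixed IPv4/IPv6 comparisons simply evaluate to False.
    return ipaddress.ip_address(sub_addr) in ipaddress.ip_network(policy.match)

# Constructed sample configuration (names and prefixes are made up).
POLICIES = {p.name: p for p in (
    NatPolicy("pol-default", "default"),
    NatPolicy("pol-det44", "det-lsn44", "10.10.0.0/16"),
    NatPolicy("pol-dslite", "filter-dslite", "2001:db8:b4::/48"),
)}

if __name__ == "__main__":
    pol = spf_policy(POLICIES, "pol-default", requested="pol-det44")
    print(pol.name, can_use(pol, "lsn44", "10.10.3.4"), can_use(pol, "lsn44", "10.20.0.1"))
```

Running the check against the configured policies before creating an SPF shows which subscribers the resulting port forward is usable by, and catches PCP requests aimed at a pool PCP cannot select.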