Dynamic NAT with "match-host"

Introduction to this web page

This web page is about an extension to dynamic NAT called "match-host", which I came across quite by chance in a Cisco document. Despite extensive searching, I haven't been able to find any other information about it, so I have no idea which version of IOS it applies to, or whether it is part of a feature pack.

The key effect of "match-host" is that it instructs the NAT-enabled router to preserve the host part of an IP address while replacing the network part with the network part of an address from the pool.

This could be a valuable facility where enterprise-wide NAT is required but, because of particular user requirements, host PCs behind the NAT router must keep specific IP addresses in order to interact with some external host or service.

The only other way to achieve this is static NAT, which requires a separate command line for each host PC that needs both a fixed IP address and NAT.

Dynamic NAT with "match-host"

This is implemented in the same way as normal dynamic NAT: we create an access list and a pool of IP addresses, but the pool is defined as a host-matching pool. We then associate the two in the normal way.




router>                         enable
router#                         config t
!
!
router(config)#             ! Set up a standard access list which is used to define
router(config)#             ! the range of source addresses on the secure subnet which
router(config)#             ! are to be translated by NAT.
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list standard nat-list
!
router(config)#             ! Set up the new version of the access list
router(config)#             ! (a standard access list matches on source address only,
router(config)#             ! so there is no protocol keyword in the permit line)
!
router(config)#                 ip access-list standard nat-list
!
!
router(config-std-nacl)#        permit 192.168.1.0 0.0.0.255
!
router(config-std-nacl)#        exit
!
!
router(config)#             ! Define a pool of global ip addresses which will be used
router(config)#             ! as the inside global addresses. This is where we also
router(config)#             ! define the NAT pool as a host matching pool. The "netmask"
router(config)#             ! keyword decides which bits count as the host part.
!
router(config)#                 ip nat pool nat-pool 12x.34.1.2 12x.34.1.254 netmask 255.255.255.0 type match-host
!
!
router(config)#             ! Now we issue the command for dynamic NAT, in which command
router(config)#             ! we specify the access list, and also the pool of addresses.
!
router(config)#                 ip nat inside source list nat-list pool nat-pool
!
!
router(config)#             ! Configure the two interfaces, and define whether
router(config)#             ! they are inside or outside for NAT
!
router(config)#                 interface ethernet 0
!
router(config-if)#              ip address 12x.34.0.35 255.255.255.0
router(config-if)#              ip nat outside
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
!
router(config)#                 interface ethernet 1
!
router(config-if)#              ip address 192.168.1.1 255.255.255.0
router(config-if)#              ip nat inside
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
!
router(config)#                 exit
router#                         disable
router>



The above configuration preserves the host component of the IP address but changes the network component, including the subnet component. As the match-host facility is just dealing with numbers, we could presumably use a different mask and so preserve the subnet identifier as well as the host address.

This could be useful if we want to introduce enterprise-wide NAT at the enterprise gateway to the internet, but wish to preserve an existing subnet structure.
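To make the address arithmetic behind the configuration above concrete, here is an added Python model (not Cisco code and not from the original page) of how match-host derives the inside global address: it applies the nat-list access list, keeps the host bits of the inside local address as defined by the pool's netmask, and replaces the network bits with the pool's. It also runs the wider-mask case speculated on in the last paragraph. The 203.0.113.0/24 and 203.0.0.0/16 pools are constructed stand-ins for the page's obfuscated 12x.34.x.x addresses, and treating a result that falls outside the pool range as "not translated" is this example's assumption.

```python
import ipaddress
from typing import Optional


def acl_permits(addr: str, acl_network: str, wildcard: str) -> bool:
    """Standard ACL test: every bit where the wildcard mask is 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(acl_network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def match_host_map(inside_local: str, pool_start: str, pool_end: str,
                   netmask: str) -> Optional[str]:
    """Keep the host bits of inside_local (bits where netmask is 0) and
    replace the network bits with the pool's network bits.
    Assumption (not documented IOS behaviour): a result outside
    [pool_start, pool_end] is reported as None, i.e. no translation."""
    local = int(ipaddress.IPv4Address(inside_local))
    mask = int(ipaddress.IPv4Address(netmask))
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    inside_global = (start & mask) | (local & ~mask & 0xFFFFFFFF)
    if not start <= inside_global <= end:
        return None
    return str(ipaddress.IPv4Address(inside_global))


def translate(inside_local: str, pool_start: str = "203.0.113.2",
              pool_end: str = "203.0.113.254",
              netmask: str = "255.255.255.0") -> Optional[str]:
    """The page's configuration: access list nat-list, then pool nat-pool.
    203.0.113.0/24 is a constructed stand-in for the page's 12x.34.1.0/24."""
    if not acl_permits(inside_local, "192.168.1.0", "0.0.0.255"):
        return None  # not matched by nat-list, so not handed to the pool
    return match_host_map(inside_local, pool_start, pool_end, netmask)


if __name__ == "__main__":
    print(translate("192.168.1.57"))   # 203.0.113.57: host .57 preserved
    print(translate("192.168.1.1"))    # None: host .1 is below pool start .2
    print(translate("10.0.0.5"))       # None: not permitted by nat-list
    # Wider mask, as the page speculates: subnet id preserved as well.
    print(match_host_map("192.168.7.9", "203.0.0.1", "203.0.255.254",
                         "255.255.0.0"))  # 203.0.7.9
```

Note that with a /16 netmask the access list would also have to cover the wider inside range, which is why the last call bypasses translate() and goes to the pool mapping directly.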

 


© 2005 Ron Turner