Configuring NAT using the SDM is really much easier that anyone would think—except for you of course, because you’ve already! Anyway, all you have to do is click Configure NAT and you get a handy wizard that does a lot more that just hold your hand to create a NAT rule. It’s a lot like the one we used to create our firewall, and also just like , there’s more than one wizard. Again you get to pick between basic and advanced:
Basic NAT Use this wizard if you have some basic PCs/hosts on your trusted network that need access to the Internet. This wizard will guide you through the process of creating a basic NAT configuration.
Advanced NAT If you have a DMZ, or servers on your inside network that users from the outside need to access, you definitely want to opt for the Advanced NAT configuration.
The first screen is the Create NAT Configuration screen.
From here, I’m just going to simply connect up and create a basic NAT. After that, I click Launch the Selected Task, and get the next screen, which tells me what the Basic NAT Wizard is going to do.
As you might guess, it rocks—all I have to do is to click Next to get to a screen from which I’m able to select all my inside and outside addresses. Seem familiar? Good—that means you’ve been paying attention!
After choosing my inside and outside interfaces, I click Next. A NAT pool is created and all my interfaces are assigned inside or outside configurations, just like that!
Finally, I click Finish. Let’s see what doing that did to my router. Here are the interfaces it configured:
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to 1242 AP
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
[output cut]
!
interface Serial0/2/0
description Connection to R3$FW_OUTSIDE$
ip address 64.1.1.5 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
clock rate 2000000
!
[output cut]
Here is the ip nat inside source list it created:
ip nat inside source list 2 interface Serial0/2/0 overload
!
[output cut]
And last, here is the access list created for each interface I chose as in inside network:
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 1.1.1.0 0.0.0.255
access-list 2 permit 10.1.4.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.2.0 0.0.0.255
access-list 2 permit 10.1.3.0 0.0.0.255
I know I’ve said this over and over in the book, but I like to repeat this because I want to assure you that SDM really is an incredibly useful tool for creating advanced configurations like ACLs, VPNs, and NAT.
Basic NAT Use this wizard if you have some basic PCs/hosts on your trusted network that need access to the Internet. This wizard will guide you through the process of creating a basic NAT configuration.
Advanced NAT If you have a DMZ, or servers on your inside network that users from the outside need to access, you definitely want to opt for the Advanced NAT configuration.
The first screen is the Create NAT Configuration screen.
From here, I’m just going to simply connect up and create a basic NAT. After that, I click Launch the Selected Task, and get the next screen, which tells me what the Basic NAT Wizard is going to do.
As you might guess, it rocks—all I have to do is to click Next to get to a screen from which I’m able to select all my inside and outside addresses. Seem familiar? Good—that means you’ve been paying attention!
After choosing my inside and outside interfaces, I click Next. A NAT pool is created and all my interfaces are assigned inside or outside configurations, just like that!
Finally, I click Finish. Let’s see what doing that did to my router. Here are the interfaces it configured:
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to 1242 AP
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
[output cut]
!
interface Serial0/2/0
description Connection to R3$FW_OUTSIDE$
ip address 64.1.1.5 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
clock rate 2000000
!
[output cut]
Here is the ip nat inside source list it created:
ip nat inside source list 2 interface Serial0/2/0 overload
!
[output cut]
And last, here is the access list created for each interface I chose as in inside network:
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 1.1.1.0 0.0.0.255
access-list 2 permit 10.1.4.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.2.0 0.0.0.255
access-list 2 permit 10.1.3.0 0.0.0.255
I know I’ve said this over and over in the book, but I like to repeat this because I want to assure you that SDM really is an incredibly useful tool for creating advanced configurations like ACLs, VPNs, and NAT.