
How to use SDM to set up NAT

Most of the NAT and PAT deployments currently in use were configured at the CLI, and you'll learn how to do that in your CCNA studies. In the following lab, we're going to use a relatively new method, the Security Device Manager (SDM), to configure a router for PAT. We'll then test the translation as well! Here's the network topology:

Our PC needs to connect to that web server, but there's a problem. The PC has a Class A RFC 1918 private address, which is not routable on the Internet. We'll use SDM to configure PAT to allow that PC connectivity to the web server, plus I'll sneak in an extra point about pings and PAT. (Try saying that three times really fast!)

1. For PAT, we just click on "Configure" and then "Interfaces And Connections" to bring this screen up.

2. We'll select the second radio button and click "Create New Connection".

3. We're going to assign a static IP address of 172.20.21.1 /16 to the Fast Ethernet 0/1 interface. Note that this is the interface facing the Internet, as Fast Ethernet 0/0 has an RFC 1918 private address as well.

4. The next screen gives us a chance to configure Advanced Options, and it's here that we'll enable PAT on this interface by checking the "Port Address Translation" box.

5. When doing so, make sure to choose the correct interface. The first choice here is Fast Ethernet 0/0, but that's the inside interface.

I simply clicked on the drop-down box and chose Fast Ethernet 0/1.

6. Finally, SDM shows you a summary of what you've chosen. Note the PAT inside interface is Fast Ethernet 0/0 and the outside interface is Fast Ethernet 0/1, just what we want.

7. By clicking "Finish" at the bottom of the screen, you'll see a Command Delivery Status window that verifies the configuration has been written to the router. Note that it takes 13 commands to configure what we've chosen!

8. SDM verifies that FastEthernet 0/1 has been configured with an IP address of 172.20.21.1 and that the interface is the outside NAT interface.

9. This all looks good, but we'd better test it! Let's revisit the network topology:

Let's send a ping from the router to the web server to verify connectivity, and then check the NAT translation table.
RouterA#ping 172.20.21.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.21.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

RouterA#show ip nat translation

< nothing shows up and we're taken back to the prompt >
RouterA#

When you run a show command and you get nothing in return, that means there's nothing to show you. In this case, there have been no NAT translations. Why? Because we sent the ping from the router, and by default the source IP address of the ping will be the exit interface's IP address. The source IP address of the ping from the router is 172.20.21.1, and that address requires no translation. To truly test PAT, we need to do one of two things:

- Send an extended ping from the router and specify a source IP address for the ping of 10.1.1.11
- Go to the PC and send a ping from there

Since it's the PC that needs connectivity to the web server, let's send a ping from the PC to that server and then check the NAT translation table.
C:\>ping 172.20.21.254
Pinging 172.20.21.254 with 32 bytes of data:
Reply from 172.20.21.254: bytes=32 time=4ms TTL=127
Reply from 172.20.21.254: bytes=32 time=1ms TTL=127
Reply from 172.20.21.254: bytes=32 time=1ms TTL=127
Reply from 172.20.21.254: bytes=32 time=1ms TTL=127

The ping from the PC is successful. Let's check the translation table:
RouterA#show ip nat translation
Pro  Inside global      Inside local    Outside local       Outside global
icmp 172.20.21.1:512    10.1.1.1:512    172.20.21.254:512   172.20.21.254:512

Not all NAT tables list the protocol, but this one does, and you can see that it's an ICMP translation since that's what ping packets are. You can see the port translation as well, and the inside global address of 172.20.21.1 is the PAT interface on the router! That's just what we expect to see.
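The check we just did by eye can also be scripted. The following is an added example, not part of the original lab: it parses "show ip nat translation" output and reports when the table is empty (as it was after the router-sourced ping) or when an entry does not map an inside host to the PAT interface address. The sample text is constructed from the table above; the function names and the use of 10.0.0.0/8 as the inside range are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample, laid out like the translation table shown in the lab.
SAMPLE = """\
Pro  Inside global      Inside local    Outside local       Outside global
icmp 172.20.21.1:512    10.1.1.1:512    172.20.21.254:512   172.20.21.254:512
"""

class Entry(NamedTuple):
    proto: str
    inside_global: tuple
    inside_local: tuple
    outside_local: tuple
    outside_global: tuple

def _split(field):
    """'10.1.1.1:512' -> (IPv4Address, 512); '---' (no value) -> None."""
    if field == "---":
        return None
    addr, _, port = field.partition(":")
    return ipaddress.ip_address(addr), int(port) if port else None

def parse_nat_table(text):
    """Return one Entry per translation row, skipping the header and prompts."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # header row, blank line or router prompt
        entries.append(Entry(cols[0], *map(_split, cols[1:])))
    return entries

def check_pat(entries, pat_addr, inside_net):
    """Return a list of problems; an empty list means the table matches the design."""
    pat_addr = ipaddress.ip_address(pat_addr)
    inside_net = ipaddress.ip_network(inside_net)
    if not entries:
        return ["no translations: was the test traffic sourced from the inside network?"]
    problems = []
    for e in entries:
        if e.inside_global[0] != pat_addr:
            problems.append(f"{e.inside_local[0]} translated to {e.inside_global[0]}, not {pat_addr}")
        if e.inside_local[0] not in inside_net:
            problems.append(f"unexpected inside local address {e.inside_local[0]}")
    return problems
```

Calling check_pat(parse_nat_table(SAMPLE), "172.20.21.1", "10.0.0.0/8") returns an empty list for the table above.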
