First of all, if you run ASA code above 8.3, it means you run the new NAT, which means that if you want policy-NAT, you have to configure twice-NAT. With twice-NAT, why would you use objects or object-groups? The answer is in the names of those two features:
- object means a single object, so you can have in this container a subnet, a range, or a single host (by IP or by FQDN), but you cannot have multiple subnets, or a subnet and a range, defined in there; only a single object is allowed
- object-group means a group of objects, so you can have in this container multiple subnets defined, or multiple hosts defined, or a combination of hosts and subnets.
So using object-groups gives you flexibility in the policy-NAT configuration.
Cristian Matei, CCIE #23684 (SC/R&S)
Online Community: http://www.ieoc.com
CCIE Blog: http://blog.ine.com
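
The difference described in the post above, shown as an added ASA 8.3+ configuration sketch that is not part of the original post. All object names, the `inside`/`outside` interface names and the addresses are constructed for illustration; the two variants are alternatives, not meant to be configured together.

```cisco
! --- Constructed sample objects: each "object network" holds exactly ONE
! --- subnet, range or host
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-LAN-MAPPED
 subnet 172.16.1.0 255.255.255.0
object network PARTNER-A
 subnet 192.168.10.0 255.255.255.0
object network PARTNER-B-RANGE
 range 192.168.20.10 192.168.20.50
object network PARTNER-C-HOST
 host 192.168.30.5
!
! --- Variant 1: objects only. Policy-NAT needs one twice-NAT rule per
! --- destination, because a single object cannot describe all three.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPPED destination static PARTNER-A PARTNER-A
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPPED destination static PARTNER-B-RANGE PARTNER-B-RANGE
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPPED destination static PARTNER-C-HOST PARTNER-C-HOST
!
! --- Variant 2: an object-group collects subnets, hosts and existing
! --- objects, so one twice-NAT rule covers every destination.
object-group network PARTNERS
 network-object object PARTNER-A
 network-object object PARTNER-B-RANGE
 network-object host 192.168.30.5
 network-object 192.168.40.0 255.255.255.0
!
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPPED destination static PARTNERS PARTNERS
```

With the object-group variant, adding a destination later means adding one `network-object` line to `PARTNERS` instead of another NAT rule; `show nat detail` lists the resulting rules and their hit counts so the match can be checked.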