We have completed the upgrade of IEOC! All posts, comments and user profiles have been migrated. For security reasons, we have reset all passwords. To set a new password please Click Here. Further updates soon to follow.

Object vs Object-Groups in NAT

On the ASA, why would you use object-groups instead of objects when configuring policy NAT. 

Example. If I create a nat rule that maps to the object, the NAT source type shows in ASDM as Dynamic PAT (Hide), but a NAT rule with the object group shows source as "Dynamic".  Why would they be different? They are both mapping to a single host address. I know I'm missing something really fundamental here

 

object network INSIDE_MAPPED_FIRST

host 136.1.38.80

exit

object-group network INSIDE_MAPPED_SECOND

network-object host 136.1.38.90

exit

 

Comments

  • Hi,

       First of all, if you run an ASA Code above 8.3, it means you run the new NAT, which means if you want policy-NAT, you have to configure twice-NAT. With twice-NAT, why would you use objects or objects-groups.......the answer is in the name of those two features:

       - object means a single object, so you can have in this container a subnet, a range, or a single host by the IP or by  FQDN, but you cannot have in there multiple subnets or a subnet and a range defined; a single object is allowed

        - object-groups means a group of objects, so you can have in this container multiple subnets defined, or multiple hosts defined, or a combination of host and subnets.

    So using object-groups gives you flexibility on the policy-NAT configuration.

    Regards,

    Cristian.

  • Hi Cristian,

    Totally understand the benefits of Object groups. I guess what I'm asking is, if you use an Object  (host) as a translated address in ASDM, even if you set it to Dynamic, ASDM will always set it to "Dynamic (Hide)". If you use an Object Group (network-object host) it will stay as "Dynamic"

     Is it because it sees the Object-Group as a PAT Pool?

Sign In or Register to comment.