https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3396617#M955245 <P>I will be setting up a VPN that requires static NAT for roughly 200&nbsp;hosts, and each host must always use the same translated address. This is on an ASA 5525X running 9.6(4)3</P> <P>&nbsp;</P> <P>My first thought is, for each host, create a network object with the local address and another network object with the translated address, and then create the appropriate NAT rule using those objects. But this seems very inefficient and will result in a lot of configuration clutter.</P> <P>&nbsp;</P> <P>Is there a cleaner, more efficient way to approach this?</P> Fri, 21 Feb 2020 15:51:43 GMT magates 2020-02-21T15:51:43Z https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3396617#M955245 <P>I will be setting up a VPN that requires static NAT for roughly 200&nbsp;hosts, and each host must always use the same translated address. This is on an ASA 5525X running 9.6(4)3</P> <P>&nbsp;</P> <P>My first thought is, for each host, create a network object with the local address and another network object with the translated address, and then create the appropriate NAT rule using those objects. But this seems very inefficient and will result in a lot of configuration clutter.</P> <P>&nbsp;</P> <P>Is there a cleaner, more efficient way to approach this?</P> Fri, 21 Feb 2020 15:51:43 GMT https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3396617#M955245 magates 2020-02-21T15:51:43Z https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3397233#M955246 Had a quick look over the 9.6 NAT guide but I couldn't find any hint. <BR />Let's see what other suggest about this. Mon, 11 Jun 2018 08:14:19 GMT https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3397233#M955246 Florin Barhala 2018-06-11T08:14:19Z https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3397264#M955247 <P>Starting with version 8.3 you can't configure nat without configuring some object groups as well, so there is no cleaner version available, but I find that if the object have meaningful names the nat config remains readable.</P> <P>Not sure if that is the case, but if you are planning to nat a range of IPs to a range of IPs you could have only one NAT rule in place.</P> <P>&nbsp;</P> <P>HTH</P> <P>Bogdan</P> Mon, 11 Jun 2018 09:07:54 GMT https://community.cisco.com/t5/network-security/asa-nat-statement-best-practice/m-p/3397264#M955247 Bogdan Nita 2018-06-11T09:07:54Z