06-28-2011 09:07 AM - edited 03-11-2019 01:52 PM
After the upgrade to 8.3, and the automatic reconfiguration of all the Static and NAT to the "Object-group" command structure, I have a TON of duplicate configuration objects.
My question is whether I can point all of the references to the PRIMARY (First) Object-group reference, or if I need to go through and re-name EVERY Object-group duplicate to something more meaningful. Example:
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
.....
object network obj_any-68
subnet 0.0.0.0 0.0.0.0
object network obj_any-69
subnet 0.0.0.0 0.0.0.0
object network obj_any-22
nat (3ComVendor,DMZ2) dynamic obj-0.0.0.0
object network obj_any-23
nat (3ComVendor,SSJobs) dynamic obj-0.0.0.0
object network obj_any-24
So, can I point all the "nat (xxx,yyy)..." configuration lines to the primary "object network obj_any" and remove the "...any-01, any-02, any-03, etc.", or are these unique in some way and tied to the object command?
Or, do I need to rename, such as "network obj_any-23" to say "network obj-3ComSSJobs"?
06-29-2011 09:40 AM
Roberth,
I think I should not have made my post so short. NAT deserves a big post, and if it is for NAT 8.3 it should be a must.
There are 3 kinds of NAT:
Manual NAT (where you can apply twice NAT, which is basically NAT of the source and the destination)
Object NAT (where you create the NAT inside the object)
After Auto (a special keyword that allocates a manual NAT at the end of the NAT list)
When configuring Manual NAT you can use the same object for creating NATs; this is basically because this type of NAT is configured in global configuration mode.
When configuring Object NAT, you will need to create a different object per NAT you configure. This is because you configure the NAT inside the object; if you put another NAT statement into the same object, it will override the previous one. For example:
You want to NAT all your internal hosts when going to the Outside to the IP 10.10.10.10, so you do the following:
object network Any-inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 10.10.10.10
If you try to NAT in that same object when going to the DMZ to the IP 20.20.20.20:
object network Any-inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,dmz) dynamic 20.20.20.20
it will override the previous NAT, but if you do it manually, like this (in global configuration mode):
! the mapped addresses in manual (twice) NAT are given as network objects
object network PAT-outside
 host 10.10.10.10
object network PAT-dmz
 host 20.20.20.20
nat (inside,outside) source dynamic Any-inside PAT-outside
nat (inside,dmz) source dynamic Any-inside PAT-dmz
You will have no problems.
Hope this is clear; here is a document that you can use for reference.
https://supportforums.cisco.com/docs/DOC-9129
If you have any doubts, let me know.
Mike
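The question above is about which of the migrated obj_any-NN duplicates can be collapsed into the first one, and the answer is that an object holds only one nat line. The following script is an added example, not something posted in this thread or shipped by Cisco: it parses a constructed ASA 8.3 config fragment (modelled on the obj_any-NN objects from the question, with made-up host addresses and a made-up access-list), groups objects by their definition, keeps every duplicate that carries its own object NAT, merges the NAT-less duplicates into the first object, and repoints references to the merged names. The object and interface names are taken from the thread; the host addresses, the ACL and the function names are assumptions of this example.

```python
"""Added example (not from the thread): plan the clean-up of duplicate ASA 8.3
network objects. Rule from the accepted answer: an object holds at most one
'nat' line, so duplicates with their own object NAT must stay; NAT-less
duplicates can be merged into the first ("primary") object."""
import re
from collections import defaultdict

# Constructed running-config fragment modelled on the obj_any-NN objects in the
# question; the host addresses and the access-list are made up for the demo.
SAMPLE_CONFIG = """\
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-22
 subnet 0.0.0.0 0.0.0.0
 nat (3ComVendor,DMZ2) dynamic obj-0.0.0.0
object network obj_any-23
 subnet 0.0.0.0 0.0.0.0
 nat (3ComVendor,SSJobs) dynamic obj-0.0.0.0
object network obj-0.0.0.0
 host 192.0.2.1
object network obj-web
 host 10.1.1.10
object network obj-web-dup
 host 10.1.1.10
access-list outside_in extended permit tcp any object obj-web-dup eq 80
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
DEF_RE = re.compile(r"^\s+(subnet|host|range|fqdn)\s+(.+)$")
NAT_RE = re.compile(r"^\s+nat\s+(.+)$")


def parse_objects(config):
    """Return {name: {"definition": "subnet 0.0.0.0 0.0.0.0", "nat": [...]}}."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects[current] = {"definition": None, "nat": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the object block
            continue
        m = DEF_RE.match(line)
        if m:
            objects[current]["definition"] = f"{m.group(1)} {m.group(2)}"
            continue
        m = NAT_RE.match(line)
        if m:
            objects[current]["nat"].append(m.group(1))
    return objects


def plan_consolidation(config):
    """Split duplicate objects into 'merge' (dup -> primary) and 'keep_nat'."""
    objects = parse_objects(config)
    groups = defaultdict(list)  # definition -> object names, in config order
    for name, info in objects.items():
        if info["definition"] is not None:
            groups[info["definition"]].append(name)
    merge, keep_nat = {}, []
    for names in groups.values():
        if len(names) < 2:
            continue
        # The primary is the first NAT-less duplicate; objects that carry their
        # own nat line cannot be merged, since one object holds only one NAT.
        primary = next((n for n in names if not objects[n]["nat"]), None)
        for n in names:
            if objects[n]["nat"]:
                keep_nat.append(n)
            elif primary is not None and n != primary:
                merge[n] = primary
    return {"merge": merge, "keep_nat": keep_nat}


def rewrite_config(config, merge):
    """Drop merged object blocks and repoint 'object <dup>' references."""
    out, skipping = [], False
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            skipping = m.group(1) in merge
            if skipping:
                continue
        elif skipping and line.startswith(" "):
            continue  # body line of a merged object
        else:
            skipping = False
        for dup, primary in merge.items():
            line = re.sub(rf"(?<!\S)object {re.escape(dup)}(?=\s|$)",
                          f"object {primary}", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    plan = plan_consolidation(SAMPLE_CONFIG)
    print("merge:", plan["merge"])
    print("keep (own object NAT):", plan["keep_nat"])
    print(rewrite_config(SAMPLE_CONFIG, plan["merge"]))
```

On the sample, obj_any-02 and obj-web-dup are merged into obj_any-01 and obj-web, while obj_any-22 and obj_any-23 are kept because each carries a distinct nat line; merging those would silently drop one of the two translations. Run the plan against a copy of `show running-config` and diff the result before applying it on the box.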
06-28-2011 09:27 AM
You can just use one object and point the NATs over there.
Mike
06-29-2011 03:35 AM
For "Object NAT" you must use duplicate objects for the same host/subnet if you want different NAT/PAT translations for it, because only one nat (xxx,yyy) line is allowed in an object network command.
I prefer "Twice NAT" instead.
06-29-2011 09:07 AM
"You can just Use one object and point the NATs over there"
"For "Object NAT" you must use duplicate objects for same host/subnet if you want different NAT/PAT translations for it,"
Just when I thought I had an answer, I am now more confused... These seem to be contradictory answers, and based on the responses, I believe I would trust the Cisco (685 posts) answer more than a customer's (5 posts) answer.
Also, I am fairly well versed in PIX/ASA firewall configurations (just had not used Object Group commands, et al. much), but I am not sure what you are referring to with "Twice NAT"...
06-29-2011 10:19 AM
Thank you for the clarification... It helps make sense out of the mess I have in my ASA... As much as I understand the efficiencies and capabilities of the "Object" commands, I really still prefer the static entries, mainly because it is easier for me to read through them. (I don't even use the "Name" command...) I guess I am still just too "old school"...