Sorry there is a solution no.2 as well:

Use manual nat or twice nat.

In manual nat you can use the same objects in multiple nat statements without any issues, beacuse natting is not done in the object but in the config mode.

object network obj-MyServer

  host 192.168.1.100

object service tcp_8080

  service tcp destination eq 8080

object service tcp_8443

  service tcp destination eq 8443

nat (outside,inside) source static any any destination static interface obj-MyServer service tcp_8080 tcp_8080

nat (outside,inside) source static any any destination static interface obj-MyServer service tcp_8443 tcp_8443

Hope this helps you in understanding the new natting better

-Varun

Thanks for clarifying I was not crazy.

I was aware of the technique to get it working with twice nat, however, I like the "object nat" concept because it is much easier to read when viewing the config.

I still do not fully understand why Cisco cannot add the ability for multiple translations even with object nat and just have it function like multiple twice nat statements behind the scenes.

Since I am ranting...

I also do not understand why Cisco can allow twice NAT to specify a service object, but not a service object group.

It would also be cleaner if the same configuration could be specified with:

object-group service obj-Server-Services tcp

  port-object eq 8080

  port-object eq 8443

nat (inside,outside) source static any any dest static interface obj-MyServer service obj-Server-Services

                                                                                                                                     ^^^

                                                                                                                    maybe different keyword like service-group here

Same to apply to object nat

why no...

object obj-MyServer

     nat (inside,outside) static interface service obj-Server-Services

if they only want to allow one command there?

Anyway, wanted to fully complete rant in case you actually work for Cisco or have any friends in there that answer the questions and/or change how it works :-).

Hi,

Fair enough, the new nat system might seem difficult to understand, but the more you get down into it, it is actually quite good and helpful. And thats based on my personal experience on this forum as well as at work.

First Question:

Well there might be an issue with specifying a service object in the nat statement, then it might not do the one to one port translations, that means, if you specify a port object for ftp,http,smtp and want those ports to be translated to 2121,8443,2525 respectively on your internal server, then if we have service object applied, then it would pick any port in the translated group, which means if request for ftp comes on mapped ip, it might translate port 21 to 8443, whihc is not my requirement. Hence only service objects are used for one to one mapping.

Second Question:

Network-Object nat not supporting mulitple nat statement.

Well the nat statement is just a parameter of the network object, and you cannot have different parameter for the same network object.

All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a  network object, which can be a single IP address, a range of addresses,  or a subnet.

After you configure the network object, you can then identify the mapped  address for that object, either as an inline address or as another  network object or network object group.

hesitate

When a packet enters the ASA, both the source and destination IP  addresses are checked against the network object NAT rules. The source  and destination address in the packet can be translated by separate  rules if separate matches are made. These rules are not tied to each  other; different combinations of rules can be used depending on the  traffic.

Because the rules are never paired, you cannot specify that  sourceA/destinationA should have a different translation than  sourceA/destinationB. Use twice NAT for that kind of functionality  (twice NAT lets you identify the source and destination address in a  single rule).

I hope this helps you somewhat.

And no offence taken and yes, I am a TAC engineer, but if you have any things or product feedback to share, please do not hesitate

Thanks,

Varun