04-05-2013 09:43 AM - edited 03-11-2019 06:24 PM
Hi,
I am trying to compare a pre-8.3 vs 8.4.x NAT config. I am a little confused about it, so I am asking here.
Point 1.
static (inside,outside) 100.100.100.2 access-list ACL1
access-list ACL1 extended permit ip host 10.10.10.2 any
--> Here, I am not sure how to make the new 8.4.x NAT config because the destination is 'any'. My answer:
object network obj-100.100.100.2
host 100.100.100.2
object network obj-10.10.10.2
host 10.10.10.2
nat (inside,outside) source static obj-10.10.10.2 obj-100.100.100.2 destination static XXX
What would the 'nat' config be here?
Point 2.
global (outside) 1 100.100.100.2 netmask 255.255.255.255
nat (inside) 1 access-list ACL2
access-list ACL2 extended permit ip host 10.10.10.2 any
--> My answer:
object network obj-100.100.100.2
host 100.100.100.2
object network obj-10.10.10.2
host 10.10.10.2
nat (inside,outside) dynamic obj-100.100.100.2
Is this correct?
Point 3.
global (outside) 1 100.100.100.2 netmask 255.255.255.255
nat (inside) 1 access-list ACL3
access-list ACL3 extended permit ip any host 10.10.10.2
---> Source is 'any' here. What would be the 'nat' config then?
Thanks for your time.
04-05-2013 09:56 AM
Hi,
1.) To be honest, it seems strange to me to originally have a Static Policy NAT with destination "any". I think the same could be achieved simply with Static NAT.
For example
static (inside,outside) 100.100.100.2 10.10.10.2 netmask 255.255.255.255
If the ACL you mention actually had some destination host or network, then it would make sense. Or I might just be missing something.
The new format for that configuration would probably be
object network STATIC
host 10.10.10.2
nat (inside,outside) static 100.100.100.2
OR
object network REAL
host 10.10.10.2
object network MAPPED
host 100.100.100.2
nat (inside,outside) source static REAL MAPPED
2.) Again, like with the Static Policy NAT, this is a Dynamic Policy PAT with a destination of "any".
You could either configure
object network DYNAMIC-PAT
host 10.10.10.2
nat (inside,outside) dynamic 100.100.100.2
OR
object-group network DYNAMIC-PAT-SOURCE
network-object host 10.10.10.2
object network PAT
host 100.100.100.2
nat (inside,outside) after-auto source dynamic DYNAMIC-PAT-SOURCE PAT
3.) Now this is actually a configuration that would be something that I see commonly in actual use. You want to translate all users to a different NAT/PAT IP address based on some certain destination IP address.
You could configure this with for example
object network DESTINATION
host 10.10.10.2
object network PAT
host 100.100.100.2
nat (inside,outside) source dynamic any PAT destination static DESTINATION DESTINATION
Hope this helps. Naturally, ask more if needed. Do rate and/or mark the question as answered if it did.
I just made a NAT 8.3+ document on the forums a couple of weeks ago, if you want to check it out:
https://supportforums.cisco.com/docs/DOC-31116
There is also a pretty good document comparing the old and new format
https://supportforums.cisco.com/docs/DOC-9129
- Jouni
04-05-2013 02:16 PM
Thanks Jouni.
In Answer 2, you have created an object-group of type network. Why not use a plain 'object network' instead?
In Answer 3, I should be putting the nat config under the Public IP object or the Private IP object? I.e.
Original pre-8.3:
global (outside) 1 100.100.100.2 netmask 255.255.255.255
nat (inside) 1 access-list ACL3
access-list ACL3 extended permit ip any host 10.10.10.2
New 8.4.x:
object network obj-100.100.100.2
host 100.100.100.2
object network obj-10.10.10.2
host 10.10.10.2
nat (inside,outside) source dynamic any obj-100.100.100.2 destination static XXX XXX
Also, when I am porting the pre-8.3 NAT config from box A to 8.4.x on new box B, should the statics be entered in the same sequence?
Many Thanks.
04-05-2013 02:26 PM
Hi,
It mostly comes down to habit. And that habit came from trying to configure NAT/PAT with as little configuration as possible.
As you can see, I have given 2 examples. One is using the "object network" which you mention and the other is using "object-group".
In a situation where you use "object network" you can only insert a single host/range/subnet under it for which you do a PAT configuration. What if you run into a situation where you would want to do the same PAT for other IP addresses too? You would possibly have to configure several of these.
Here is where my second option in 2.) comes into play. First we have to notice that this is not Network Object NAT anymore. Also, no NAT is configured under the "object-group" and CAN'T be configured under it. The "object-group" is used to define the source IP addresses we want to do the PAT for.
Since we have configured an "object-group", we know that it can contain as many hosts/networks under it as we want. So if we want to add another source IP address or even a network to this PAT rule, we simply configure the source address/network under the "object-group" and we don't have to touch any NAT configuration at all.
Let's see an example.
The original PAT configuration was
object-group network DYNAMIC-PAT-SOURCE
network-object host 10.10.10.2
object network PAT
host 100.100.100.2
nat (inside,outside) after-auto source dynamic DYNAMIC-PAT-SOURCE PAT
Now you want to do the same PAT translation for a couple of other addresses behind the "inside" interface. This addition could be configured like this:
object-group network DYNAMIC-PAT-SOURCE
network-object host 10.10.10.100
network-object host 10.10.10.200
And that's it.
EDIT: One important thing to notice with the new NAT format. The above configurations will do what their counterparts do in the original posts, but remember that in the new software (like in the old software) other NAT rules can override these rules, and you always have to take into consideration the existing configuration to determine how to configure this new rule so it works like it's supposed to.
- Jouni
04-05-2013 02:35 PM
Yes, use of object-group indeed makes sense. Thanks for clarifying.
While you were replying to my question, I added additional point to my post. If you could please check those & help me understand, it would be great.
Many Thanks.
04-05-2013 03:15 PM
Hi,
The 3.) NAT configuration is not a Network Object NAT. The NAT configuration is not added under either of the "object network". The only purpose of the "object network" is to hold the IP information under them. The "network object" will then be referenced in the actual NAT configuration line.
The reason we need to define the IP address under "network object" or "object-group network" is because of the new NAT configuration format. Very few NAT configurations let you enter the IP address directly on the NAT configuration line (though naturally some do); instead you have to reference an "object network" or "object-group network" which contains the needed IP address information.
To go over the 3.) NAT configuration piece by piece
global (outside) 1 100.100.100.2 netmask 255.255.255.255
nat (inside) 1 access-list ACL3
access-list ACL3 extended permit ip any host 10.10.10.2
The original configuration basically tells us that when any host on the "inside" tries to connect to the host "10.10.10.2" on the "outside", then it should be PATed to the IP address "100.100.100.2".
Now for the new format configuration doing the same thing
object network DESTINATION
host 10.10.10.2
object network PAT
host 100.100.100.2
nat (inside,outside) source dynamic any PAT destination static DESTINATION DESTINATION
Regarding the last question, it's pretty hard to say. Generally I would say you could configure the Static NAT in the same order they are on the old software. Personally, I'd rather first look through the whole NAT configuration and see how it's supposed to work, and then rewrite the rules in the new format.
Provided that your current NAT configuration ain't enormous, I can always take a look at it and see if I can help out.
Hope this helps. Again, don't hesitate to ask more.
- Jouni
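As an added example (not Cisco's code and not config from this thread), the Python below models the three-section NAT table that the EDIT note about rules overriding each other and the piece-by-piece walk-through of 3.) both depend on: section 1 manual NAT, section 2 network object NAT, section 3 manual NAT entered with "after-auto". It loads the thread's rules, with a constructed outside host 203.0.113.10 as the Point 3 destination, and reports which rule a given inside-to-outside flow hits. The section 2 ordering (static before dynamic, longer prefix first) is a simplification assumed here; the other ASA tie-breakers are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

# Constructed model of the ASA 8.3+ NAT table (example code, not Cisco's):
# section 1 = manual NAT, section 2 = network object NAT, section 3 = manual
# NAT entered with "after-auto". Sections are searched in order, first match wins.
# Assumed simplification: inside section 2, static rules are tried before dynamic
# ones and longer prefixes before shorter; the remaining tie-breakers are omitted.
Spec = Union[str, List[str]]   # "any", one "a.b.c.d/len", or an object-group list

@dataclass
class NatRule:
    name: str
    section: int
    real_src: Spec
    mapped_src: str
    static: bool = False
    real_dst: Spec = "any"     # only manual (twice) NAT can match on destination

def _contains(spec: Spec, ip: str) -> bool:
    if isinstance(spec, list):
        return any(_contains(s, ip) for s in spec)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _prefixlen(spec: Spec) -> int:
    if isinstance(spec, list):
        return min(_prefixlen(s) for s in spec)
    return 0 if spec == "any" else ipaddress.ip_network(spec).prefixlen

def lookup(rules: List[NatRule], src_ip: str, dst_ip: str):
    """Name of the first NAT rule the flow src_ip -> dst_ip hits, or None."""
    for section in (1, 2, 3):
        candidates = [r for r in rules if r.section == section]
        if section == 2:   # object NAT is ordered by the ASA, not by entry order
            candidates.sort(key=lambda r: (not r.static, -_prefixlen(r.real_src)))
        for rule in candidates:
            if _contains(rule.real_src, src_ip) and _contains(rule.real_dst, dst_ip):
                return rule.name
    return None            # no rule: the packet is forwarded untranslated

# The thread's rules; 203.0.113.10 is a constructed outside destination host.
RULES = [
    # Point 1: object network STATIC / nat (inside,outside) static 100.100.100.2
    NatRule("STATIC", 2, "10.10.10.2/32", "100.100.100.2", static=True),
    # Point 3: nat (inside,outside) source dynamic any PAT destination static ...
    NatRule("PAT-TO-DEST", 1, "any", "100.100.100.2", real_dst="203.0.113.10/32"),
    # Point 2, second form: after-auto source dynamic DYNAMIC-PAT-SOURCE PAT
    NatRule("AFTER-AUTO-PAT", 3, ["10.10.10.2/32", "10.10.10.100/32",
                                  "10.10.10.200/32"], "100.100.100.2"),
]
```

Running lookup for 10.10.10.2 shows the point of the EDIT note: the section 2 static always catches it before the after-auto PAT rule can, while a flow to 203.0.113.10 is caught even earlier by the section 1 twice NAT.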
04-09-2013 12:57 PM
Superb. Your explanations to my questions are so clear and elaborate!
Thanks a lot Jouni