Thanks for the reply.

You're kidding? So somehow having 10 objects for the same server is supposed to be cleaner that the old syntax? So Cisco's recommended syntax for multiple ports to the same host is as per below. Am I understanding right? If the below is correct then that is just plain ugly IMO. I was all for the new system till I hit this snag. It's not as if forwarding multiple ports to one host is some crazy odd ball setup. It's the most basic config possible.

object host1

host 10.10.10.1

object host1-port1

host 10.10.10.1

nat (inside,outside) static interface service tcp 80 80

object host1-port2

host 10.10.10.1

nat (inside,outside) static interface service tcp 443 443

object-group service host1-services

service-object tcp destination eq www

service-object tcp destination eq https

access-list outside-incoming extended permit object-group host1-services any object host1

I agree with you, not the greatest new NAT transformation, but supposedly is more flexible in terms of the NATing capability.

Well, the old static NAT statements, you still have to configure 2 separate static NATs too for to different ports

static (inside,outside) tcp interface 80 10.10.10.1 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 10.10.10.1 443 netmask 255.255.255.255

But yes, agree, 2 static NAT lines, instead of 10 lines on the new NAT

I want to bring this back up as I'm not believing this is the correct way.

Let's say I want to PAT port 8000 TCP & UDP. I would have to do the following. There is no shorter way? Since I can't do two NAT statements for both TCP and UDP in the one object. Is this correct? I know it will work, I'm asking is this the best, most efficient way. Is this the Cisco recommended way?

object-group service es1000-services
    service-object tcp destination eq 8000

object network es1000
    host 192.200.202.252

object network es1000-port1-tcp
    host 192.200.202.252
    nat (inside,outside) static 232.232.232.232 service tcp 8000

object network es1000-port1-udp
     host 192.200.202.252
     nat (inside,outside) static 232.232.232.232 service udp 8000

Hello,

Yes, this is the correct way to configure this in ASA 8.3. As you noted, there is no way to combine these into a single NAT statement.

There is an enhancement request filed (CSCte96293) to allow us to configure multiple NAT statements under the same object, though this has not been implemented as of yet.

Hope that helps.

-Mike

Thanks for the reply. I was hoping I was wrong or missing a shortcut.

Guess I'll sit tight and hope Cisco fulfills that feature request ASAP.

How about this?

object network es1000

    host 192.200.202.252

object service tcp8000

  service tcp destination eq 8000

object service udp8000

  service udp destination eq 8000

nat (outside,inside) source static any any destination static interface es1000 service tcp8000 tcp8000

nat (outside,inside) source static any any destination static interface es1000 service udp8000 udp8000

which is still more elaborate than pre-8.3 syntax, because we have to define the objects, but still there are not multiple objects for the same host.

H