object network [name]
Defines or modifies a network object for use in NAT, ACLs, or other policies on Cisco ASA.
Overview
The 'object network' command on Cisco ASA defines a network object that represents a single host, a subnet, a range of IP addresses, or an FQDN. These objects are the building blocks of Network Address Translation (NAT), access control lists (ACLs), and other security policies. By abstracting addresses into named objects, administrators simplify configuration, improve readability, and make changes safer: if a server's IP changes, only the object definition is updated, not every rule that references it. The command enters object configuration mode, where you set the address with the 'host', 'subnet', 'range', or 'fqdn' subcommand. An object can also carry a 'description' and, for Auto NAT, a 'nat' subcommand that defines a static or dynamic translation for that object. In troubleshooting, verifying the object definitions is the first step when NAT or an ACL does not behave as expected. Objects hold IPv4 or IPv6 addresses (IPv6 from ASA 9.0), are stored in the running configuration, and can be grouped into object-groups for more complex policies. Understanding object network is essential for CCNP Security candidates because it underpins NAT and firewall rule configuration.
When to Use This Command
- Define a host object for static NAT of a single internal server.
- Create a subnet object for dynamic PAT of an entire internal network.
- Define a range object to serve as a dynamic NAT or PAT pool of mapped addresses.
- Create an FQDN object for a dynamic external resource.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | WORD | A unique, case-sensitive name (up to 64 characters) for the network object; letters, digits, hyphens and underscores are safe choices. The name is how NAT rules, ACLs and object-groups reference the object. |
Command Examples
Define a host object for static NAT
object network WEB_SERVER
 host 10.1.1.10
Creates an object named WEB_SERVER whose address is the single host 10.1.1.10. No output on creation.
Define a subnet object for dynamic PAT
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
Creates an object named INSIDE_NET representing the subnet 10.1.1.0/24. Note the subnet mask; ASA does not accept wildcard masks here. No output.
Define a range object
object network RANGE_POOL
 range 10.2.2.10 10.2.2.20
Creates an object named RANGE_POOL covering the addresses 10.2.2.10 through 10.2.2.20 inclusive.
Define an FQDN object
object network EXT_SERVER
 fqdn example.com
Creates an object named EXT_SERVER that the ASA resolves to the current address(es) of example.com. Resolution needs DNS configured on the ASA ('dns domain-lookup' on an interface and a 'dns server-group' with name-servers); until the name resolves, the object matches nothing. FQDN objects are intended for ACLs, not for NAT rules.
Understanding the Output
The 'object network [name]' command only enters object configuration mode; it prints nothing. The 'host', 'subnet', 'range', or 'fqdn' subcommand that follows sets the object's address, and entering a new address subcommand replaces the previous one. To view defined objects, use 'show running-config object network [name]' or 'show object network [name]'. The output shows the object name followed by its type (host, subnet, range, fqdn) and the associated address, exactly as configured: 'object network WEB_SERVER' followed by 'host 10.1.1.10' appears as the line 'object network WEB_SERVER' and, indented beneath it, 'host 10.1.1.10'. An fqdn object shows only the name; the addresses the ASA has resolved for it are visible with 'show dns'. A healthy object has the address you expect; typical problems are a missing address line (the object exists but is empty), a typo in the IP, or the wrong mask.
Configuration Scenarios
Static NAT for a Web Server
A company has a web server at 10.1.1.10 that must be accessible from the internet via public IP 203.0.113.10.
Topology
Internet --- ASA (outside: 203.0.113.1) --- Inside (10.1.1.0/24) --- Web Server (10.1.1.10)
Steps
- 1.Define the real object for the web server.
- 2.Define the mapped object for the public IP.
- 3.Configure static NAT between the two objects.
- 4.Allow inbound traffic with an ACL.
! Define real object
object network WEB_SERVER
 host 10.1.1.10
! Define mapped object
object network WEB_SERVER_PUBLIC
 host 203.0.113.10
! Configure static NAT (manual NAT, real -> mapped)
nat (inside,outside) source static WEB_SERVER WEB_SERVER_PUBLIC
! Allow inbound traffic. On ASA 8.3 and later the access rule matches the
! real (untranslated) address, so reference the real object, not the public IP
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 80
access-group OUTSIDE_IN in interface outside
Verify: Use 'show nat' (or 'show nat detail') to confirm the rule and its hit counts; 'show xlate' to see the translation; then simulate an outside client with 'packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80', which should end in ALLOW and show the NAT phase rewriting the destination to 10.1.1.10. Finally test from a real outside host.
Watch out: Ensure the mapped IP is not used elsewhere (in particular it must not be the outside interface's own address unless you intend port forwarding through it). Since ASA 8.3 the ACL must permit traffic to the real IP (10.1.1.10); a rule written for the mapped IP 203.0.113.10, as was correct before 8.3, never matches and inbound connections are silently dropped.
Dynamic PAT for Internal Network
Internal users on 10.1.1.0/24 need internet access via PAT using the outside interface IP.
Topology
Internet --- ASA (outside: 203.0.113.1) --- Inside (10.1.1.0/24) --- Users
Steps
- 1.Define the internal network object.
- 2.Configure dynamic PAT using interface IP.
- 3.Allow outbound traffic with an ACL (if needed).
! Define internal network
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
! Configure dynamic PAT behind the outside interface address
nat (inside,outside) source dynamic INSIDE_NET interface
! Optional outbound ACL. ASA ACLs take subnet masks, not wildcard masks, and
! binding an ACL to the inside interface replaces the implicit permit from a
! higher- to a lower-security interface, so list everything inside hosts may reach
access-list INSIDE_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
Verify: Use 'show nat' to see the NAT rule and its translate_hits; 'show xlate' to see per-connection PAT entries (source 10.1.1.x mapped to 203.0.113.1 with a new port); 'packet-tracer input inside tcp 10.1.1.50 40000 8.8.8.8 80' to confirm the NAT phase selects this rule; then test internet access from an inside host.
Watch out: Interface PAT requires the outside interface to have a routable address, and the source object must actually cover the traffic (a host outside 10.1.1.0/24 is not translated and leaves with its private address). A single PAT address offers a finite number of ports per protocol (roughly 64,000), so a large user population or port-hungry applications may exhaust it; a PAT pool of several mapped addresses is the usual answer.
Troubleshooting with This Command
When troubleshooting NAT issues on Cisco ASA, start by verifying the network object definitions with 'show running-config object network [name]' or 'show object network [name]'. Ensure each object contains the correct IP address or subnet. Common issues include typos in IP addresses, a wrong subnet mask (or a wildcard mask typed where a subnet mask belongs), and referencing an object in a NAT rule or ACL before defining it. Use 'show nat' to display the configured NAT rules and confirm that the object names match; 'show nat detail' also shows the addresses each object currently resolves to and the hit counters. If NAT is not working, check 'show xlate' to see whether translations are being created. For static NAT, ensure both the real and mapped objects exist. For dynamic PAT, verify that the source object matches the traffic source. Also check ACLs that might be blocking traffic; remember that since ASA 8.3 an access rule matches the real address, not the mapped one.
The 'packet-tracer' command is invaluable for simulating traffic and identifying the phase in which a packet is dropped. For example, 'packet-tracer input inside tcp 10.1.1.10 12345 8.8.8.8 80' shows whether NAT is applied and which rule matched. If the object is an FQDN, confirm that DNS resolution works ('show dns', or 'ping' the FQDN from the ASA); an unresolved FQDN object matches nothing. Object names are case-sensitive, so 'Web_Server' and 'web_server' are different objects. Review the NAT order: the ASA evaluates Section 1 (manual NAT) first, then Section 2 (Auto NAT, ordered by object type and prefix length), then Section 3 (manual NAT entered with 'after-auto'), and the first match wins, so an overly broad manual rule can shadow a more specific one. Finally, existing connections keep the translation they were built with; after changing a NAT rule, 'clear xlate' (which drops those connections) makes the new rule take effect for them.
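The checks described in the two scenarios and in the troubleshooting notes above can be automated offline against a saved running-config. The following Python is an added example, not code from the original page or from Cisco: it parses 'object network' blocks out of a constructed config excerpt, answers the "which object covers this address" question, and flags three of the mistakes discussed here: a NAT rule that references an undefined object, a wildcard mask where ASA expects a subnet mask, and an access-list that matches the mapped address of a static NAT instead of the real one. It understands only manual 'nat ... source' rules; the finding text is this example's own wording, not ASA output.

```python
# Added example: an offline linter for ASA object / NAT / ACL consistency.
# The CONFIG excerpt is constructed for this example; the last three rules
# each carry one of the mistakes described on the page.
import ipaddress
import re

CONFIG = """\
object network WEB_SERVER
 host 10.1.1.10
object network WEB_SERVER_PUBLIC
 host 203.0.113.10
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network RANGE_POOL
 range 10.2.2.10 10.2.2.20
object network EXT_SERVER
 fqdn example.com
nat (inside,outside) source static WEB_SERVER WEB_SERVER_PUBLIC
nat (inside,outside) source dynamic INSIDE_NET interface
nat (inside,outside) source dynamic BRANCH_NET interface
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list INSIDE_OUT extended permit ip 10.1.1.0 0.0.0.255 any
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MANUAL_NAT = re.compile(r"nat \(\S+\) source (static|dynamic) (\S+) (\S+)")


def is_netmask(mask):
    """True for a contiguous subnet mask (255.255.255.0); False for a wildcard
    such as 0.0.0.255, which ASA rejects in objects and ACLs."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_objects(config):
    """Return {name: (kind, value)} for every 'object network' block: host and
    subnet become ip_network, range a (first, last) pair, fqdn the name."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = None          # defined, no address line yet
        elif line.startswith(" ") and current:
            kind, *args = line.split()
            if kind == "host":
                objects[current] = ("host", ipaddress.ip_network(args[0]))
            elif kind == "subnet":           # "A.B.C.D M.M.M.M" or "2001:db8::/32"
                net = args[0] if len(args) == 1 else f"{args[0]}/{args[1]}"
                objects[current] = ("subnet", ipaddress.ip_network(net, strict=False))
            elif kind == "range":
                first, last = (ipaddress.ip_address(a) for a in args[:2])
                objects[current] = ("range", (first, last))
            elif kind == "fqdn":             # "fqdn name" or "fqdn v4 name"
                objects[current] = ("fqdn", args[-1])
        else:
            current = None                   # back at global configuration level
    return objects


def object_contains(obj, ip):
    """True if ip lies inside a parsed object; fqdn objects never match offline."""
    kind, value = obj
    ip = ipaddress.ip_address(ip)
    if kind in ("host", "subnet"):
        return ip in value
    if kind == "range":
        return value[0].version == ip.version and value[0] <= ip <= value[1]
    return False


def lint(config):
    """Return the list of findings (one string per problem) for a config."""
    objects = parse_objects(config)
    lines = [ln.strip() for ln in config.splitlines()]
    # Mapped objects of static manual NAT rules, collected first so the ACL
    # check does not depend on where the nat line sits in the config.
    mapped = [(m.group(3), objects[m.group(3)])
              for m in map(MANUAL_NAT.match, lines)
              if m and m.group(1) == "static" and objects.get(m.group(3))]
    findings = []
    for line in lines:
        m = MANUAL_NAT.match(line)
        if m:  # every NAT operand except the 'interface' keyword must be an object
            for name in m.group(2, 3):
                if name != "interface" and name not in objects:
                    findings.append(f"undefined object {name!r}: {line}")
        if not line.startswith(("object network", "range ")):
            for _, mask in re.findall(rf"({IPV4}) ({IPV4})", line):
                if not is_netmask(mask):
                    findings.append(f"wildcard mask {mask}, ASA expects a subnet mask: {line}")
        if line.startswith("access-list"):
            for ip in re.findall(rf"host ({IPV4})", line):
                for name, obj in mapped:
                    if object_contains(obj, ip):
                        findings.append(f"ACL matches mapped address {ip} of {name}; "
                                        f"on ASA 8.3+ it must match the real address: {line}")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

Run against the excerpt, lint() reports the undefined BRANCH_NET object, the OUTSIDE_IN rule written for the mapped address 203.0.113.10, and the wildcard mask in INSIDE_OUT; the first two configured rules pass. Feeding it the output of 'show running-config' from a real ASA works the same way, with the caveat that Auto NAT ('nat' inside an object) and object-groups are not parsed.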
CCNA Exam Tips
Remember that object names are case-sensitive and must be unique.
For manual (twice) NAT, both the real and mapped objects must exist before the 'nat' rule references them; for Auto NAT, configured with the 'nat' subcommand inside the real object, the mapped side can be an object, an inline IP address, or the 'interface' keyword.
Use 'show object network' to verify object definitions quickly.
Common Mistakes
Forgetting to enter global config mode before defining objects.
Using 'subnet' with a wildcard mask instead of subnet mask (e.g., 0.0.0.255).
Re-entering 'object network' with an existing name modifies that object rather than creating a new one, and a new 'host', 'subnet', 'range' or 'fqdn' line replaces the previous address, silently changing every NAT rule and ACL that references the object.
Platform Notes
On Cisco ASA, 'object network' is entered in global configuration mode. Cisco IOS and IOS XE have no 'object network' command: IOS offers 'object-group network' for use in ACLs, and IOS NAT is configured with the 'ip nat' commands (for example 'ip nat inside source static') using inline addresses rather than objects. On ASA 8.3 and later, NAT is object-based and configured with the 'nat' command; earlier releases used the 'nat', 'global', and 'static' commands, and 8.3 also changed access rules to match real rather than mapped addresses, which is why configurations migrated from older releases need their ACLs reviewed. FTD (Firepower Threat Defense) uses a similar object model, but objects and NAT are configured through FMC or FDM rather than the FTD CLI. On ASA, objects can be nested in object-groups for ACLs, and 'fqdn' objects are supported; IPv6 addresses in network objects require ASA 9.0 or later. Always check the ASA version for feature support.