https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27716#M20209 <HTML><HEAD></HEAD><BODY><P>Hi Ctech,</P><P></P><P>NAT needs precise[/32] mask to avoid proxy NAT issue, interface needs real netmask. So, this behavior is expected.</P><P></P><P>I dont see any other way apart from creating two different objects. Else you can specify IP/32 in NAT instead of using object.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 22 Aug 2014 17:10:37 GMT hshah 2014-08-22T17:10:37Z https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27715#M20208 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have an address I would like to represent as an "Address Object".&nbsp; The address is 164.67.80.78 and the netmask is 255.255.255.192.&nbsp; I created an "Address Object" with an "IP Netmask" of 164.67.80.78/26.</P><P></P><P>I used this "Address Object" to set the interface address.&nbsp; Worked great.&nbsp; When I went to setup a bi-directional NAT policy, I needed to specify a "Source Translated Address".&nbsp; This address must be 164.67.80.78/32 and cannot be 164.67.80.78/26.&nbsp; i.e. the "Address Object" I created would not work for the NAT policy.</P><P></P><P>So I created two address objects: one for 164.67.80.78/26 and another for 164.67.80.78/32.&nbsp; I am not happy about the duplication.&nbsp; Is there a better approach?</P><P></P><P>Thank you,</P><P></P><P>Chris</P></BODY></HTML> Fri, 22 Aug 2014 17:06:06 GMT https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27715#M20208 cstech 2014-08-22T17:06:06Z https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27716#M20209 <HTML><HEAD></HEAD><BODY><P>Hi Ctech,</P><P></P><P>NAT needs precise[/32] mask to avoid proxy NAT issue, interface needs real netmask. So, this behavior is expected.</P><P></P><P>I dont see any other way apart from creating two different objects. Else you can specify IP/32 in NAT instead of using object.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 22 Aug 2014 17:10:37 GMT https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27716#M20209 hshah 2014-08-22T17:10:37Z https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27717#M20210 <HTML><HEAD></HEAD><BODY><P>I do agree that this lead to duplicate address objects but bi-directional NAT policy is a static NAT i.e 1-to-1 mapping. Hence the need to specify /32 address.</P><P>This is expected. You would be better off referencing the ip-address itself to avoid duplicate address objects.</P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 22 Aug 2014 21:50:50 GMT https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27717#M20210 tshiv 2014-08-22T21:50:50Z https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27718#M20211 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It is not the duplication of "Address Objects" per se that I am bothered by... it is the duplicate entries of the same IP address.&nbsp; For example, if this IP address were to change, I'd like one central place to make the change.&nbsp; I believe this was the whole idea behind the "Address Objects".</P><P></P><P>It sounds like I should just stick with creating two "Address Objects" for each public NAT IP address.&nbsp; One with the netmask and one without.&nbsp; This way, if the IP were ever to change, I'd have to make two changes (bad) but at least they are both in the same place on the interface (good).</P><P></P><P>Thank you all,</P><P></P><P>Chris</P></BODY></HTML> Fri, 22 Aug 2014 22:27:41 GMT https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27718#M20211 cstech 2014-08-22T22:27:41Z https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27719#M20212 <HTML><HEAD></HEAD><BODY><P>Hi Chris,</P><P></P><P>You can give similar names to address object like "A_Obj_1" &amp;&nbsp; "A_Obj_11", that way it would be easy to change IP for Address Objects.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 22 Aug 2014 23:26:46 GMT https://live.paloaltonetworks.com/t5/general-topics/address-objects-ip-vs-ip-netmask/m-p/27719#M20212 hshah 2014-08-22T23:26:46Z