"Invalid Object in Source of Address Translation Rule #" when installing / verifying policy
This is caused by trying to create a manual NAT rule which translates a whole network to a single IP while the NAT method is set to "Static".
The "Static" NAT method is for 1:1 translations only (host:host, network:network) whereas the "Hide" NAT method is for 1:many translations (host:network).
The rule contains a group of type "Group with exclusion".
A group of type "Group with exclusion" is not supported in the NAT rulebase.
To hide a whole network behind a single IP, you need to use "Hide" as the NAT method. To change it, follow this procedure:
- Right-click the translated host.
- Select "NAT method..." from the drop-down menu.
- Choose "Hide".
Note: You can tell which NAT method is being used by looking at the lower-right side of the translated object. For "Static", there is a red "S"; for "Hide", there is a red "H".
If the rule contains a "Group with exclusion", delete the group and rebuild it as a "Simple Group" object.
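A pre-install check for the two conditions described above, as an added example that is not Check Point code. The rule dictionaries, their field names and the sample addresses are a constructed format assumed for illustration, not an export from the management server.

```python
import ipaddress

# Constructed sample rules (hypothetical layout, documentation address ranges).
SAMPLE_RULES = [
    {"rule": 1, "method": "static",
     "source": {"type": "network", "cidr": "10.1.0.0/24"},
     "translated": {"type": "host", "cidr": "203.0.113.10/32"}},
    {"rule": 2, "method": "hide",
     "source": {"type": "network", "cidr": "10.1.0.0/24"},
     "translated": {"type": "host", "cidr": "203.0.113.10/32"}},
    {"rule": 3, "method": "static",
     "source": {"type": "network", "cidr": "10.2.0.0/24"},
     "translated": {"type": "network", "cidr": "198.51.100.0/24"}},
    {"rule": 4, "method": "hide",
     "source": {"type": "group-with-exclusion"},
     "translated": {"type": "host", "cidr": "203.0.113.11/32"}},
]

def address_count(obj):
    """Number of addresses covered by a host or network object."""
    return ipaddress.ip_network(obj["cidr"], strict=True).num_addresses

def check_rule(rule):
    """Return a list of findings for one manual NAT rule (empty if clean)."""
    findings = []
    for field in ("source", "translated"):
        if rule[field]["type"] == "group-with-exclusion":
            findings.append(
                f"{field}: 'Group with exclusion' is not supported in the "
                "NAT rulebase; rebuild it as a simple group")
    if findings:
        return findings  # sizes cannot be compared for unsupported objects
    src_n = address_count(rule["source"])
    dst_n = address_count(rule["translated"])
    # Static is 1:1 only (host:host, network:network of equal size).
    if rule["method"] == "static" and src_n != dst_n:
        findings.append(
            f"static NAT maps {src_n} source addresses to {dst_n}; "
            "use the 'Hide' method to put a network behind a single IP")
    return findings

def lint(rules):
    """Map rule number -> findings, for rules that would fail verification."""
    report = {r["rule"]: check_rule(r) for r in rules}
    return {num: f for num, f in report.items() if f}

if __name__ == "__main__":
    for num, findings in lint(SAMPLE_RULES).items():
        print(f"rule {num}: " + "; ".join(findings))
```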
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.