I get a good laugh from reading this article regarding Cisco PIX/ASA devices and Cisco Security Manager.
"With its heritage as a NAT device, the ASA carries a fair amount of configuration baggage.
Cisco has not done a good job of bringing the NAT policy and firewall policy together.
Indeed, the complexity of this issue is such that the Cisco engineers who helped install our
system didn't get the NAT policy right the first time around."
"In some cases, that's good; in others, it's not as good, because
some of the ugliness of the structure of the old PIX code is being carried forward. Take NAT
management, for example. It is disconnected from firewall policy and is so confusing that
even the gurus from Cisco who helped us with our installation got it wrong."