I have a case open with the TAC already on this, but I thought I would throw this on the community forums (this is my first post) since there might be others experiencing a similar issue.
I've come to expect being able to translate the source of packets coming from the outside interface towards an inbound host. I've usually had to do that when migrating firewalls, for instance, when the internal host's default gateway was pointed somewhere else than the ASA from which the trafic was coming from. This would effectively hide the external/vpn/etc.. address, and replace it with, e.g. the ASA's inside interface IP. The following is sample code which would achieve this previously:
Remote IPSEC tunnel subnet: 192.168.90.0/23
Local server: 188.8.131.52
ip address 10.10.10.1 255.255.255.0
ip address 184.108.40.206 255.255.255.0
access-list outside_nat_outbound extended permit ip 192.168.90.0 255.255.254.0 host 220.127.116.11
access-list inside_nat0_outbound extended permit ip any 192.168.90.0 255.255.254.0
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp-data 18.104.22.168 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 22.214.171.124 ftp netmask 255.255.255.255
This would effectively change the source of trafic from 192.168.90.0/23 to 126.96.36.199 to the inside interface IP: 188.8.131.52. This config works wonderfully in 8.2, yet upgrading that config to 8.3 yields a broken configuration that doesn't end up changing the source address, and instead leaves it intact.
So far I've had no workaround from the TAC. Either the new NAT engine results in some loss of flexibility, or I can't wrap my head around the solution.
I've already heard "why are you doing this" and "you should instead fix the routing problem". Fact is: this works in 8.2, and so far it doesnt in 8.3. I'm looking for a straight answer whether or not 8.3 simply won't support this configuration any longer.