In Earlier version 8.2 we used to put permit statment on mapped interface however in OS starting 8.3 access-list entries should have real address .
Lan Server/Real ( 192.168.1.2 )
Outside IP/Mapped ( 188.8.131.52 )
ASA 0S 8.2 and earlier
access-list outside_in extended permit ip host 184.108.40.206 host 220.127.116.11
ASA OS 8.3 and later
access-list outside_in extended permit ip host 18.104.22.168 host 192.168.1.2
In earlier OS packet used to come on outside interface after which ACL was checked , if the ACL permits traffic packets flows further for NAT process
In newer OS packet is coming to outside interface after which NAT is taking place , once the NAT is done mapped ip is changed to real ip and ASA checks for ACL . Dont you think in newer OS CPU will be used much because every packet with 22.214.171.124 is doing NAT while I have blocked all ip and allowed only 126.96.36.199 to access it ?
You are right, with the change to the new NAT-model, there was also the change in the ACL that you mention. One benefit of the new model is that you have less to reconfigure if you change your ISP (and you don't have PI-addresses).
The CPU didn't change that much on my ASAs after upgrading from 8.2 to 8.3 and higher.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...