I am not sure if I completely understand what you were doing in the old software. Are you saying that you used NAT to control which destination IP addresses the servers actually had a translation for, and that for other destination IP addresses the connections would not even be translated and therefore the servers' connections to those would fail?
If you were previously controlling server access to external networks with NAT then I would not really suggest it. You can simply use the interface ACLs for this. Cisco also suggests not relying on NAT configuration to limit/allow your hosts' connectivity.
In the newer software you do have the option to configure DNS lookups on the ASA itself and then use an FQDN as a parameter of ACLs. So instead of an IP address you have an FQDN, and the ASA determines the IP addresses according to that, which it will insert into the ACL.
A rough example configuration could be:
dns domain-lookup outside
dns server-group DefaultDNS
object network GOOGLE
 fqdn www.google.com
access-list INSIDE-IN permit tcp any object GOOGLE eq www
access-list INSIDE-IN permit tcp any object GOOGLE eq https
Ok, so you are basically doing Dynamic Policy PAT for specific connections; no other connections have translations.
Naturally you can configure exactly the same NAT configuration on the new software too if you use the destination IP address rather than the name. As you noticed, you are not able to use the FQDN in the NAT configurations.
Just for example's sake, if you wanted to simulate the above NAT configuration in the new format it would be this:
The above "objects" are named like that for example's sake. They could be something else also. The above configuration should do Dynamic Policy PAT and essentially only translate the source IP address when it's connecting to the specific destination IP address with the specific service/port.
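As an added illustration (not part of Jouni's reply or any Cisco document) of how the two pieces above fit together on 8.3+ software: the FQDN object carries the name-based control in the interface ACL, while the NAT rule is kept simple and destination-independent, since an FQDN object cannot be referenced in a nat statement. Every name, address and port below is an assumption chosen for the example; 10.1.1.10 is a constructed inside server, 198.51.100.53 is a constructed DNS server, and xyz.com stands in for whatever site the server must reach.

```cisco
! --- DNS resolution on the ASA itself (needed for FQDN objects) ---
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! --- Constructed objects for the example ---
object network SERVER-10.1.1.10
 host 10.1.1.10
object network XYZ-FQDN
 fqdn xyz.com
!
! --- Access control lives in the interface ACL, not in NAT ---
! Only TCP/80 and TCP/443 from the server to whatever xyz.com currently
! resolves to is permitted; the explicit deny at the end blocks the rest.
access-list INSIDE-IN extended permit tcp object SERVER-10.1.1.10 object XYZ-FQDN eq www
access-list INSIDE-IN extended permit tcp object SERVER-10.1.1.10 object XYZ-FQDN eq https
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside
!
! --- Plain dynamic PAT for the server; it no longer needs to do the filtering ---
object network SERVER-10.1.1.10
 nat (inside,outside) dynamic interface
```

Two checks are worth making after applying something like this. `show dns` lists what the ASA has resolved for xyz.com and the remaining TTL, and `show access-list INSIDE-IN` shows the resolved addresses expanded under the FQDN entries. If the server's own resolver answers with addresses the ASA has not learned (for instance when the server and the ASA point at different DNS servers, or a large site rotates addresses faster than the TTL the ASA honours), the ACL will drop those connections, so pointing the server and the ASA at the same DNS infrastructure is the usual mitigation.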
If you are not using interface ACLs at all and want to start using them, then I think you would first need to go through the current configurations and confirm where the hosts behind this interface are allowed to connect to and where they should not be able to connect to, and build the ACL based on this and later attach it to the interface.
I imagine that if you have multiple local interfaces on the firewall then the "security-level" value on your current firewall defines towards which interfaces' networks the traffic is allowed from behind this source interface. I would also imagine that you are not doing any NAT between the local interfaces (other than Identity NAT perhaps), so that should not control the local traffic.
In addition to the above I imagine that you would have to go through the external translations to see what is allowed for the hosts, since you are using these NAT configurations to control access.
To be honest, it would simply require work to go through the setup and how it works for you to be able to determine the contents of the ACL needed to achieve the same results as with the current NAT or "security-level" settings.
Thank you Jouni. You have been kind enough to detail every aspect.
Your explanation resolves the NAT using IP. I mentioned it earlier because that was what I had on the older version.
But currently the requirement is to use the URL instead of the IP, since the URL is mapped to multiple IPs and it's not possible to define exact IPs. So we have to define xyz.com and enable the NAT in a way that only when the server tries to communicate with xyz.com over port 80/443 it should be translated and allowed to go out.