Packet flow on ASA 8.3 changed?
In earlier version 8.2 we used to put the permit statement on the mapped interface; however, in OS starting with 8.3, access-list entries should have the real address.
Example
LAN Server/Real (192.168.1.2)
Outside IP/Mapped (202.202.202.202)
Configured NAT
ASA OS 8.2 and earlier
access-list outside_in extended permit ip host 4.2.2.2 host 202.202.202.202
ASA OS 8.3 and later
access-list outside_in extended permit ip host 4.2.2.2 host 192.168.1.2
In the earlier OS, the packet used to come to the outside interface, after which the ACL was checked; if the ACL permits the traffic, the packet flows further to the NAT process.
In the newer OS, the packet comes to the outside interface, after which NAT takes place; once the NAT is done, the mapped IP is changed to the real IP and the ASA checks the ACL. Don't you think that in the newer OS the CPU will be used much more, because every packet with 202.202.202.202 is doing NAT, while I have blocked all IPs and allowed only 4.2.2.2 to access it?
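
An added example, not part of the original post: a small Python check for the upgrade pitfall described above, flagging access-list entries that still name the mapped address and emitting the real-address form expected on 8.3 and later. The mapping table, the third ACL line and the function names are constructed for illustration, and only the `host`/`any` operand forms are parsed.

```python
import re

# Constructed input: the NAT mapping and ACL lines from the post, plus one
# extra constructed entry with a port qualifier.
MAPPED_TO_REAL = {"202.202.202.202": "192.168.1.2"}
ACL_LINES = [
    "access-list outside_in extended permit ip host 4.2.2.2 host 202.202.202.202",
    "access-list outside_in extended permit ip host 4.2.2.2 host 192.168.1.2",
    "access-list outside_in extended permit tcp any host 202.202.202.202 eq 443",
]

# Simplified grammar (assumption): source is "any" or "host X", destination
# is "host X". Subnets, object-groups and other operand forms are reported
# as "unparsed" instead of being guessed at.
ACE = re.compile(
    r"^(access-list\s+\S+\s+extended\s+(?:permit|deny)\s+\S+\s+)"
    r"(any|host\s+\S+)\s+(host\s+)(\d+\.\d+\.\d+\.\d+)(.*)$"
)


def audit_ace(line, mapped_to_real):
    """Return (status, line) where status is 'ok', 'rewrite' or 'unparsed'.

    'rewrite' means the destination is a mapped (translated) address; the
    returned line carries the real address instead.
    """
    m = ACE.match(line.strip())
    if not m:
        return ("unparsed", line)
    prefix, src, host_kw, dst, rest = m.groups()
    if dst in mapped_to_real:
        return ("rewrite", f"{prefix}{src} {host_kw}{mapped_to_real[dst]}{rest}")
    return ("ok", line)


def audit_acl(lines, mapped_to_real):
    """Audit every entry, preserving order."""
    return [audit_ace(line, mapped_to_real) for line in lines]


if __name__ == "__main__":
    for status, line in audit_acl(ACL_LINES, MAPPED_TO_REAL):
        print(f"{status:8} {line}")
```

Entries reported as `unparsed` need manual review, since the check makes no claim about them.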