I am setting up a zone-based firewall and NAT for inbound public traffic to internal private IP addresses. I am using a 2911 router with all the security bells and whistles. Do I set the destination as the public address or the private? I found a flow diagram that shows when CBAC happens, but nothing about zone-based.
So you are asking what IP address to use for out to in zone to allow inbound connections from the internet to your web, e-mail or other server on the inside? You should use the public (translated) address of the server in the acl that you will apply in the out to in zone.
Watch the outside to inside table. You can substitue inspect CBAC with inspect ZBF.
Firewall creates session from pre-nat src to post-nat dst.
Let us say we are translating 10.10.10.1 to look like 22.214.171.124 on the internet and it is a webserver
In the out to in zone will have policy-map, class-map and acl
In this acl you would specify
per tcp any host 126.96.36.199 eq 80
Whe you look at the session in the table you will see
session from internet<-->10.10.10.1