Hi Rene,
a question regarding those statements:
•When you create an ACL statement for inbound traffic (lower to higher security level) then the destination IP address has to be: ◦The translated address for any ASA version before 8.3.
◦The real address for ASA 8.3 and newer.
•The access-list is always checked before NAT translation.
If the ACL is checked first, does the dest IP not have to be the NAT´d IP then?
Cause the ASA looks at the packet and compares it to the ACL. In the packet we still have the NAT´d IP and therefore we would need to specify the NAT´d IP in the ACL, or not?
Cause otherwise the ACL wouldn’t match the packet!?
Thanks
Florian