Cisco ASA for Nexus 1000V Series Switch Installation Guide

Cisco ASA 5500 Migration to Version 8.3
OL-22176-01
Real IP Addresses in Access List Migration
When using NAT or PAT, mapped addresses and ports are no longer required in an access list for several 
features. You should now always use the real, untranslated addresses and ports for these features. Using 
the real address and port means that if the NAT configuration changes, you do not need to change the 
access lists.
Features That Use Real IP Addresses
The following commands and features now use real IP addresses in the access lists. All of the access-list 
commands used for these features are automatically migrated unless otherwise noted. For access lists 
that use network object groups (the object-group network command), the IP addresses within the object 
group are migrated to the real IP addresses.
  • access-group command
  • Modular Policy Framework match access-list command
  • Botnet Traffic Filter dynamic-filter enable classify-list command
  • AAA aaa ... match commands
  • WCCP wccp redirect-list group-list command
Note
The WCCP wccp redirect-list group-list command is not automatically migrated. The 
WCCP access list is downloaded after startup, so automatic migration cannot occur. You 
need to manually change the wccp redirect-list group-list command to use an access list 
with the real IP address.
For example, previously, if you wanted to allow an outside host to access an inside host that used NAT, 
you applied an inbound access list on the outside interface using the access-group command. In this 
scenario, you needed to specify the mapped address of the inside host in the access list because that 
was the address that could be used on the outside network. Starting in 8.3, you need to specify the 
real address in the access list.
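The following check is an added example, not part of the Cisco guide. It covers both the inbound access list scenario above and the WCCP note: it scans a post-upgrade configuration for access list entries that still match a mapped address and marks those referenced by wccp, which are not migrated automatically. The configuration, object and access list names, and addresses are constructed sample values, and only host objects with static object NAT are handled.

```python
import re

# Constructed post-upgrade configuration; names and addresses are sample values.
SAMPLE_CONFIG = """\
object network inside-web
 host 10.1.1.5
access-list outside_in extended permit tcp any host 10.1.1.5 eq www
access-list wccp_redirect extended permit tcp any host 209.165.201.5 eq www
object network inside-web
 nat (inside,outside) static 209.165.201.5
access-group outside_in in interface outside
wccp web-cache redirect-list wccp_redirect
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def static_nat_map(config):
    """Return {mapped_ip: real_ip} for host objects with static object NAT."""
    hosts, mapped, name = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # top-level command: enter or leave an object block
            name = words[2] if words[:2] == ["object", "network"] and len(words) == 3 else None
        elif name and len(words) == 2 and words[0] == "host":
            hosts[name] = words[1]
        elif name and words[:1] == ["nat"] and "static" in words[:-1]:
            target = words[words.index("static") + 1]
            if IPV4.match(target):  # skip mapped addresses given as object names
                mapped[name] = target
    return {mapped[n]: hosts[n] for n in mapped if n in hosts}

def wccp_acl_names(config):
    """Access lists referenced by wccp redirect-list / group-list."""
    names = set()
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["wccp"]:
            names.update(a for k, a in zip(words, words[1:]) if k in ("redirect-list", "group-list"))
    return names

def acl_entries_using_mapped(config):
    """Return (acl, mapped_ip, real_ip, used_by_wccp) for entries matching a mapped address."""
    nat, wccp = static_nat_map(config), wccp_acl_names(config)
    findings = []
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["access-list"]:
            for kw, ip in zip(words, words[1:]):
                if kw == "host" and ip in nat:
                    findings.append((words[1], ip, nat[ip], words[1] in wccp))
    return findings
```

On the sample, outside_in already uses the real address and is not reported, while wccp_redirect is reported with the real address it should match instead.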
ASDM
Real IP addresses are now used in the following features instead of mapped addresses:
  • Access Rules
  • AAA Rules
  • Service Policy Rules
  • Botnet Traffic Filter classification
  • WCCP redirection