Tuesday, May 31, 2011

How To Upgrade A Cisco ASA To The 8.3 Code

OK, this was an ASA upgrade to 8.3 code from 8.2(2). This went pretty smoothly, but I had to learn the hard way on one thing in particular. First thing, the static NATs do change. And thankfully, it does this conversion itself (at least from 8.2(2) to 8.3(2)). It basically does this:
In 8.2(2) code:
static (inside,outside) tcp 1.1.1.1 www 192.168.1.5 www netmask 255.255.255.255

In 8.3(2) code:
object network obj-192.168.1.5
 host 192.168.1.5

object network obj-192.168.1.5
 nat (inside,outside) static 1.1.1.1 service tcp www www

Now, which looks easier? To me, the PRE-8.3 code looks easier. Anyway, now on to the thing I learned the hard way: the ACL for the static NATs, meaning the outside ACL coming in (in this case). In the PRE-8.3 code, you had to specify the public IP address you were trying to hit on the outside. So, if you were trying to hit the public IP of 1.1.1.1 (like in the example above), you would have the following ACL:
In 8.2(2) code:
access-list 107 extended permit tcp any host 1.1.1.1 eq www

However, if you are in the 8.3 code, you are going to have to change from the external IP address (as shown above) to the internal address (as shown below):
In 8.3(2) code:
access-list 107 extended permit tcp any host 192.168.1.5 eq www
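
To find these ACL entries before the upgrade instead of during the outage, the rewrite described above can be scripted against a saved 8.2 config. This is an added example, not part of the original post; the function names and the sample config are made up for illustration, and it assumes host statics (netmask 255.255.255.255) and ACL entries whose destination is written as `host X`.

```python
import re

# Pre-8.3 static: static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+))"
                       r" netmask 255\.255\.255\.255")
# ACL permit entry whose destination is "host X", optionally followed by "eq PORT"
ACL_RE = re.compile(r"^(access-list \S+ extended permit (\S+) .*? host )(\S+)( eq (\S+))?\s*$")

# Constructed sample config (not from a real device)
SAMPLE_CONFIG = """\
static (inside,outside) tcp 1.1.1.1 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 smtp 192.168.1.6 smtp netmask 255.255.255.255
static (inside,outside) 1.1.1.2 192.168.1.7 netmask 255.255.255.255
access-list 107 extended permit tcp any host 1.1.1.1 eq www
access-list 107 extended permit tcp any host 1.1.1.1 eq smtp
access-list 107 extended permit tcp host 203.0.113.9 host 1.1.1.2 eq https
access-list 107 extended permit icmp any any
"""

def parse_statics(config):
    """Map (proto, mapped_ip, mapped_port) -> (real_ip, real_port); None fields for plain static NAT."""
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group(3):  # port redirection: one public IP can front several inside hosts
            proto, mapped, mport, real, rport = m.group(3, 4, 5, 6, 7)
            table[(proto, mapped, mport)] = (real, rport)
        else:
            table[(None, m.group(8), None)] = (m.group(9), None)
    return table

def convert_acl(config):
    """Return (old_line, new_line, note) for each ACL entry that points at a mapped address."""
    table, changes = parse_statics(config), []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        prefix, proto, dst, port = m.group(1), m.group(2), m.group(3), m.group(5)
        hit = table.get((proto, dst, port)) or table.get((None, dst, None))
        if hit:
            real, rport = hit
            note = "check port" if rport and rport != port else ""  # flag for manual review
            changes.append((line.strip(), prefix + real + (m.group(4) or ""), note))
    return changes

if __name__ == "__main__":
    for old, new, note in convert_acl(SAMPLE_CONFIG):
        print(f"- {old}\n+ {new} {note}")
```

The lookup is keyed on protocol, mapped address and port because two port-forwarding statics can share one public IP and point at different inside hosts, as the www and smtp lines in the sample do.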

So, if you are going to do an upgrade to the 8.3 code, then keep these things in mind. You will certainly want to be prepared for downtime should something not go right. In the case of this upgrade, I did have some downtime because I didn't prepare for the ACL changes, which took me about an hour to go through on this larger config. Just a few notes from this experience.