[c-nsp] ASA 8.x software and ICMP errors...

Jeff Kell jeff-kell at utc.edu
Wed Oct 17 22:08:06 EDT 2012


Have been noticing this for some time but did not consider it worth
pursuing at the time, then recently had to try some traceroutes and
nmaps from off-campus for testing purposes and now it's relevant...

Our internal infrastructure is on private addresses.  We have dynamic
NAT enabled for the outgoing traffic for essentially everything. 
Working just fine, except...

If there is an ICMP error generated by an internal router (admin
prohibited, TTL exceeded, destination unreachable, etc) that we "want"
to pass through, it appears to be going out without NAT applied.  NAT
works for the routers themselves (e.g., telnet, ping, traceroute to
outside work as expected).

I'm seeing this because we have a sanity-check ACL on our border that
ensures the source addresses are within our IP space, and they're
kicking out these ICMP error replies and indicating they are indeed
still sourced from the internal addresses.

I don't recall running into this issue before 8.x...

Ring any bells?

Jeff
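As an added illustration (not part of the post above and not Cisco's or the poster's code), the check below models what the border sanity-check ACL does and what it cannot see. An ACL matches only the outer IP header, so it catches an ICMP error whose outer source is still a private address; but an ICMP error also quotes the header of the datagram that triggered it, and a NAT that handles ICMP errors correctly (per RFC 5508) must rewrite that quoted inner header too, or the remote host cannot match the error to its own probe. The address ranges, packet records and the two egress cases are constructed for the example; `203.0.113.0/24` stands in for the site's public block.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the example (hypothetical, not the poster's real ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3 as the site's public block

# ICMP types that carry a quoted copy of the offending datagram's IP header:
# 3 = destination unreachable (incl. admin prohibited), 11 = time exceeded, 12 = parameter problem.
ICMP_ERROR_TYPES = {3, 11, 12}


@dataclass
class Packet:
    """One outbound packet as seen at the border, after the NAT device."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None
    inner_src: Optional[str] = None  # quoted inner header, ICMP errors only
    inner_dst: Optional[str] = None


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the private ranges that must never leave the border."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def acl_check(pkt: Packet) -> List[str]:
    """What a source-address sanity ACL can decide: it sees the outer header only."""
    return ["outer source not translated"] if is_internal(pkt.src) else []


def check_egress(pkt: Packet) -> List[str]:
    """Full check: the ACL's outer-header test plus the quoted-header test an ACL cannot do.

    For an ICMP error leaving the site, a correct NAT rewrites both the outer source
    (to a public address) and the quoted inner destination (back to the public address
    the remote host originally sent to)."""
    problems = acl_check(pkt)
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
        if pkt.inner_dst is not None and is_internal(pkt.inner_dst):
            problems.append("quoted inner destination not translated")
    return problems


def audit(packets: List[Packet]) -> List[Tuple[int, List[str]]]:
    """Return (index, problems) for every packet a border check would reject."""
    flagged = []
    for i, pkt in enumerate(packets):
        problems = check_egress(pkt)
        if problems:
            flagged.append((i, problems))
    return flagged


# Constructed egress samples. Index 1 is the symptom described in the post: a
# TTL-exceeded reply from an internal router left the site with its private source
# and private quoted destination intact. Index 3 is the subtler case the ACL misses.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "tcp"),
    Packet("10.0.0.1", "198.51.100.5", "icmp", 11,
           inner_src="198.51.100.5", inner_dst="10.1.2.3"),
    Packet("203.0.113.10", "198.51.100.5", "icmp", 11,
           inner_src="198.51.100.5", inner_dst="203.0.113.20"),
    Packet("203.0.113.10", "198.51.100.5", "icmp", 3,
           inner_src="198.51.100.5", inner_dst="10.1.2.3"),
    Packet("203.0.113.10", "198.51.100.5", "icmp", 8),   # echo request, no quoted header
]

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE):
        print(f"packet {idx}: {', '.join(problems)}")
```

Running it flags packet 1 on both counts and packet 3 only on the quoted header, which the ACL alone (`acl_check`) passes. That is the gap to keep in mind when the border ACL goes quiet after a fix: a packet can satisfy the outer-source test and still carry an untranslated inner header, so verifying the NAT behaviour needs a capture of the ICMP payload, not just ACL hit counts.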


