Just to let you know what I did that I couldn't do with previous ASA versions in my situation. My Situation: Cable-provider (1 IP) -> ASA -> IOS Router -> (W)LAN. My problem with this is that the previous ASA firmwares did not allow you to NAT ip protocol-41 to the inside IOS router without natting ALL traffic to the IOS and loose all additional features of the ASA. So no IPv6! :( Now with 8.3(1) you have additonal NAT options that allow you to specify a source/destination combination per NAT entry. I now have my ASA doing the NATting to the IOS and have the IOS loop the IPv6 traffic natively back to the ASA which will then in turn firewall the traffic natively and offer it back to the LAN. In short: --------- Outside ASA connected to the Internet Inside ASA connected to the IOS router NAT to translate SixXS-Pop to internal address of IOS router. ASA Firewall rule to only allow ICMP and Protocol-41 from the SixXS-Pop. Tunnel interface on the router, using a different VRF to separate unfirewalled IPv6 traffic from the rest. Separate (or Dot1q) link back to the ASA in same VRF as Tunnel interface with addresses from assigned subnet. Outside6 interface on ASA connected to the previous link, native ipv6. Inside interface on ASA with native IPv6 addresses from assigned subnet. ASA Firewall rules to permit/deny native IPv6 traffic from internet to LAN. This of course loops the traffic around, but performance wise I still have been able to get 15+Mbps throughput, so who cares. It's still a test/home network so.... Anyhow, I know have my ASA doing native IPv6, my IOS doing the tunneling and still use 1 public IPv4 IP. Components used: ASA5505 Security Plus license, 8.3(1) release, Cisco 871W Adv IP Services, 12.4(24)T. Regards, Erik