https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434775#M268867 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding Static NAT for one internal host towards 2 different ISPs should work just fine as long as the connections are only formed from the ISP links towards the internal network. In this case the ASA should be able to use the existing connection and translation formed through the ISP in question to forward the return traffic correctly.</P><P></P><P>However if there is anything that requires the internal host to initiate connection towards the external networks then it will naturally only use the ISP which holds the default route at that point.</P><P></P><P>With regards to your NAT configuration. They seem to be basic Static NAT configurations with Manual NAT.</P><P></P><P>You can configure this with Auto NAT / Network Object NAT also but you just need to configure 2 different NAT as you can hold multiple <STRONG>"nat"</STRONG> statements under one <STRONG>"object"</STRONG></P><P></P><P>So you could have</P><P></P><P><STRONG>object network HOST-ISP-1</STRONG></P><P><STRONG> host <INTERNAL ip=""></INTERNAL></STRONG></P><P><STRONG> nat (inside,isp1) static <PUBLIC ip="" isp1=""></PUBLIC></STRONG></P><P></P><P><STRONG>object network HOST-ISP-2</STRONG></P><P><STRONG> host <INTERNAL ip=""></INTERNAL></STRONG></P><P><STRONG> nat (inside,isp2) static <PUBLIC ip="" isp2=""></PUBLIC></STRONG></P><P></P><P>Maybe you could try the above configurations.</P><P></P><P>If the connections still dont work I would monitor the logs for any blocked connections or other problems.</P><P></P><P>- Jouni</P></BODY></HTML> Sun, 02 Mar 2014 16:50:20 GMT Jouni Forss 2014-03-02T16:50:20Z https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434774#M268866 <P>We recently went from single ISP on our ASA to dual ISPs with failover using object tracking.&nbsp; Dynamic NAT is working great with both ISP.&nbsp; Using this:</P><P></P><P>nat (inf_inside,inf_ISP1) after-auto source dynamic PAT_Networks interface</P><P>nat (inf_inside,inf_ISP2) after-auto source dynamic PAT_Networks interface</P><P></P><P>However static NAT is proving more challenging.</P><P></P><P>BEFORE:</P><P>object network host1<BR />&nbsp;&nbsp;&nbsp; nat (inf_inside,inf_ISP1) static publicIP1_ISP1</P><P></P><P>AFTER:<BR />nat (inf_inside,inf_ISP1) source static host1 publicIP1_ISP1<BR />nat (inf_inside,inf_ISP2) source static host1 publicIP2_ISP2</P><P></P><P>With object NAT it works great no matter which ISP I use.&nbsp; However, to my&nbsp; knowlege I can't use two different NATs using object NAT therefore I setup the two individual NAT statements shown in AFTER section. I also have identical ACLs on both ISP interfaces to allow needed traffic.</P><P></P><P>The host here happens to be a DVR.&nbsp; When using the individual NAT statements the web management page only partly loads or does not load at all.&nbsp; Video clients cannot connect at all.&nbsp; Basically you can see the DVR is kinda there and responding but not working as it should.</P><P></P><P>Is there something I am missing or should be doing differently?</P><P></P><P>Thanks,</P><P>Diego&nbsp; </P> Tue, 12 Mar 2019 03:52:03 GMT https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434774#M268866 tato386 2019-03-12T03:52:03Z https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434775#M268867 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To my understanding Static NAT for one internal host towards 2 different ISPs should work just fine as long as the connections are only formed from the ISP links towards the internal network. In this case the ASA should be able to use the existing connection and translation formed through the ISP in question to forward the return traffic correctly.</P><P></P><P>However if there is anything that requires the internal host to initiate connection towards the external networks then it will naturally only use the ISP which holds the default route at that point.</P><P></P><P>With regards to your NAT configuration. They seem to be basic Static NAT configurations with Manual NAT.</P><P></P><P>You can configure this with Auto NAT / Network Object NAT also but you just need to configure 2 different NAT as you can hold multiple <STRONG>"nat"</STRONG> statements under one <STRONG>"object"</STRONG></P><P></P><P>So you could have</P><P></P><P><STRONG>object network HOST-ISP-1</STRONG></P><P><STRONG> host <INTERNAL ip=""></INTERNAL></STRONG></P><P><STRONG> nat (inside,isp1) static <PUBLIC ip="" isp1=""></PUBLIC></STRONG></P><P></P><P><STRONG>object network HOST-ISP-2</STRONG></P><P><STRONG> host <INTERNAL ip=""></INTERNAL></STRONG></P><P><STRONG> nat (inside,isp2) static <PUBLIC ip="" isp2=""></PUBLIC></STRONG></P><P></P><P>Maybe you could try the above configurations.</P><P></P><P>If the connections still dont work I would monitor the logs for any blocked connections or other problems.</P><P></P><P>- Jouni</P></BODY></HTML> Sun, 02 Mar 2014 16:50:20 GMT https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434775#M268867 Jouni Forss 2014-03-02T16:50:20Z https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434776#M268868 <HTML><HEAD></HEAD><BODY><P> I should have thought about using two objects!</P><P></P><P>Thanks Jouni.&nbsp; I will try later on this week and let you know.</P><P></P><P>Rgds,</P><P>Diego</P></BODY></HTML> Wed, 05 Mar 2014 01:25:49 GMT https://community.cisco.com/t5/network-security/dual-isp-with-static-nat-for-each-isp/m-p/2434776#M268868 tato386 2014-03-05T01:25:49Z