11-21-2011 03:13 PM - edited 03-11-2019 02:53 PM
Hi all, I'm trying to add a second global address to my ASA 5510 (version 8.0(2)) for clients on a specific subnet. Since it's production I'd rather not experiment. I'd like anyone with a 10.255.255.x address to get the 172.16.0.1 (sanitized, obviously) public address. Will adding this work?
access-list guestVlanPolNat line 1 extended permit tcp 10.255.255.0 any
nat (inside) 2 access-list guestVlanPolNat
global (outside) 2 172.16.0.2
I already have the following in my config:
global (OUTSIDE) 1 172.16.0.1
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
Thanks,
Bill
11-21-2011 04:00 PM
Hello Bhogue,
You can do the following
nat (inside) 1 0 0
nat (inside) 2 10.255.255.0
global (outside) 1 interface
global (outside) 2 172.16.0.1
The Nat order or priority is:
Nat 0 with ACL (Nat exemption)
Static
Policy nat
Dynamic nat.
In this case we will be using Dynamic Nat for both of them, but the more specific one is going to take place first, so if a packet comes from 10.255.255.x it will be matched to global (outside) 2.
Hope this helps,
Please rate helpful posts.
Julio
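As an added illustration of the precedence Julio lists above (this is not code from the thread or from Cisco), here is a small Python model of how a pre-8.3 ASA picks the translation for an inside-to-outside packet, applied to the rules in this thread. The contents of the "nonat" ACL and the static entry are constructed assumptions; the dynamic rules and global pools are the ones Bill posted.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network


@dataclass
class NatConfig:
    exempt: list    # nat (inside) 0 access-list nonat  -> [(src_net, dst_net), ...]
    static: dict    # static (inside,outside) global local -> {local_ip: global_ip}
    policy: list    # nat (inside) N access-list X        -> [(nat_id, src_net, dst_net)]
    dynamic: list   # nat (inside) N net mask             -> [(nat_id, src_net)]
    globals: dict   # global (outside) N addr             -> {nat_id: pool_address}


def lookup(cfg, src_ip, dst_ip):
    """Return (phase that matched, translated source) in ASA evaluation order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption (nat 0 with ACL) wins outright: the source is left untouched.
    for s_net, d_net in cfg.exempt:
        if src in s_net and dst in d_net:
            return ("nat 0 exemption", str(src))
    # 2. Static one-to-one translations come next.
    if src_ip in cfg.static:
        return ("static", cfg.static[src_ip])
    # 3. Policy NAT: first ACL entry that matches, in configuration order.
    for nat_id, s_net, d_net in cfg.policy:
        if src in s_net and dst in d_net:
            return ("policy nat id %d" % nat_id, cfg.globals[nat_id])
    # 4. Dynamic NAT: the most specific subnet wins, NOT the lowest nat id,
    #    which is why nat (inside) 2 10.255.255.0/24 beats nat (inside) 1 0 0.
    matches = [(s_net.prefixlen, nat_id) for nat_id, s_net in cfg.dynamic if src in s_net]
    if not matches:
        return ("no match (dropped under nat-control)", None)
    _, nat_id = max(matches)
    return ("dynamic nat id %d" % nat_id, cfg.globals[nat_id])


# Constructed rule set mirroring the thread; the nonat ACL and static entry are assumed.
THREAD_CFG = NatConfig(
    exempt=[(Net("10.0.0.0/8"), Net("192.168.100.0/24"))],   # assumed 'nonat' content
    static={"10.1.1.10": "172.16.0.10"},                      # assumed, for illustration
    policy=[],
    dynamic=[(1, Net("0.0.0.0/0")), (2, Net("10.255.255.0/24"))],
    globals={1: "172.16.0.1", 2: "172.16.0.2"},
)

if __name__ == "__main__":
    for s in ("10.255.255.15", "10.1.2.3", "10.1.1.10"):
        print(s, "->", lookup(THREAD_CFG, s, "4.2.2.2"))
```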
11-22-2011 12:26 PM
Hi Julio
This is what I have now:
global (OUTSIDE) 1 172.16.0.1
global (OUTSIDE) 2 172.16.0.2
nat (inside) 0 access-list nonat
nat (inside) 2 10.255.255.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
I'm still getting all traffic from the 10.255.255.0 network translated to 172.16.0.1. Do I need to swap the nat (inside) 1 and nat (inside) 2 statements?
11-22-2011 04:37 PM
Hello,
Did you clear the xlate and local host tables?
I did a lab recreation and I got it working as expected, taking the global (outside) 2 ip add.
If you do a packet-tracer like this, what do you get? (Please provide the output.)
packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80
Regards,
Julio
11-23-2011 07:14 AM
Hi Julio,
I did clear xlate and clear local and even rebooted the firewall last night. Looking at the packet-tracer output (excellent tool BTW, will keep that one) it looks like the address should be translated correctly however when I go to a "what is my IP" site (I've tried a couple) they still return the nat (inside) 1 global address.
# packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 2 (172.16.0.2)
translate_hits = 860, untranslate_hits = 2
Additional Information:
Dynamic translate 10.255.255.15/1025 to 172.16.0.2/1038 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 2 (172.16.0.2)
translate_hits = 860, untranslate_hits = 2
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 262028, packet dispatched to next module
Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.0.254 using egress ifc OUTSIDE
adjacency Active
next-hop mac address 000f.8f42.a7c0 hits 139739
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
11-23-2011 07:40 AM
I figured out the problem. Your initial configuration was correct. Our web filter (Barracuda, inline between LAN and ASA) was making it appear that all outgoing traffic was coming from the filter. What is strange is that when I looked at the logs in the ASDM log viewer, they show the translation occurring correctly even though outside sites reported the public IP as 172.16.0.1.
6 | Nov 23 2011 | 10:29:58 | 305011 | 10.255.255.10 | 50582 | 172.16.0.2 | 1024 | Built dynamic TCP translation from inside:10.255.255.10/50582 to OUTSIDE:172.16.0.2/1024 |
Thanks again for your help.
11-23-2011 09:37 AM
Hello,
Great to hear that now everything is working.
Hope you have a great day,
Julio