Showing results for 
Search instead for 
Did you mean: 

ASA-5500 with double NAT

Level 1
Level 1

ASA-5510, inside, outside, and some DMZ.

Some services published with Static NAT - no problem.

Now we need to add a second outside connection, with a second provider.

Internet navigation only through the first provider (default gateway to the provider router "A").

I need to publish some services ALSO through the second provider, ensuring the accessibility of both public IP addresses.

I can set up the second NAT on the second interface, but the answer is ONLY to the first IP (the ISP "A", where I have the default gateway).

By Cisco manual, it seems that there is a "lookup route" automatic with the return route of NAT, but it does not work.

Any idea?

6 Replies 6

Level 3
Level 3


You need a default route for the second ISP with a lower metric.


route primary x.x.x.x 1

route secondary x.x.x.x 200

I hope it helps,,


I had already thought of such a thing

And if it was so easy I did not need to ask the forum ...


I think you won't be able to make responce to the outside go throug the same interface as request came in. Responce will always go through the route with lowest metric. I.e. your internal resources, wich you public to the internet will be available to outside world though two IP's, each corresponting to certain ISP, but responces to that requests will always go through the one of those.

If you had your own AS, you would be able to advertise your IP to both providers and there'll be no problem, but it's not your case.

One thing you can do is dynamically translate all requests from outside to some inside IP (outside-to-inside policy nat). For each outside interface you can assign dynamic NAT rules, wich will be translating requests to specific inside IP, corresponding to each interface. In that case, by looking at xlate talbe ASA will be able to distinguish to wich interface it should send traffic


What is the ASA software you are using?

Was your purpose to direct certain services (http/https) through the original ISP


To host services on the other one?

- Jouni


The ASA is running

The purpose for the "double" NAT is to have TWO ways for access to certain public services



I'll see if I can do some labing related to this later this evening.

Reason for this is that we never handle 2x ISPs on the ASA directly. Both ISPs are connected to the same interface and routing/traffic control is done elsewhere in the core.

Again something to test out of curiosity.

I'll let you know how it goes.

- Jouni

Review Cisco Networking for a $25 gift card