I am trying to figure out the proper configuration for ISP failover on my ASA 5510, here is my scenario:
Currently our primary ISP link is being provided by a consortium for schools, so we have no public IP address on the outside interface of the ASA. The firewall is acting as a router, with no NAT function on that link. We wanted to create a failover link to our cable provider which will give us a public IP on the second outside interface of the firewall, and I have it NATted to the inside interface. When I set up SLA and the first routed link fails, it fails over to the NATted link perfectly and I can see the NAT translations. When SLA fails over again to the primary link, the NAT translations are not removed and internet access breaks until I remove the NAT statements and clear xlate. If anybody has insight on this, or a possible workaround, your input will be greatly appreciated as my head hurts from banging it into a wall.
What version are you running on the ASA?
What about timeout floating-conn?
Julio Carvajal Segura
You could also try to create an identity NAT instead of NONAT if you are running the older code, 8.2 and below... the difference is that one NATs the IP to itself and the latter bypasses the NAT process completely...
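The two suggestions in this thread (the `timeout floating-conn` reply and the identity-NAT reply) put together in one pre-8.3 (8.2-style) ASA configuration, as an added example that is not from any of the posters. Interface names, all addresses (documentation ranges), the SLA probe target and the timer value are assumed placeholders; the identity NAT here is expressed as a static identity NAT scoped to the inside/outside pair, which is one way to read the last reply, and the interface-PAT on the backup link mirrors what the original poster describes.

```cisco
! Added example, not from the thread. Assumes ASA 8.2 (pre-8.3 NAT syntax).
! Primary ISP: routed link, no public address, no translation.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
!
! Backup ISP (cable): public address, inside hosts are PATed behind it.
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
! SLA probe: ping a host that is reachable only via the primary link
! (192.0.2.1 is a placeholder; pick something the primary ISP routes to).
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is withdrawn when the track object goes down;
! the backup default route has a worse metric and takes over.
route outside 0.0.0.0 0.0.0.0 10.255.0.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.9 254
!
! Identity NAT on the primary pair only: inside hosts keep their own
! addresses toward "outside", but the flow is still processed by the NAT
! engine. This is the alternative to a NAT exemption such as
!   nat (inside) 0 access-list NONAT
! which bypasses NAT altogether and is not tied to one egress interface.
static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
!
! Dynamic PAT to the backup interface address for traffic leaving via backup.
nat (inside) 1 10.10.0.0 255.255.0.0
global (backup) 1 interface
!
! Tear down established connections whose egress route has changed, so the
! backup-link xlates do not linger after the primary route returns
! (value is a placeholder; the command is disabled by default).
timeout floating-conn 0:00:30
```

With this layout the only translation that ever builds an xlate is the backup PAT; when the tracked route comes back, `timeout floating-conn` expires the connections that are now on the wrong interface instead of waiting for a manual `clear xlate`. Verify failback with `show xlate` and `show route` after the SLA probe recovers.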