See the diagram below, it shows my scenario and the NAT behaviour I'm trying to accomplish on ASA 9.x. Hopefully it is possible!
I'm hoping you can clarify my understanding around ASA 9.x NAT behaviour and egress interface selection. As I understand it, any twice-NAT rule will override a route-lookup and send the translated packet on its way out the mapped interface. So if you have dual-ISPs and a pair of NAT rules like below, the second one will never get hit.
nat (dmz,isp1) after-auto source dynamic host1 interface nat (dmz,isp2) after-auto source dynamic host1 interface
Similar behaviour seems to occur for egress traffic based on a pair of unidirectional static NAT entries, like below. The egress traffic from host1 to www will always be redirected to the isp1 interface by the NAT engine. In fact, ASDM doesn't allow the following rules to both be active at the same time - I'm not sure why in this case.
nat (isp1,dmz) source static www www destination static interface isp1 host1 service SIP-5060 unidirectional nat (isp2,dmz) source static www www destination static interface isp2 host2 service SIP-5060 unidirectional
So I'm wondering what the proper method is to represent hosts as different public IPs depending on which ISP the traffic flows through? Can anyone provide a sample config that matches all the desired behaviours in the diagram above?
Thanks in advance.
By default the ASA will use the egress interface that is specified in the NAT rule to send traffic. So you are correct in that only the first NAT rule will be matched in your scenario.
However, if you add the route-lookup command at the end of the NAT statements and then have an ip sla that tracks the state of the links and with two default routes point out their respective ISP interface, the NAT rule will look at the routing table and decide where to forward the traffic based on the routing table and not the configured egress interface of the NAT rule.
Please remember to select a correct answer and rate helpful posts
Thanks for your response. I had previously understood the route-lookup option only applies to identity NAT rules, but I'll give that a go tonight for the outbound rules.
I'm not sure how to correctly solve my problem for inbound traffic flows though? ADSM throws an error in the example dNATs in my original post complaining that it can't bind the ports for the second NAT rule, though the CLI will take it without error.