Hi,
I have a very specific requirement as so:
- When an object-group of Source IPs accesses Webserver_1, permit without NAT
- When an object-group of Source IPs accesses Webserver_2, permit without NAT
- When anyone else accesses Webserver_1, then permit without NAT
- When anyone else accesses Webserver_2, then destination NAT to Webserver_1
I thought I could do this with the below:
nat (OUTSIDE,DMZ) source static TRUSTED_NETWORKS TRUSTED_NETWORKS destination static Webserver_1 Webserver_1 no-proxy-arp
nat (OUTSIDE,DMZ) source static TRUSTED_NETWORKS TRUSTED_NETWORKS destination static Webserver_2 Webserver_2 no-proxy-arp
nat (OUTSIDE,DMZ) source static any any destination static Webserver_2 Webserver_1 no-proxy-arp
All requirements are met except requirement 3 ("When anyone else accesses Webserver_1, then permit without NAT"), as connections are dropped due to an Asymmetric NAT reverse path failure.
ACLs will permit all the above traffic.
Sanitised Packet-tracer output below:
#Untrusted source IP: 1.1.1.2
#Webserver_1: 10.0.0.1
#Webserver_2: 10.0.0.2
# I have removed unimportant bits to shorten the output
packet-tracer in OUTSIDE tcp 1.1.1.2 65000 10.0.0.1 443
Phase: 1 Type: ROUTE-LOOKUP
Result: ALLOW
found next-hop 10.0.0.1 using egress ifc DMZ
Phase: 2 Type: ACCESS-LIST
Result: ALLOW
Config:
access-group OUTSIDE_in in interface OUTSIDE
access-list OUTSIDE_in extended permit tcp any object Webserver_1 eq 443
Phase: 3 Type: NAT
Subtype: per-session
Result: ALLOW
Phase: 4 Type: IP-OPTIONS
Subtype:
Result: ALLOW
Phase: 5 Type: FOVER
Subtype: standby-update
Result: ALLOW
Phase: 6 Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (OUTSIDE,DMZ) source static any any destination static Webserver_2 Webserver_1 no-proxy-arp
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have no other NATs configured.