Cisco FMC/FTD 1:1 NAT with dual ISP redundancy

ATagliani
Level 1

Hi,

I currently have 2 Cisco FTD 2110 devices in a HA pair. Both FTD and FMC are running 6.4.0.3 code.
My primary ISP assigned me a /27 public block (100.100.100.0/27 for example) that is leased to me; I do not own it.

So I was able to implement some one-to-one NAT statements for my Web Servers and everything works fine with that.


BUT now
I would like to add a secondary ISP (200.200.200.0/27 for example) for redundancy only in case primary ISP ever fails.
I understand in the FMC I can implement SLA tracking for the ISP failover monitoring, and that works fine for dual ISP failover/monitoring.
So my question is how would that work with the one-to-one NAT statements, using my primary ISP's block (100.100.100.0/27) that I already have, to access my web servers from outside etc…?

Meaning if a failover ever happens, and the FTDs fail over to the secondary ISP (200.200.200.0/27), how can I get those one-to-one primary NAT statements of (100.100.100.0/27) to carry over to the secondary ISP line?
Is there a way?
Does the second ISP usually route traffic from another ISP like that?

My ISP did respond with this: ISP A will not redistribute another provider's BGP subnets smaller than a /24 (246 IPs) via BGP peering, as it is a stress on the router's memory holding all the routing tables.

 

Is there a solution to make this work, or another way to achieve the same thing, so the outside just needs that one unique IP to access the web servers etc...?

 

Thanks Everyone


georgi.hristov
Level 1

One option would be to use a cloud-based load-balancer (application L4/L7 or DNS load-balancer). You would have to set up each application with two external 1-to-1 NATs (e.g. 100.100.100.5 & 200.200.200.5) so that each application is available via either ISP (regardless of which is primary).

Here are few options: https://geekflare.com/cloud-load-balancer/ 

 

Sorry, if I have a load-balancer, I do not have to do NAT for 2 ISPs?

No, you would not need to do NAT for both ISPs. One NAT statement for traffic from the inside to the outside interface (for example), and the load-balancer would take care of forwarding traffic to the active ISP.

It would be better if you create a new post for your question, as this post is quite old, and you would get a focused response to your issue.

--
Please remember to select a correct answer and rate helpful posts

The best solution is what Georgi has already mentioned: place a load balancer between the ASAs and the ISPs. But if this is not an option you would need to perform a manual failover of the NAT statements. You would need two sets of NAT statements, one for the primary ISP which is active and a second NAT for the secondary ISP which is disabled. When a failover occurs you will need to disable the primary NAT statement and enable the secondary NAT statement. I suppose this might be possible to script.

You will also need to consider DNS lookups (if you have URLs for accessing the servers behind the 1-to-1 NATs). If you have a failover situation you would need to update the IP for these domains.

--
Please remember to select a correct answer and rate helpful posts
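The scripted NAT swap suggested above, as an added example that is not code from this thread or from Cisco: it assumes one FTD NAT policy on FMC holding two manual NAT rule sets (one translating to the primary ISP block, one to the secondary), that the caller has already resolved each rule's translated-source object to its literal address, and that the FMC host, credentials, policy id and rule inventory are placeholders.

```python
"""Flip which ISP's 1:1 NAT rule set is enabled on Cisco FMC after an ISP failover.
Added example, not code from the thread or Cisco. Assumes one FTD NAT policy with two
manual NAT rule sets (primary block vs secondary block); plan_nat_swap() decides which
rules to flip and the FMC REST API (generatetoken, ftdnatpolicies/manualnatrules) applies
it. Host, credentials, policy id and the rule inventory are placeholders/constructed."""
import base64
import ipaddress
import json
import urllib.request

def plan_nat_swap(rules, active_block):
    """Return {rule_id: desired_enabled} so that only rules whose translated (public)
    address lies inside active_block end up enabled. rules: list of {"id", "enabled",
    "translatedIp"}; translatedIp is the literal address behind the rule's translated-source object."""
    net = ipaddress.ip_network(active_block)
    changes = {}
    for r in rules:
        want = ipaddress.ip_address(r["translatedIp"]) in net
        if bool(r.get("enabled", True)) != want:
            changes[r["id"]] = want
    return changes

def fmc_login(host, user, password, ctx=None):
    """POST generatetoken; the token and domain UUID come back as response headers."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
                                 method="POST", headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:  # ctx: ssl context trusting the FMC CA
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]

def set_rule_enabled(host, token, domain, policy_id, rule_id, enabled, ctx=None):
    """GET the manual NAT rule, flip 'enabled', PUT the full object back.
    This only stages the change; a deployment request to the FTD pair must follow."""
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain}/policy/ftdnatpolicies/"
           f"{policy_id}/manualnatrules/{rule_id}")
    hdrs = {"X-auth-access-token": token, "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdrs), context=ctx) as resp:
        rule = json.load(resp)
    rule["enabled"] = enabled
    for k in ("links", "metadata"):  # read-only keys, usually stripped before a PUT
        rule.pop(k, None)
    req = urllib.request.Request(url, data=json.dumps(rule).encode(), headers=hdrs, method="PUT")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["enabled"]

if __name__ == "__main__":
    # Constructed inventory: web server 10.1.1.5 has one 1:1 rule per ISP block.
    rules = [{"id": "rule-a", "enabled": True, "translatedIp": "100.100.100.5"},
             {"id": "rule-b", "enabled": False, "translatedIp": "200.200.200.5"}]
    print(plan_nat_swap(rules, "200.200.200.0/27"))  # {'rule-a': False, 'rule-b': True}
```

The planner is idempotent, so it can be run from whatever SLA/monitoring hook detects the ISP failure; the external DNS records still have to be changed separately, as noted above.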

ATagliani
Level 1

Thanks all. Is there any other way besides the above?

Is it that we just need to get a /24?

Or we just do a PAT to the new ISP for outbound only and the 1-to-1 NATs cannot be migrated?

 

Thanks.

Is there any other way besides the above?

No there isn't unfortunately

Is it that we just need to get a /24?

I am not sure what you mean by this. If you are thinking about DNS, there is no amount of IPs that will prevent you from having to change the global DNS records, unless you have set up a different domain for the standby.

Or we just do a PAT to the new ISP for outbound only and the 1-to-1 NATs cannot be migrated?

The NAT rules can be configured at the same time but depending on how you have the NAT configured you can get unexpected behaviour.  That is why the standby rules should be disabled and then manually enabled when a failover situation happens.

--
Please remember to select a correct answer and rate helpful posts

georgi.hristov
Level 1

>>> Is it that we just need to get a /24?

Some ISPs still have sufficiently large blocks of reserved IPs, which they are willing to lease. If you are able to provide sufficient justification for a /24 block of public IPs to be allocated to you, you will have one of the requirements needed to implement the design.

 

To be able to advertise a /24 block of IPs to two ISPs, you will need the following:

1. /24 or larger block of IPs

2. Register a public ASN with ARIN

3. Letter of authorization from the owner of the IP block allowing you to advertise the /24 via your ASN

4. Letter of authorization from the owner of the IP block allowing your uplink ISPs to propagate the BGP prefix  (this can be combined with #3)

5. Request BGP peering with each one of your ISP providers (usually higher tier of service to support BGP)

5.1 Decide if you will be accepting full routing table, partial routing table, or just default route from each ISP

6. Setup your internet edge router(s)/firewall(s) to BGP peer with your two ISP providers 

6.1. Setup BGP routing preferences for primary and backup ISP

 

--
Please remember to select a correct answer and rate helpful posts

georgi.hristov
Level 1

>>> Is there any other way besides the above?

You either have to have a /24 block of public IPs (as described above in my post) or use the cloud-based load-balancer. If your company is smaller or has a smaller IT department, the cloud-based load-balancer solution is much easier to support long-term as it requires much simpler on-premises infrastructure. You will be able to change your ISPs more easily as web site users will be going to your load-balancer public IPs. The down-side is that a cloud-based load-balancer will have additional cost.

 

--
Please remember to select a correct answer and rate helpful posts

georgi.hristov
Level 1

>>> Or we just do a PAT to the new ISP for outbound only and the 1-to-1 NATs cannot be migrated?

 

I am not sure how this option provides a solution for high availability to your Web Servers.  You will be using two ISPs and two circuits, but each ISP circuit will be used for two different use cases (i.e. outbound for office users and inbound for Web Servers) and both ISP circuits will not be providing automatic failover to each other.  

 

--
Please remember to select a correct answer and rate helpful posts

Panos Bouras
Level 1

Hi @georgi.hristov 

If it's possible, place a router in front of your deployment and do NAT there along with SLA and some scripting for failover, so on the FTD you'll only have to deal with the access policy, not NAT.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

georgi.hristov
Level 1

Hey @Panos Bouras

 

You bring a really good point.  In networking there is always yet another way to do things. Thank you for jogging my brain. 

 

Moving the ISP#1 and ISP#2 internet circuits to a Cisco router does give us some additional flexibility and programmability with IPSLA, trackers, and EEM scripts. The configuration can get pretty complex (depending on one's Cisco routing experience), but it should be possible to make the NAT and default route changes needed for failover.

 

The last piece would be to address the external DNS changes so that external users are accessing Web Servers via their new public IPs (NAT-ed on the router). Cisco routers support Dynamic DNS with various providers (http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/811-cisco-router-ddns.html)  

 

In this case the FTD firewall(s) would simply be responsible for inspecting and filtering the traffic. 

 

This is not the easiest option by far, as it requires multiple configuration pieces to all work together. Troubleshooting will also require more in-depth knowledge and experience. If the OP gets this configuration working, it would be nice if he could post it back here for others.

 

--
Please remember to select a correct answer and rate helpful posts

 

Panos Bouras
Level 1

Hi @georgi.hristov 

 

I'm no DNS expert; the external DNS could point to 2 IPs (you can play with the priority and weight of each record), one for each ISP, but I'm not sure how the client connection will work as this is an application behavior design, e.g. how it would use the 2 records returned by the DNS.

From your side, just make sure that your HTTPS certificate will match that DNS response in case you use a different FQDN; a wildcard or multi-SAN certificate should work.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Panos Bouras
Level 1

Additionally, if you have BGP peering with your ISPs then just ask them to send a default route, change the weight for your preferred one and let BGP handle HA for you. I assume that this is enough and more secure than trying to SLA track an IP via ICMP. Your NAT could be based on a route map and I believe that this way there's no need to have EEM, as you can match on source IP and destination interface per NAT rule.

Just be aware that during failover you might get issues with clients already connected, as the reply could come from a different IP.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

ATagliani
Level 1

Thanks everyone for responding with great explanations! Appreciate it.
