Hi Aref,

Thanks for the reply and feedback.  Maybe I can clarify further.  The source is a mobile device connected to a mobile router (Mobile Gateway Router) configured and connected with a cellular SIM from Verizon.  The mobile device behind the MGR is configured to talk to a server inside the network via the public IP address of ISP1, so the destination configuration of the mobile device is the public IP address of ISP1 (for this example 1.1.1.1).  The communication path as shown in the diagram is from mobile device to the MGR to the cellular carrier to the Egress port on the firewall E 0/0 with the IP address provided by ISP 1 when it hits the Egress port of the firewall it gets NAT’d to the inside IP address of the inside server TMAPP (192.168.x.x) on port 5050 as shown in the example above. 

The goal is to replace ISP1 with ISP2, but it will take some time to touch all the mobile devices and change the IP address destination to the new public IP address of ISP2 (for this example 2.2.2.2), therefore some mobile devices will be configured with destination of 1.1.1.1 and others will be configured with the new address 2.2.2.2 until all device configurations are changed, we will have to keep both ISPs.  All mobile devices will need to communicate to the same server with actual address of 192.168.x.x.  So, both outside ports E0/0 and E0/2 will have to NAT the traffic on the same port 5050 to the same server? 

Not sure if I complicated this more than it needs to be or it makes sense?  The best thing to do is a cold cutover and switch the ISP providers, but unfortunately it will take few weeks to re-configure all the mobile devices with the new IP address destinations and that is why I wanted to do this translation over time until all mobile devices are changed and then will drop ISP1.

Thanks,

Hi Aref,

Unfortunately, the mobile device I have does not support or work with FQDN, I have to use an IP address only.  I thought the ASA is smart enough to know where the traffic came from so the return traffic takes the same path.  Are there any other options? How about using dynamic or overloading NAT?  If there is no other option, maybe I will have to temporary use a second firewall but not a preference?  Thanks for the help.

have you consider a defautl floating route. this could be easy way going forward

interface Ethernet0/0
 nameif Outside1
 security-level 0
 ip address 1.1.1.1 255.255.255.192
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.x.x.x 255.255.255.0
!
interface Ethernet0/2
nameif Outside2
 security-level 0
 ip address 2.2.2.2 255.255.255.192
!
static (Inside,Outside1) udp interface 5050 TMAPP 5050 netmask 255.255.255.255  
!
static (Inside,Outside2) udp interface 5050 TMAPP 5050 netmask 255.255.255.255
!
route Outside1 0.0.0.0 0.0.0.0 next-hop
route Outside2 0.0.0.0 0.0.0.0 next-hop 10

now if Ouside1 cutover the Outside2 route will kick in.

ASA does have this function.

@skhader you could use this link here the confiuration using the back interface with ip-sla. hope this will help you

Yes the ASA has the SLA monitor and tracking functionality but not to return the traffic out of the interface it was received on.

@skhader I agree with @Aref Alsouqi initial response, the ASA would only route the return traffic via the default route, there can only be one active and the ASA (afaik) is not intelligent to know which interface the traffic came in on. Failover of default routes I don't think will help.

Perhaps during cutover phase, if you know the source IP addresses define static routes via the other interface (ISP2), leaving the default route via ISP1 for the existing communication. Once the migration is complete, you can then change the default route via ISP2.

Thank you Rob and everyone else helping.  I will try a couple of suggestions and ideas presented here and test.  Thank yo all again for your help.