I've got an interesting situation, although I can't imagine it's unique. We have 2 ISP's coming into a location terminating on 2 ASA's.
One ASA is translating a /28 to a few internal web/ftp/miscellaneous hosts (basically our public IP presence for all of internal corporate stuff) and also acting as the default internet gateway and L2L vpn peer for a few other sites...
The OTHER ASA is /28 from a different ISP hosting our customer facing stuff - and specifically OUR MAIL server. The two firewall thing is preventing us from peak efficiency and preventing us from taking some other initiatives, in addition to being plain inefficient - so we're going to merge the configs, use the 2nd ISP as a backup default gateway - but this introduces a serious problem with our mail system.
If we do this without careful consideration, mail from us will leave our firewall from the OTHER ISP connection. When it goes through an ironport, iPrism, barracuda or other anti-spam device, it will perform a reverse lookup on the "from" IP and discover that the sending domain doesn't match - which automatically makes our messages spam and they will usually not reach the customer.... so now the question...
I know how to do this with a policy route on a router - but how do I FORCE traffic from a specific source to ALWAYS leave a specific firewall interface, REGARDLESS of destination? It is as simple as a source NAT of some kind? We have a static that maps the public IP to the NLB cluster IP for the mail cluster, and that's great for established tcp sessions. I'm confident that in a dual ISP config, sent mail - where the traffic originates from a mail server - will just go out the default gateway subject to that global nat policy.
**ALSO** the idea that we use the mail server as the default gw is a no go as the whole point is to keep our internet traffic off of the connection our mail is coming in on.
I guess I should also mention that this is an 8.4 setup - so it's the version with the crazy "new style" nat statements. I'm concerned that the simple object nat config that's in place right now on the 2nd firewall will not be enough to force the mail traffic *originating from the mail server* to a random destination (another mail server out there usually) over the appropriate connection.