I have PIX behind a router with 2 WAN interfaces. Main interface is for traffic and it fail over if it goes down. I have PBR enabled for traffic from the PIX, it fails over great. In order to allow remote IPSEC sessions I have two static translations on the router to the outside PIX interface. Problem is due to their static nature when I fail over the the backup the outgoing VPN uses the 1st static and not the backup - a problem overcome with Policy NAT for all other traffic. What in essence I need is a "floating" static NAT - no idea if this is possible.

I include a brief config of policy nat in place

ip nat inside source static tcp 192.100.150.1 4500 interface fastethernet0 4500

ip nat inside source static tcp 192.100.150.1 500 interface fastethernet0 500

ip nat inside source static tcp 192.100.150.1 4500 interface Dialer0 4500

ip nat inside source static tcp 192.100.150.1 500 interface Dialer0 500

ip nat inside source route-map ispA interface FastEthernet0 overload

ip nat inside source route-map ispB interface Dialer0 overload

!

route-map ispB permit 10

match ip address 40

match interface Dialer0

!

route-map ispA permit 10

match ip address 40

match interface FastEthernet0

!

route-map IPSEC permit 30

match ip address 110

match interface Dialer0

set interface Dialer0

I know I can probably achieve this usig router-router VPN but the client is keen to keep the PIX and use the router to provide WAN redudancy. If I remove the static it works great if initating IPSEC from the PIX but inbound IPSEC connections will never complete.