Hello all, I am trying to achieve the following configuration: two inside hosts should connect to the same destination address, but with different source addresses and via different paths. The simplified network diagram is below (".X" means the last octet of the host's IP address on that network; for example, the host ".1" connected to the 192.168.1.0/24 network has IP address 192.168.1.1).

The ASA has three interfaces:

    Gi0/0 - INSIDE to SW
     nameif INSIDE
     security-level 100
     ip address 192.168.1.254 255.255.255.0

    Gi0/1 - OUTSIDE1 to ISP-GW-1
     nameif OUTSIDE1
     security-level 0
     ip address 172.16.1.1 255.255.255.252

    Gi0/2 - OUTSIDE2 to ISP-GW-2
     nameif OUTSIDE2
     security-level 0
     ip address 172.16.2.1 255.255.255.252

Both OUTSIDE interfaces have a simple temporary access-list applied with a "permit ip any any" ACE for testing purposes.

Object configuration:

    object network HOST1
     host 192.168.1.1
    object network HOST2
     host 192.168.1.2
    object network DESTINATION-REAL
     host 10.10.10.10
    object network DESTINATION-MAPPED-1
     host 10.1.1.1
    object network DESTINATION-MAPPED-2
     host 10.2.2.2

NAT configuration:

    nat (INSIDE,OUTSIDE1) source static HOST1 interface destination static DESTINATION-MAPPED-1 DESTINATION-REAL
    nat (INSIDE,OUTSIDE2) source static HOST2 interface destination static DESTINATION-MAPPED-2 DESTINATION-REAL

"show nat detail" output:

    Manual NAT Policies (Section 1)
    1 (INSIDE) to (OUTSIDE1) source static HOST1 interface destination static DESTINATION-MAPPED-1 DESTINATION-REAL
        translate_hits = 4545, untranslate_hits = 5646
        Source - Origin: 192.168.1.1/32, Translated: 172.16.1.1/30
        Destination - Origin: 10.1.1.1/32, Translated: 10.10.10.10/32
    2 (INSIDE) to (OUTSIDE2) source static HOST2 interface destination static DESTINATION-MAPPED-2 DESTINATION-REAL
        translate_hits = 4275, untranslate_hits = 5132
        Source - Origin: 192.168.1.2/32, Translated: 172.16.2.1/30
        Destination - Origin: 10.2.2.2/32, Translated: 10.10.10.10/32

With this configuration I cannot reach the destination from either host: a ping to 10.1.1.1 from HOST1 (the mapped destination for HOST1) and a ping to 10.2.2.2 from HOST2 (the mapped destination for HOST2) do not work.

BUT if I add a route on the ASA to the REAL destination (10.10.10.10) via interface OUTSIDE1 or OUTSIDE2, one of the NAT translations starts to work. For example:

    route OUTSIDE1 10.10.10.10 255.255.255.255 172.16.1.2

With this route, the ping from HOST1 to the destination works.

    route OUTSIDE2 10.10.10.10 255.255.255.255 172.16.2.2

With this route, the ping from HOST2 to the destination works.

So, as I assume, the egress interface is selected by the route lookup and the interface pair in the NAT statement, like (INSIDE,OUTSIDE1), is ignored. But on the ASA you can't add two routes to the same destination simultaneously, and because of that I cannot get this configuration to work. Also, the latest software version for the ASA 5510 is 9.1.x, so I cannot use PBR (it was introduced in 9.4, I believe).

Any advice on how I can select the egress interface via the NAT statement, without a route lookup?