So I'm setting up an ASA active/standby pair running 7.2.2. The desired configuration is to have two internal networks ("DMZ1" and "DMZ2" in this discussion) and two ISP connections ("Outside1" and "Outside2" in this discussion).
I've already read the "Redundant or Backup ISP Links Configuration Example" (located here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml) and it seems pretty straightforward. The section that troubles me is:
"This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document."
Is there a way to make inbound connectivity work with two inbound connections set up like the example from the link above? From an inbound perspective, the ASA will be terminating VPN connectivity and doing some static translations to hosts on the "DMZ1" and "DMZ2" networks. The "Outside1" interface will be active unless it fails. I've got the tracking configured so that the default route moves to the "Outside2" interface if the primary connection fails. Is there any documentation on how to change the static translations and VPN setup to operate properly if this failover occurs?
Please let me know if I need to clarify any of my questions. Thanks,
NAT decisions are made after the routing for outbound packets. So it will match the NAT statement for the outbound interface that is being used.
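To make the reply's point concrete, here is an added example configuration in ASA 7.2 syntax (not from the thread, the linked Cisco document, or either poster). It uses the interface names from the question; every address, object name and port is a constructed placeholder (RFC 5737 documentation ranges for the two ISPs, RFC 1918 space for the DMZs). Because routing selects the egress interface before NAT is applied, each outside interface needs its own `global` and its own `static`, and inbound permits are written against the translated address, which is what a pre-8.3 outside ACL matches.

```cisco
! Interfaces (names from the thread; addresses are constructed examples)
interface Ethernet0/0
 nameif Outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.248 standby 192.0.2.3
!
interface Ethernet0/1
 nameif Outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
 nameif DMZ2
 security-level 50
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
!
! Tracked default route: probe ISP1's gateway through Outside1; when it stops
! answering, the tracked route is withdrawn and the higher-metric Outside2 route takes over.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface Outside1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route Outside1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route Outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Dynamic outbound PAT: one global per outside interface under the same nat id.
! The routing lookup chooses the egress interface; the global on that interface is then used.
global (Outside1) 1 interface
global (Outside2) 1 interface
nat (DMZ1) 1 10.1.1.0 255.255.255.0
nat (DMZ2) 1 10.1.2.0 255.255.255.0
!
! Static translations are bound to an (inside,outside) interface pair, so the same
! DMZ host needs one static per ISP. 192.0.2.10 is an ISP1 address, 198.51.100.10 an
! ISP2 address (both constructed).
static (DMZ1,Outside1) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (DMZ1,Outside2) 198.51.100.10 10.1.1.10 netmask 255.255.255.255
!
! Inbound permits on each outside interface, written against the translated address
! (pre-8.3 behaviour). Only the listed service is exposed.
access-list outside1_in extended permit tcp any host 192.0.2.10 eq https
access-group outside1_in in interface Outside1
access-list outside2_in extended permit tcp any host 198.51.100.10 eq https
access-group outside2_in in interface Outside2
!
! Site-to-site VPN: the same crypto map can be applied to both outside interfaces,
! and ISAKMP must be enabled on each. Remote peers still need to know both addresses.
crypto map outside_map interface Outside1
crypto map outside_map interface Outside2
isakmp enable Outside1
isakmp enable Outside2
```

The caveat follows directly from the reply: the routing decision comes first. While the tracked route still points at Outside1, a session that arrives on Outside2 has its return traffic routed out Outside1, where the Outside2 static does not apply, so the second static and ACL only carry traffic during the window in which the default route has actually moved to Outside2. Verify the failover with `show route` and `show track 1` after pulling the Outside1 link, and confirm the active translation with `show xlate`.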