Here's the logical topology:
(The diagram doesn't appear correctly in the forum: ASA has three interfaces (outside, nlb, primary); ISA has two interfaces (isa nlb, isa primary); isa nlb is connected to ASA nlb; isa primary is connected to ASA primary.)
We want to use the NLB NIC (using a VIP) for inbound requests only and utilize the other "Primary" NIC for outbound traffic (ISA-initiated as well as return traffic) - this is the NLB setup recommended by Microsoft. Thus, the Primary NIC has a higher priority (lower metric) than the NLB NIC on the host. The problem would be the NAT/PAT on the ASA. Would something like this be possible?
!--- For outbound
access-list policy_nat1 extended permit ip host 192.168.3.21 any
static (primary, outside) 188.8.131.52 access-list policy_nat1
!--- For inbound request
access-list outside_access_in extended permit tcp any host 184.108.40.206 eq 80
static (nlb, outside) 220.127.116.11 172.20.20.11 netmask 255.255.255.255
access-group outside_access_in interface outside
What I am curious about is how the ASA would interpret the return traffic from the host. For inbound traffic, the xlate would've been set up between the ASA's outside address and the NLB, but the return traffic would have the Primary NIC's address as the source due to the lower metric. My initial thought was that this would not work, but I currently don't have management access to the ASA and can't test the scenario.
Thanks for the help.
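The following is an added example, not part of the original post and not Cisco code: a deliberately simplified model of a stateful firewall with static NAT, written to show why the asymmetric return path in the question is expected to fail. It assumes the ASA tracks each TCP connection keyed by the real (inside) address and interface that created it, drops non-SYN packets that match no connection, and that the inbound static maps 220.127.116.11 to 172.20.20.11 on the nlb interface while the outbound policy static maps 192.168.3.21 on primary to 188.8.131.52 (the addresses from the posted config). The outside access-list is omitted, the client address 203.0.113.5 is constructed, and the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified stateful firewall + static NAT model (assumption: real ASA
# xlate/conn handling works along these lines; this is illustrative only).


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on ("outside", "nlb", "primary")
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


# conn table key: (real_iface, real_ip, real_port, remote_ip, remote_port)
ConnKey = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self) -> None:
        # static NAT: (real_iface, real_ip) -> mapped address on outside
        self.statics: Dict[Tuple[str, str], str] = {}
        self.conns: Dict[ConnKey, str] = {}

    def add_static(self, real_iface: str, real_ip: str, mapped_ip: str) -> None:
        self.statics[(real_iface, real_ip)] = mapped_ip

    def _real_for_mapped(self, mapped_ip: str) -> Optional[Tuple[str, str]]:
        for (iface, real), mapped in self.statics.items():
            if mapped == mapped_ip:
                return iface, real
        return None

    def process(self, pkt: Packet) -> str:
        return self._from_outside(pkt) if pkt.iface == "outside" else self._from_inside(pkt)

    def _from_outside(self, pkt: Packet) -> str:
        target = self._real_for_mapped(pkt.dst)
        if target is None:
            return "drop: no xlate for destination"
        real_iface, real_ip = target
        key = (real_iface, real_ip, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns:
            return f"allow -> {real_iface} {real_ip}:{pkt.dport}"
        if pkt.flags != "S":
            return "drop: no connection and not a SYN"
        self.conns[key] = "SYN_SEEN"          # inbound SYN builds the conn entry
        return f"allow (new conn) -> {real_iface} {real_ip}:{pkt.dport}"

    def _from_inside(self, pkt: Packet) -> str:
        key = (pkt.iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            mapped = self.statics[(pkt.iface, pkt.src)]
            return f"allow -> outside, src {mapped}:{pkt.sport}"
        if pkt.flags != "S":
            # A reply sourced from an address/interface that never created the
            # conn (the SYN/ACK leaving via the Primary NIC) lands here.
            return "drop: no connection and not a SYN"
        mapped = self.statics.get((pkt.iface, pkt.src))
        if mapped is None:
            return "drop: no xlate for source"
        self.conns[key] = "SYN_SEEN"          # host-initiated SYN builds a conn
        return f"allow (new conn) -> outside, src {mapped}:{pkt.sport}"


def asymmetric_scenario() -> Tuple[str, str, str]:
    """Inbound request to the NLB VIP, then the reply via each NIC."""
    fw = Firewall()
    fw.add_static("nlb", "172.20.20.11", "220.127.116.11")
    fw.add_static("primary", "192.168.3.21", "188.8.131.52")
    client = "203.0.113.5"                    # constructed client address
    inbound = fw.process(Packet("outside", client, 40000, "220.127.116.11", 80, "S"))
    # Reply leaves via the Primary NIC because of its lower metric:
    asym_return = fw.process(Packet("primary", "192.168.3.21", 80, client, 40000, "SA"))
    # Reply sourced from the NLB address, as the existing conn expects:
    sym_return = fw.process(Packet("nlb", "172.20.20.11", 80, client, 40000, "SA"))
    return inbound, asym_return, sym_return


def outbound_scenario() -> str:
    """ISA-initiated connection from the Primary NIC via the policy static."""
    fw = Firewall()
    fw.add_static("primary", "192.168.3.21", "188.8.131.52")
    return fw.process(Packet("primary", "192.168.3.21", 51000, "203.0.113.5", 443, "S"))


if __name__ == "__main__":
    for step in asymmetric_scenario():
        print(step)
    print(outbound_scenario())
```

In this model the inbound SYN creates a connection entry tied to the nlb interface and 172.20.20.11; the SYN/ACK arriving on primary from 192.168.3.21 matches no entry and, not being a SYN, is dropped, while the same reply sourced from the NLB address is allowed and translated back to 220.127.116.11. Host-initiated traffic from the Primary NIC is unaffected, since it creates its own connection through the outbound policy static.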