I have a scenario where a customer is looking at two ASAs in active/standby and using two ISPs, each with different subnets. ISP A is used as the default route out to the internet and ISP B is used as a backup; however, traffic is still able to come from outside to inside via ISP B.
What I want to confirm is this: if traffic is initiated from the outside from ISP B to inside, will the connection table know that the return traffic should go back out through ISP B, or will the return traffic use the default route out through ISP A?
The Configuration Guide lists some information related to the routing decision.
Most of it mentions only the part where an inbound connection to an IP address that has a NAT configuration is forwarded according to the NAT configuration.
The last section would to my understanding mean that the NAT configuration determines that the return traffic is also forwarded correctly.
For outbound connections from the same host, to my understanding, the routing table would be referenced for the forwarding decision, as there is (presumably) no NAT for the destination addresses which would affect the situation.
Egress Interface Selection Process
The selection process follows these steps:
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The ASA processes this packet by looking up the route to select the egress interface, then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.
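The three selection steps and the closing paragraph quoted above can be checked by stepping through them for the dual-ISP scenario in the question. The following Python model is an added example written for this thread; it is not Cisco code and not the ASA's actual implementation. It assumes constructed addresses (inside host 192.168.10.50 with a static translation to 203.0.113.50 on the ISP A interface and to 198.51.100.50 on the ISP B interface, outside hosts in 192.0.2.0/24), and it adds one modelling assumption not spelled out in the quoted steps: the reply direction of an already established connection reuses the interface pair recorded when the first packet was processed. Source NAT for outbound connections is noted but not modelled.

```python
"""Toy model of the ASA egress interface selection steps (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    real_ip: str     # inside host address
    mapped_ip: str   # address presented on the mapped (outside) interface
    real_if: str     # interface the real host sits behind
    mapped_if: str   # interface on which mapped_ip is reachable


class Asa:
    def __init__(self, routes, static_nats):
        # routes: (prefix, egress interface); longest prefix match, 0.0.0.0/0 is the default route
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.static_nats = list(static_nats)
        self.xlates = {}   # (mapped_ip, mapped_if) -> StaticNat, created on first use (step 2)
        self.conns = {}    # (src, real_dst) -> (ingress_if, egress_if) of the first packet

    def route_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

    def _static_for(self, mapped_ip, mapped_if):
        return next((n for n in self.static_nats
                     if n.mapped_ip == mapped_ip and n.mapped_if == mapped_if), None)

    def egress(self, src, dst, ingress):
        """Return the egress interface chosen for a packet src->dst arriving on `ingress`."""
        # Step 1: a destination-translating XLATE already exists -> egress comes from the XLATE
        nat = self.xlates.get((dst, ingress))
        if nat is None:
            # Step 2: no XLATE but a static translation matches -> egress from the static rule,
            # an XLATE is created, routing table not consulted
            nat = self._static_for(dst, ingress)
            if nat is not None:
                self.xlates[(dst, ingress)] = nat
        if nat is not None:
            real_dst, eg = nat.real_ip, nat.real_if
        else:
            real_dst = dst
            conn = self.conns.get((dst, src))
            if conn is not None:
                # Modelling assumption: the reply to an established connection leaves through the
                # interface the original packet arrived on (the recorded ingress interface)
                eg = conn[0]
            else:
                # Step 3: no destination translation -> routing table selects the egress interface
                # (source NAT would be applied afterwards; not modelled here)
                eg = self.route_lookup(dst)
        self.conns.setdefault((src, real_dst), (ingress, eg))
        return eg


def build_demo():
    """Constructed dual-ISP setup: ISP A is the default route, ISP B is reachable for inbound only."""
    routes = [
        ("0.0.0.0/0", "ispA"),
        ("192.168.10.0/24", "inside"),
        ("203.0.113.0/24", "ispA"),
        ("198.51.100.0/24", "ispB"),
    ]
    static_nats = [
        StaticNat("192.168.10.50", "203.0.113.50", "inside", "ispA"),
        StaticNat("192.168.10.50", "198.51.100.50", "inside", "ispB"),
    ]
    return Asa(routes, static_nats)


def scenario():
    """Walk the question's traffic through the model; returns (description, egress) pairs."""
    asa = build_demo()
    return [
        ("inbound via ISP B to mapped address", asa.egress("192.0.2.7", "198.51.100.50", "ispB")),
        ("reply from inside host to that client", asa.egress("192.168.10.50", "192.0.2.7", "inside")),
        ("new outbound connection from same host", asa.egress("192.168.10.50", "192.0.2.99", "inside")),
        ("reply arriving via ISP A to mapped address", asa.egress("192.0.2.99", "203.0.113.50", "ispA")),
    ]


if __name__ == "__main__":
    for description, egress_if in scenario():
        print(f"{description:45s} -> {egress_if}")
```

Running it shows the two halves of the answer side by side: the connection that entered via ISP B is answered out of ISP B because the XLATE and connection entry, not the routing table, decide, while a fresh outbound connection from the same host has no destination translation and follows the default route to ISP A.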