New Member

Static configuration in ASA


If we need to access a single "inside" server ( from two different static IP addresses from two different ISP2.

For example  --> IP1_from_ISP1

also    --> IP2_From_ISP2

This is to achieve ISP level redundancy.

Is it possible to have two "static" entries for the same IP? I am not sure, and most likely it is not possible.

Each ISP link is terminated on a separate router. But we have only one firewall ( Active + failover - logically a single device). How can we go about this situation? From each ISP we have a pool of 16 static IP addresses.
Do we need additional devices in between the routers and firewall for source NAT or destination NAT before it hits the firewall outside interface?

What I feel is that we require to source_NAT and also Dest_NAT the packets coming from ISP2 before those reach the "outside" of firewall.

So for example packet reaching "outside" of  firewall from ISP2 router will have Destination IP same as that of packets those arriving from ISP1. This will work fine for our single static entry in firewall.  But now packets from ISP2 are also source_Nated or PATED before reaching the "outside" interface of firewall.

So when packets are coming back from Firewall packets with particular Destination IP will be routed to ISP2 routers remaining all will be sent to ISP1 router.

Here is ISP2 IP packets ( first NAT Device SAY R2 )

Source -

Destination - ( internal server IP address from ISP2 perspective  )

First change the Destination IP to from to  ( we have static entry for to  internal server IP -- on ASA )

In next device packet will be ( Second NAT device  SAY R3)

source --

destination -

here we change source IP  to and forward the packet to outside of firewall

So packet on firewall outside --

source --

target :

On firewall will return this packet it will ALWAYS have source as and target as Thus we can route this traffic to Device R3 which will send the packet back to R2 and then to ISP2 with corresponding NAT and PAT on each router.

For ISP1 there is no need for an additional device in between router and firewall.

This seems to be a very lengthy solution.

If there is any other solution, please share the experience.
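The double-NAT path described in the post above, traced hop by hop as an added example that is not part of the original post. All addresses are constructed (RFC 5737 / RFC 1918 ranges), and the R3 PAT address and port numbering are assumptions made for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

# Constructed addresses, not taken from the original post.
IP1, IP2 = "192.0.2.10", "203.0.113.10"  # server's public address at ISP1 / ISP2
SERVER = "10.0.0.5"                       # inside server behind the ASA
R3_PAT = "172.16.0.3"                     # address R3 hides ISP2 clients behind

class R3:
    """Second NAT device: source PAT, keeping state so replies can be reversed."""
    def __init__(self):
        self.table, self.next_port = {}, 20000
    def inbound(self, p):
        self.next_port += 1
        self.table[self.next_port] = (p.src, p.sport)
        return p._replace(src=R3_PAT, sport=self.next_port)
    def outbound(self, p):
        src, sport = self.table[p.dport]
        return p._replace(dst=src, dport=sport)

# R2 (first NAT device): rewrite the ISP2 address to the one the ASA static covers.
def r2_inbound(p):   return p._replace(dst=IP1) if p.dst == IP2 else p
def r2_outbound(p):  return p._replace(src=IP2) if p.src == IP1 else p
# ASA: the single static entry IP1 <-> SERVER.
def asa_inbound(p):  return p._replace(dst=SERVER) if p.dst == IP1 else p
def asa_outbound(p): return p._replace(src=IP1) if p.src == SERVER else p
# ASA outside routing: only the PAT address points at R3, everything else at ISP1.
def asa_next_hop(p): return "R3" if p.dst == R3_PAT else "ISP1 router"

def round_trip_via_isp2(client, sport, dport=443):
    """Return (packet seen by server, ASA next hop for reply, reply seen by client)."""
    r3 = R3()
    at_server = asa_inbound(r3.inbound(r2_inbound(Pkt(client, sport, IP2, dport))))
    reply = asa_outbound(Pkt(at_server.dst, at_server.dport,
                             at_server.src, at_server.sport))
    return at_server, asa_next_hop(reply), r2_outbound(r3.outbound(reply))

if __name__ == "__main__":
    for step in round_trip_via_isp2("198.51.100.7", 51000):
        print(step)
```

The packet that reaches the server carries R3's PAT address as its source, so firewall and server logs for ISP2 traffic record that address rather than the real client's; the NAT table on R3 becomes the only place the mapping can be recovered.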



New Member

Re: Static configuration in ASA

Hi Subodh,

Yes, there is a much easier solution to this, via static policy NAT.

supposing that the internal ip address of the host which should be accessible by 2 different ip address from outside is; create two access-lists on the firewall as follows:

access-list isp1 permit ip host any

access-list isp2 permit ip host any

now we can map this with two static NAT statements:

static (inside,outside)    access-list isp1

static (inside,outside)    access-list isp2

Along with this you will open the necessary ports on the outside access-list for both the external ip addresses. 

This would work. Please follow this link if you didn't get my example:

Please contact me for any further help.