Hi Chris,

Yeah, R81.20 Take 26 (cluster).

I think just ignore the line where I said I have other gateways...  I was simply saying here to compare to other cases with dual ISP where I can still access the NAT address on the second/standby line with no problem - but it's not working on this particular gateway.

This of this case evolution as:

• I have a single gateway with a single ISP line.  (ISP-A)
• Static NAT assigned to an internal host - from the ISP-A subnet.
• Then I add an additional ISP line - ISP-B.
• I make ISP-B the "primary" Internet circuit and change the Default Gateway on the firewall to use ISP-B.
• I configure ISP Redundancy in HA mode, with ISP-B at the top of the list.
• Once I do that, people on the Internet can no longer access the server via the NAT on ISP-A.  Tcpdump shows traffic coming in on the ISP-A interface, getting to the internal host, but then returning via ISP-B and the connection doesn't work.
• SYN in through one interface...  SYN-ACK back via a different interface.  Asymmetric routing.

So my question was how can I keep things working when it has a static NAT on the other ISP line?

Or in other words - how can I make inbound traffic arriving on the ISP-A interface also return out of the ISP-A interface so I don't get asymmetric routing?

Thanks @Lesley.  This seems interesting but I suspect it isn't what I need.  I think my issue relates to getting return/reply traffic back out of the interface it arrived at.  My interpretation of that SK is for packets initiated from the LAN outbound.  In my case packets are initiated from the Internet inbound, which arrive fine, but the reply traffic leaves from a different interface.

So SYN comes into ISP-A on eth0, but the SYN-ACK leaves via eth1 (the new ISP line, and new Default Gateway).  How do I get the SYN-ACK to return via eth0 instead, to avoid asymmetric routing?

I'm assuming that's my issue here because once the default gateway is set to ISP-B, none of the NAT's on ISP-A work any more.  If I add a static route to my Internet test machine via ISP-A then I can access everything normally again.  So it seems stateful reply traffic is following the routing table and breaking the connections.   While ISP-B is default, I simply need a way to still be able to access NAT's on ISP-A.

Maybe if I hide NAT behind the ISP-A interface IP on the way in that would work?  It's horribly messy, but worth a try.

Hmmm could it be it is because the setup is in HA mode? Instead of 50/50? 

Maybe check this out, many tips there to verify:

https://support.checkpoint.com/results/sk/sk61692

If you are running load-sharing:

https://support.checkpoint.com/results/sk/sk34812

Hide NAT should be configured. Every connection without Hide Address Translation will not be included in the ISP Redundancy routing and go through the default primary gateway. 

Good job @madu1