
Binding crypto map to two interfaces

mawallace
Level 1

I have the following setup in mind:

Site 1

Inside network 192.168.0.0

Outside interface (connected to main link) 1.1.1.1

Backup interface (connected to ISP) 2.2.2.2

Site 2

Inside network 192.168.1.0

Outside interface (connected to main link) 3.3.3.3

Backup interface (connected to ISP) 4.4.4.4

What I would like is to:

i. Normally create IPsec between the two sites using the links on the "outside interface" between 1.1.1.1 and 3.3.3.3

ii. Create a 2nd rule, so if the "main" link is down that it uses the link 2.2.2.2 and 3.3.3.3

Any ideas how this could be achieved using a single ASA 5510 at each site? I thought of creating a single map with multiple peers at site one, using static mapping to tell the ASA to direct traffic for 2.2.2.2 via the 2nd interface, but when I come to bind the crypto map I realise that each rule can only be bound to one interface.

I have the same situation but in reverse at site two.

2 Replies

cmite
Level 1

Hello... since it looks like you have two interfaces on the ASA and two ISPs perhaps you can use IP SLA per the link below.

http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx

Here's another link with a PIX that shows how to configure the interfaces (global) and NAT.

Hope it helps.

Sorry... I re-read this and realize your ASA is the vpn terminating device. I used the IP SLA with a vpn router behind the ASA.
