Re: OT: ASA Dual VPN Tunnel

From: Terjéki Gábor (terjeki.gabor@gmail.com)
Date: Thu Jul 24 2008 - 04:04:48 ART


Hi,

With ASA itself you won't be able to perform load sharing. Redundancy
can be done easily however.
For the latter, simply add another peer address to the crypto map (to
resolve if remote site loses primary ISP link), and a floating
static, to resolve local ISP loss.

If you happen to have a L3 device in front of the ASA (on the inside),
you might be able to do load sharing. Never tried it yet, but it may
work as follows:
Two static routes on the L3 device, one towards the ASA, the other to a
loopback interface. On the loopback, do a static destination NAT, and
then this new (virtual) subnet shall be routed towards the ASA. On it
perform a static (inside, isp2) to another virtual subnet.
On the remote site do the same.

With this the ASA shall have two pairs of SAs, on two interfaces, one
between the real, the other between virtual subnets. The actual load
sharing will be performed by the L3 device behind the ASA.

Though this may need to be double-checked to see if this will work as
expected, I think it should. Still as you may see, this is not really
an official version, just a hack to make it work.

On second thought it may be even easier with GRE tunnels terminated on
the two L3 devices (different source interface for both), as it would
relieve you from using such complex NAT.

hth,
Gabor

On Wed, Jul 23, 2008 at 6:16 PM, Ina&Laurean <ina.laurean@gmail.com> wrote:
> Hi GS,
> Has anyone built a solution with two VPN tunnels between two ASA appliances?
> What I am looking to do is to use two ISP lines at each location and build a
> VPN tunnel over each ISP line for redundancy and load sharing.
>
> Thanks,
> Laurean
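Gabor's redundancy recipe (a second peer address in the crypto map plus a floating static) written out as an ASA 8.0-style configuration; this is an added example, not from the thread. Interface names, the 10.1/10.2 inside subnets and all public addresses are constructed RFC 5737 documentation values, and the SLA-tracked primary route is an assumed addition so the primary default route is actually withdrawn when the ISP fails upstream of the link, not only on link-down.

```cisco
! Added example (not from the original thread): ASA 8.0-style redundant
! site-to-site tunnel as described above. All addresses are constructed
! RFC 5737 documentation values; interface names are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Floating static: the backup default route only takes over when the
! primary is withdrawn (metric 254 vs 1). Track the primary with an SLA
! probe so it is removed on local ISP loss, not only on interface down.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Remote site's two public addresses (constructed) as the peer list: the
! ASA tries the first, then the second once DPD declares it dead.
access-list L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address L2L
crypto map VPNMAP 10 set peer 192.0.2.10 192.0.2.130
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
! Same map bound to both egress interfaces so the tunnel can rebuild
! from whichever one currently holds the default route.
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! One tunnel-group per remote peer address; DPD keepalives drive failover.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.130 type ipsec-l2l
tunnel-group 192.0.2.130 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
```

NAT exemption for the inside subnets and the remote ASA's mirror configuration (listing 203.0.113.10 and 198.51.100.10 as its peers) are left out; the pre-shared key is a placeholder.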



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART