RE: crypto isakmp enable on multiple sub-interfaces

From: Ryan West <rwest_at_zyedge.com>
Date: Tue, 5 Apr 2011 15:33:08 +0000

Waseemullah,

On Tue, Apr 05, 2011 at 11:18:42, Sadiq Yakasai wrote:
> Subject: Re: crypto isakmp enable on multiple sub-interfaces
>
> Makes sense Ryan!
>
>
> On Tue, Apr 5, 2011 at 3:51 PM, waseemullah memon
> <waseemullah.memon_at_gmail.com> wrote:
>
>
> Hi Sadiq,
>
> I intend to use it like below!
>
> crypto isakmp enable g0/0.100
> crypto isakmp enable g0/0.101
>
> where both of the above sub-interfaces are part of outside network
> with security level 0 and 1.
>
>

As Sadiq was mentioning, you'll still be creating a nameif and assigning routes to it. ECMP to two different interfaces for a route is not supported, but you can still set up failover based track and more specific routes with failover to your backup interface. I've configured something similar for ISP failover.

This document is from 8.4 and still has many of the same rules from 7.2:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007

-ryan
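
Added example, not part of the original message: a sketch of the tracked-route failover described above, with ISAKMP enabled per nameif rather than per physical sub-interface. The nameif names (`outside`, `backup`), VLAN IDs, SLA/track numbers and all addresses (documentation ranges) are assumptions made for illustration.

```cisco
! Constructed sample values throughout; adjust to the real addressing plan.
! Each sub-interface gets its own nameif; security levels 0 and 1 as in the thread.
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif backup
 security-level 1
 ip address 198.51.100.2 255.255.255.252
!
! Probe the primary next hop so the primary default route can be withdrawn
! when it stops answering.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Two default routes with different metrics, not ECMP: the tracked route is
! preferred, and the metric-254 route is used only after track 1 goes down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! ISAKMP is enabled against the nameif, once per interface that should
! terminate tunnels (command form as written in the thread).
crypto isakmp enable outside
crypto isakmp enable backup
```

After applying, `show track 1` and `show route` show which default route is currently installed.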

Received on Tue Apr 05 2011 - 15:33:08 ART
