RE: crypto isakmp enable on multiple sub-interfaces

I can't send email to the group any more.

Please advice

Marcin Zgola | Netrix, LLC | 847.283.7400 |(Direct) 847.283.7328| (fax) 847.283.7610 | http://www.netrixllc.com/
Internetwork Lead | CCIE# 18676 (Security)

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
Sent: Tuesday, April 05, 2011 10:33 AM
To: waseemullah memon
Cc: ccielab_at_groupstudy.com
Subject: RE: crypto isakmp enable on multiple sub-interfaces

Waseemullah,

On Tue, Apr 05, 2011 at 11:18:42, Sadiq Yakasai wrote:
> Subject: Re: crypto isakmp enable on multiple sub-interfaces
>
> Makes sense Ryan!
>
>
> On Tue, Apr 5, 2011 at 3:51 PM, waseemullah memon
> <waseemullah.memon_at_gmail.com> wrote:
>
>
> Hi Sadiq,
>
> I intend to use it like below!
>
> crypto isakmp enable g0/0.100
> crypto isakmp enable g0/0.101
>
> where both of the above sub-interfaces are part of outside network
> with security level 0 and 1.
>
>

As Sadiq was mentioning, you'll still be creating a nameif and assigning routes to it. ECMP to two different interfaces for a route is not supported, but you can still setup failover based track and more specific routes with failover to your backup interface. I've configured something similar for ISP failover.

This document should is from 8.4 and still has many of the same rules from 7.2:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_static.html#wp1128007

-ryan

Blogs and organic groups at http://www.ccie.net
Received on Tue Apr 05 2011 - 20:33:58 ART