Hello Timur,
You can just apply the same crypto map on the different interfaces, or
use different crypto maps. The matching is done based on groupname and
password (or certificate).
For IPsec client access, you can set backup gateways in the pcf
profile. So that's one problem solved.
For SSLVPN, I would suggest to use DNS load-balancing in test and see
if that works.
If you create a name, e.g. sslvpn.company.com and point that to three
different IP addresses (A records), the browser should try all three
addresses for the connection, so if the preferred carrier fails, it
will try the other IP addresses as well.
HTH
Pieter-Jan
On 13 aug 2009, at 15:07, Timur Snoke wrote:
Hello all-
I am trying to set up an RA solution for an ASA that has 3 ISPs
feeding into it. To do this I have set up subinterfaces for all
three carriers on the eth0/0 and have set up tracking so the default
route changes based upon which carrier is up.
I have set up a cryptomap that works on one of the interfaces for
IPsec and SSL VPN connections and what I would like to do is set it
up so that the remote users can get in regardless of which of the 3
ISPs is up. In the client config, is it possible to set up all three
outside subinterfaces to be viable candidates for the same
cryptomap, and have the client fail from one to another when the
links go down?
Any considerations or other things to keep in mind would be most
appreciated.
Thanks in advance,
Timur Snoke
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com