For my external interface on a 2130 pair in HA, I have a port channel defined.
On that external port channel, I have a sub-interface defined that has the main external IP, which is part of a /23 public subnet on VLAN 254.
I am trying to add additional public IP addresses on the external interface, but it doesn't seem possible.
Port channel 18
Sub Port Channel 18.254 with public IP address X.X.X.1/23 on VLAN 254
I want to add additional public IP addresses from the same VLAN 254 which has the /23,
such as X.X.X.3, X.X.X.4, etc.
My intent is to use the additional public IP addresses for a combination of target endpoints for AnyConnect user VPN and for outgoing auto dynamic NAT/PAT, so that certain internal subnets get NAT'd/PAT'd to specific external public IPs.
However, when I try to add additional sub-interfaces with public IPs inside the /23, I get multiple warnings saying I can't do it because there is another subinterface already on VLAN 254 and there is overlap with the existing /23 in terms of the IPs.
Is there a way to do this? To have multiple IPs in the same VLAN on the same external port channel?
I think I figured this out. The disconnect is thinking the IPs must be defined on the interface before they can be used in NAT/PAT or VPN endpoints. I was able to pencil in additional public IPs in the /23 in the NAT/PAT rules, and I expect to be able to do the same for an AnyConnect VPN endpoint.
Correct. The NAT/PAT addresses do not need to be (and in fact cannot be) defined as interface addresses.
The exception is when you are using the actual (single) interface address.