Beginner

Firepower 2130 HA pair - Adding additional external IPs on external interface port channel

For my external interface on a 2130 pair in HA I have a port channel defined.

On that external port channel, I have a sub-interface defined that has the main external IP, which is part of a /23 public subnet on vlan 254.

I am trying to add additional public IP addresses on the external interface but it doesn't seem possible.

Port channel 18
  Sub Port Channel 18.254 with public IP address X.X.X.1/23 on vlan 254

I want to add additional public IP addresses from the same vlan 254 which has the /23, such as X.X.X.3, X.X.X.4, etc.

My intent is to use the additional public IP addresses for a combination of target endpoints for AnyConnect user VPN and for outgoing auto dynamic NAT/PAT, so that certain internal subnets get NAT'd/PAT'd to specific external public IPs.

However, when I try to add additional sub-interfaces with public IPs inside the /23, I get multiple warnings saying I can't do it because there is another sub-interface already on vlan 254 and there is overlap with the existing /23 in terms of the IPs.

Is there a way to do this? To have multiple IPs in the same vlan on the same external port channel?

 

2 REPLIES
Beginner

Re: Firepower 2130 HA pair - Adding additional external IPs on external interface port channel

I think I figured this out. The disconnect is thinking the IPs must be defined on the interface before they can be used in NAT/PAT or VPN endpoints. I was able to pencil in additional public IPs in the /23 in the NAT/PAT rules and I expect to be able to do the same for an AnyConnect VPN endpoint.

Hall of Fame Master

Re: Firepower 2130 HA pair - Adding additional external IPs on external interface port channel

Correct. The NAT/PAT addresses do not need to be (and in fact cannot be) defined as interface addresses.

The exception is when you are using the actual (single) interface address.
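The thread's conclusion is that the extra public addresses are drawn from the outside interface's /23 but are never configured on the sub-interface; only the single interface address (and, on an HA pair, its standby address) lives there. The script below is an added example, not code from the thread or from Cisco: it checks an address plan of the kind the original poster describes (inside subnet to specific public IP) for the mistakes that would make such a plan fail, and renders the accepted pairs in the ASA/FTD-style object NAT form one would compare against `show running-config nat` on the FTD. All addresses (198.51.100.0/23, the standby address, the inside subnets), the interface names `inside`/`outside` and the object names are constructed assumptions standing in for the thread's X.X.X.1/23 on vlan 254.

```python
"""Check extra public addresses against the outside interface's /23.

Constructed example, not configuration from the thread. The NAT/PAT and VPN
endpoint addresses must be inside the interface's subnet (so the upstream
router delivers them to the firewall) but must NOT be the interface address,
the HA standby address, or the subnet's network/broadcast address.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample values standing in for the thread's X.X.X.1/23 on vlan 254.
OUTSIDE = IPv4Interface("198.51.100.1/23")     # active unit's interface address
OUTSIDE_STANDBY = IPv4Address("198.51.100.2")  # HA standby address (assumed)


def check_plan(interface, standby, plan):
    """Validate a {inside_subnet: public_ip} plan; return (accepted, problems).

    accepted: list of (IPv4Network, IPv4Address) pairs safe to use as NAT/PAT
              or VPN endpoint addresses without touching the interface config.
    problems: one human-readable string per rejected entry.
    Several inside subnets may share one public address (that is ordinary PAT),
    so duplicates are deliberately not flagged.
    """
    net = interface.network
    taken = {interface.ip, standby}
    accepted, problems = [], []
    for inside, public in plan.items():
        inside_net = IPv4Network(inside)
        ip = IPv4Address(public)
        if ip not in net:
            problems.append(f"{ip}: not inside {net}; upstream will not route it here")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip}: network/broadcast address of {net}")
        elif ip in taken:
            problems.append(f"{ip}: is the interface or standby address; "
                            "that one is used only via the interface-address option")
        else:
            accepted.append((inside_net, ip))
    return accepted, problems


def render_object_nat(accepted, inside_ifc="inside", outside_ifc="outside"):
    """Render accepted pairs as ASA/FTD-style object NAT (assumed CLI form).

    On this platform, dynamic NAT to a single mapped host address is PAT, which
    matches the "certain internal subnets to specific public IPs" intent.
    """
    lines = []
    for inside_net, ip in accepted:
        name = f"inside-{inside_net.network_address}-{inside_net.prefixlen}"  # constructed name
        lines += [f"object network {name}",
                  f" subnet {inside_net.network_address} {inside_net.netmask}",
                  f" nat ({inside_ifc},{outside_ifc}) dynamic {ip}"]
    return "\n".join(lines)


# Constructed plan: two good entries and three typical mistakes.
SAMPLE_PLAN = {
    "10.1.0.0/16": "198.51.100.3",    # fine: in the /23, not on the interface
    "10.2.0.0/16": "198.51.100.4",    # fine
    "10.3.0.0/24": "198.51.100.1",    # the interface address itself
    "10.4.0.0/24": "198.51.102.9",    # outside the /23
    "10.5.0.0/24": "198.51.101.255",  # broadcast address of the /23
}


def demo():
    """Run the check on the constructed plan and return its results."""
    return check_plan(OUTSIDE, OUTSIDE_STANDBY, SAMPLE_PLAN)


if __name__ == "__main__":
    accepted, problems = demo()
    print("\n".join(problems))
    print(render_object_nat(accepted))
```

The interface and standby addresses are the one exception the last reply mentions: they are reachable for NAT only through the interface-address option, which is why the check refuses them as pool addresses rather than letting the deployment fail later.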