Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
798
Views
0
Helpful
2
Replies

Firepower 2130 HA pair - Adding additional external IP's on external interface port channel

mn-sysadmin
Level 1
Level 1

‎07-08-2019 12:45 PM

For my external interface on a 2130 pair in HA I have a port channel defined

On that external port channel, I have a sub-interface defined that has the main external IP which is part of a /23 public subnet on vlan 254

 

I am trying to add additional public ip addresses on the external interface but it doesnt seem possible

 

Port channel 18

  Sub Port Channel 18.254 with public ip address X.X.X.1/23 on vlan 254

 

I want to add additional public ip addresses from the same vlan 254 which has the /23

Such as X.X.X.3, X.X.X.4, etc

 

My intent is to use the additional public ip addresses for a combination of target endpoints for anyconnect user vpn and for outgoing auto dynamic NAT/PAT so that certain internal subnets get NAT'd/PAT'd to specific external public IP's

 

However when I try to add additional sub-interfaces with public ip's inside the /23 i get multiple warnings saying I can't do it because there is another subinterface already on vlan 254 and there is overlap with the existing /23 in terms of the IP's.

 

Is there a way to do this? To have multiple IP's in the same vlan on the same external port channel?

 

Labels:
0 Helpful
2 Replies 2

mn-sysadmin
Level 1
Level 1

‎07-08-2019 01:43 PM

I think I figured this out. The disconnect is thinking the IP's must be defined on the interface before they can be used in NAT/PAT or VPN endpoints. I was able to pencil in additional public IP's in the /23 in the NAT/PAT rules and I expect to be able to do the same for an AnyConnect VPN endpoint

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mn-sysadmin

‎07-08-2019 10:28 PM

Correct. The NAT/PAT addresses do not need to be (and in fact cannot) be defined as interface addresses.

The exception is when you are using the actual (single) interface address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card