I have two hosts that reside in different /24 subnets, but because of the way the network was "built", both subnets sit on the same VLAN, with one of the subnets' default gateway being a secondary address on the VLAN. Now I have to move these two hosts behind a firewall to segregate them from 99.9% of the rest of the network, with only certain IPs/ports allowed to access them. The two hosts that have to move MUST retain their current IPs. All of this while also allowing both of the segregated hosts to have unrestricted access to each other. I have an ASA5510 to use for the firewall. I believe that I can put in static routes in my core pointing to the ASA for these IPs that will sit behind it, but if I do that, will devices "outside" the firewall be able to see them if they reside in the same subnet? I'm thinking that if a box in the same subnet as one that's been moved behind it tries to contact it, it will assume that since the destination is in the same subnet as itself no router will be needed to find the destination, and therefore the static route doesn't get used. I'm guessing it would work fine for devices outside that are on a different subnet, but the same subnet is my first concern. Really just looking for some ideas how I can accomplish this.
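As an added illustration (not part of the question above), the forwarding decision the asker is worried about can be modelled with a plain longest-prefix-match lookup. Every IP host and router picks the most specific route that contains the destination; a directly connected prefix means "ARP for it on this link", anything else means "hand it to that gateway". The addresses and routing tables below are constructed stand-ins (TEST-NET ranges), and the ASA interface address is a hypothetical placeholder; none of them come from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    # None = directly connected: the device ARPs for the destination itself.
    gateway: Optional[ipaddress.IPv4Address]


def route(prefix: str, gateway: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix),
                 ipaddress.IPv4Address(gateway) if gateway else None)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among entries containing dst, the most specific wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> str:
    """'arp:<dst>' if the sender resolves dst on its own link, 'via:<gw>' if it
    hands the packet to a router, 'unreachable' if nothing matches."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    return f"arp:{dst}" if r.gateway is None else f"via:{r.gateway}"


# Constructed addresses standing in for the two /24s that share one VLAN.
MOVED_HOST = "192.0.2.50"      # one of the hosts going behind the ASA; keeps its IP
ASA_OUTSIDE = "192.0.2.254"    # hypothetical ASA interface the core's static points at

# An ordinary host left on 192.0.2.0/24: connected route plus a default route.
SAME_SUBNET_PEER = [
    route("192.0.2.0/24"),
    route("0.0.0.0/0", "192.0.2.1"),
]

# A host on the second /24 (same VLAN; its gateway is the core's secondary address).
OTHER_SUBNET_PEER = [
    route("198.51.100.0/24"),
    route("0.0.0.0/0", "198.51.100.1"),
]

# The core: both /24s connected, plus the proposed /32 static towards the ASA.
CORE = [
    route("192.0.2.0/24"),
    route("198.51.100.0/24"),
    route(f"{MOVED_HOST}/32", ASA_OUTSIDE),
]


def path_from_same_subnet() -> str:
    # The peer's connected /24 is the longest match, so it ARPs for the moved
    # host directly and never sends the frame to the core.
    return next_hop(SAME_SUBNET_PEER, MOVED_HOST)


def path_from_other_subnet() -> List[str]:
    # First hop is the default gateway (the core); the core then prefers its /32
    # static over the connected /24 because /32 is the longer prefix.
    return [next_hop(OTHER_SUBNET_PEER, MOVED_HOST), next_hop(CORE, MOVED_HOST)]


if __name__ == "__main__":
    print("same subnet  :", path_from_same_subnet())    # arp:192.0.2.50
    print("other subnet :", path_from_other_subnet())   # ['via:198.51.100.1', 'via:192.0.2.254']
```

The two results show both halves of the concern: a peer on the same /24 never consults the core, so the core's static route is irrelevant to it, while traffic from the other /24 reaches the core, where the /32 static wins over the connected /24 and is forwarded to the ASA.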