Partial subnets moving behind firewall

robbie_woodley used Ask the Experts™
I have two hosts that reside in different /24 subnets but because the way the network was "built", both subnets sit on the same vlan with one of the subnets default gateway being a secondary address on the vlan.  Now I have to move these two hosts behind a firewall to segregate them from 99.9% of the rest of the network with only certain IPs/ports allowed to access them.  The two hosts that have to move MUST retain their current IPs.  All of this while also allowing both of the segregated hosts to have unrestricted access to each other.  I have an ASA5510 to use for the firewall.  I believe that I can put in static routes in my core pointing to the ASA for these IPs that will sit behind it but if I do that will devices "outside" the firewall be able to see them if they reside in the same subnet?  I'm thinking that if a box in the same subnet as one that's been moved behind tries to contact it, it will assume that since the dest is in the same subnet as itself that no router will be needed to find the destination and therefore the static route doesn't get used.  I'm guessing it would work fine for devices outside that are on a different subnet but the same subnet is my first concern.    Really just looking for some ideas how I can accomplish this.

Firstly, a couple of questions. Are there any other devices on these subnets. Can you setup the VLAN's properly?

I suspect, looking at your current setup as described, you may be best using the ASA in transparent mode. This will disable some of the more advanced features, but will minimise the amount of reconfiguration you will need. In an ideal world, I would remove the IP's from the device doing the routing, use the ASA to route between these subnets with what I assume is a switch routing the rest of the network with a gateway to these VLANs being a third interface on the ASA.

I assume these IP's are hard coded somewhere and that's why you can't change them.


There are boatloads of other stuff on these subnets so splitting them off onto separate VLANs isn't really possible.
Currently core routing is happening in a stack of 3750's but that is soon moving to a 6500 so making the ASA the core device is out of the question.  
As for the IPs being hard coded, the short answer is yes.  The software on these boxes will likely still work if we change the IPs but the vendor has told us they will not support it should anything quit working unless we pay them another "setup" fee to have them come in and migrate the server to new IP space.  Additionally, the devices that will still need to have access to these boxes are all hard coded pointing back to it by IP instead of DNS name.

Investigate using the ASA in transparent mode. I don't think you can use transparent mode in multi-context mode, so you may need to have separate interfaces for each device, then move the servers into a separate vlan with the ASA sitting between the VLANs. This should work, but it's not something I have tried. Do you want to isolate the servers from each other as well as the current LAN? Do the servers have IP's in each subnet?

Just checked the documentation. You can use multi-context with transparent, but all contexts must use transparent mode.


Well, actually the servers need to have full access to each other.
If that's the case, just use single context. It will simplify the config.

Have you got the command line config guide? It will help in understanding the transparent mode. Then just use the ASA to bridge between the existing VLAN and a new isolated VLAN.


I don't have the config guide in hand but I can get it easily.  
If I put it in transparent mode it basically becomes a switch with security capabilities correct?  
Also, does this mean that traffic from Server A and Server B (both of which are behind the ASA but in different /24 subnets) will actually have to go outside the ASA get routed at the core and come back in?  I ask because traffic between the two servers needs to remain on the inside and never go outside.
If the servers are in different subnets, then the traffic has to go outside to go between the 2 servers. If this is a key critical requirement, you will need to re-engineer the network. You cannot just put a FW in place and try to fudge it.
The only way I can think of achieving the desired outcome is as follows.


This will require changing the IP's of all the other network devices, but if you cannot afford to have the IP's on the servers changed due to the software supplier charging too much, I can't see any way round this. Something is going to have to give, so the cheapest option is probably going to be the most work for you, ie. change the network topology as above. This would need the firewall to be in routed mode.
What about something similar to this with the ASA in transparent mode?

LAN-----------------------CoreRouter--------------------------ASA------L3switch w/ routing--------------------------------------|
(Host A in subnet 1)   (both subnets in same VLAN)                   (IP from subnet 1,2 in same VLAN similar to core) |
(Host B in subnet 2)                                                                                                                                                  |
                                                                                                                        Server A (subnet 1)---------------------|
                                                                                                                        Server B (subnet 2)---------------------|

If server A and B used IPs in the L3 switch behind the ASA as their gateway their traffic should not go outside the ASA to get to each other.  And since the ASA is in transparent mode Host A should be able to reach Server A via layer2 and be routed to Server B as well.  Does this sound feasible or has it been too long of a day for me?  :)

I could set this type of scenario up fairly quickly in a lab environment and test without the ASA in place and see how it acts.
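An added illustration (not the poster's config or any vendor code) of the forwarding decisions behind both the original worry in the question and the proposed layout above: a host only consults its own routing table, so a /32 static route on the core is honoured by the core but never seen by a host in the same /24, which ARPs directly; with the servers' gateway on the L3 switch behind the ASA, server-to-server traffic never leaves it. All addresses are constructed documentation-range values, not the real network.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addresses: subnet 1 = 192.0.2.0/24, subnet 2 = 198.51.100.0/24.
# The core owns .1 in both (the second as a secondary address on the same VLAN);
# the L3 switch behind the transparent ASA owns .2 in both and is the servers' gateway.

class Node:
    """A host or router: connected interfaces, optional static routes, optional default gateway."""
    def __init__(self, name, addrs, gateway=None, static_routes=()):
        self.name = name
        self.ifaces = [ip_interface(a) for a in addrs]
        self.gateway = ip_address(gateway) if gateway else None
        self.static = [(ip_network(n), ip_address(g)) for n, g in static_routes]

    def next_hop(self, dst):
        """Longest-prefix match over connected, static and default routes.
        'on-link' means the node ARPs for dst directly and no router is involved."""
        dst = ip_address(dst)
        routes = [(i.network, "on-link") for i in self.ifaces]
        routes += [(net, str(gw)) for net, gw in self.static]
        if self.gateway:
            routes.append((ip_network("0.0.0.0/0"), str(self.gateway)))
        hits = [r for r in routes if dst in r[0]]
        if not hits:
            return "unreachable"
        return max(hits, key=lambda r: r[0].prefixlen)[1]

# Core carries the /32 statics the question considered; hosts know nothing about them.
core     = Node("core", ["192.0.2.1/24", "198.51.100.1/24"],
                static_routes=[("192.0.2.50/32", "192.0.2.2"),
                               ("198.51.100.50/32", "198.51.100.2")])
host_a   = Node("hostA",   ["192.0.2.10/24"],     gateway="192.0.2.1")
host_b   = Node("hostB",   ["198.51.100.10/24"],  gateway="198.51.100.1")
server_a = Node("serverA", ["192.0.2.50/24"],     gateway="192.0.2.2")
server_b = Node("serverB", ["198.51.100.50/24"],  gateway="198.51.100.2")

def decisions():
    """Who each node hands the packet to for the flows the thread cares about."""
    return {
        "hostA->serverA":   host_a.next_hop("192.0.2.50"),       # same /24: direct ARP, core static unused
        "hostB->serverA":   host_b.next_hop("192.0.2.50"),       # other subnet: goes to the core first
        "core->serverA":    core.next_hop("192.0.2.50"),         # core does honour its /32 static
        "serverA->serverB": server_a.next_hop("198.51.100.50"),  # default gw is the inside L3 switch
        "serverB->serverA": server_b.next_hop("192.0.2.50"),
    }

if __name__ == "__main__":
    for flow, hop in decisions().items():
        print(f"{flow:18} -> {hop}")
```

Because hostA's first hop is "on-link", the only device that can police that flow is one sitting in the layer-2 path, which is why the transparent-mode bridge works where a routed firewall would be bypassed.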
I'm not sure about your suggestion. This may work if you use the switch behind the ASA as the DG's for the servers and then have a DG on this switch of the core switch in one of the VLANs. I would not recommend this as a solution and would suggest that you look at migrating all your other devices off these VLANs. If this cannot be done in the timescales available, try your proposed config and see if it will work, but for future management purposes and to reduce the problems you will come up against, try to migrate the other devices off the VLANs to separate VLANs.


Well I've put the idea I proposed through its paces in a lab setup and it seemed to work.  It just went into production this morning and so far we've only had one small hiccup but I **think** I figured it out fairly quickly and now just have to assess whether it's a feasible long term fix or not.  I will report back in a few days after things have had time to simmer a bit.


So far this unorthodox "solution" has been in place and working for about a month now.  I know it's not what I'd like to have in place but it accomplished the goal which was good.


The network layout suggested in my post is what I ended up putting into production.
