Using Transparent Mode with Multiple Subnets on a Single VLAN

Andrew Smale · ‎05-24-2017

A friend of mine runs a small VPS hosting company and has a few servers in a remote DC. He had purchased an ASA 5512-X and intends to use it to monitor traffic transparently between his servers and the uplink to his DC Internet connection.

I helped him setup the ASA in his home lab and we have transparent mode working with a single subnet. However his DC has provisioned five unique IP subnets for external connectivity on a single VLAN. He has a single 1 Gbps connection.

Is there anyway to make this work with the ASA? My understanding is there needs to be a BVI interface on each L3 segment to make this work. I don't believe you can assign multiple IP addresses to a single BVI interface.

My suggestion to him was to talk to the provider and see if they can convert the link to a trunk and provision each external subnet on a different VLAN and then we could use subinterfaces on the ASA.

Connectivity flow is (Single 1 Gbps Internet feed from DC) > L2 VLAN on a Switch > ASA > L2 VLAN on Switch > Servers

There is a no NAT involved.

Thanks!

Andrew

jonathan.cuthbert · ‎05-24-2017

Unless something has changed, there is only one IP address on the ASA in transparent mode, and it is only there to manage the ASA.

I would consider going multi context and creating a bridge group in each context.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_fw.html#57210

Andrew Smale · ‎05-29-2017

Thanks Jonathan. Part of our issue is we don't have enough ports on the 5512-X to split everything out. We might just do a simplified version and bridge on a few of the subnets.