05-24-2017 09:56 AM - edited 03-12-2019 02:24 AM
A friend of mine runs a small VPS hosting company and has a few servers in a remote DC. He had purchased an ASA 5512-X and intends to use it to monitor traffic transparently between his servers and the uplink to his DC Internet connection.
I helped him set up the ASA in his home lab and we have transparent mode working with a single subnet. However, his DC has provisioned five unique IP subnets for external connectivity on a single VLAN. He has a single 1 Gbps connection.
Is there any way to make this work with the ASA? My understanding is there needs to be a BVI interface on each L3 segment to make this work. I don't believe you can assign multiple IP addresses to a single BVI interface.
My suggestion to him was to talk to the provider and see if they can convert the link to a trunk and provision each external subnet on a different VLAN and then we could use subinterfaces on the ASA.
Connectivity flow is (Single 1 Gbps Internet feed from DC) > L2 VLAN on a Switch > ASA > L2 VLAN on Switch > Servers
There is no NAT involved.
Thanks!
Andrew
05-24-2017 02:26 PM
Unless something has changed, there is only one IP address on the ASA in transparent mode, and it is only there to manage the ASA.
I would consider going multi-context and creating a bridge group in each context.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_fw.html#57210
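Added example, not part of the original thread or Cisco's documentation: a sketch of what the multi-context layout suggested above could look like when combined with the trunk/subinterface idea from the question, so each context owns one subnet and one bridge group without consuming extra physical ports. Context names, VLAN IDs 101 and 102, the 203.0.113.0/24 and 198.51.100.0/24 addresses, and the config-url paths are all assumed placeholders; only two of the five subnets are shown and the remaining contexts would repeat the same pattern.

```cisco
! ---- system execution space (assumed layout, constructed example) ----
mode multiple
!
! Physical ports toward the provider switch and toward the server switch.
interface GigabitEthernet0/0
 description uplink-side trunk (assumed)
 no shutdown
interface GigabitEthernet0/1
 description server-side trunk (assumed)
 no shutdown
!
! One pair of subinterfaces per external subnet; VLAN IDs are placeholders
! that the provider would have to agree to carry on the trunk.
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/1.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1.102
 vlan 102
!
! Each context gets exactly its own pair of subinterfaces, exposed under
! mapped names so the context config does not depend on the physical slot.
context subnetA
 allocate-interface GigabitEthernet0/0.101 outside_a
 allocate-interface GigabitEthernet0/1.101 inside_a
 config-url disk0:/subnetA.cfg
!
context subnetB
 allocate-interface GigabitEthernet0/0.102 outside_b
 allocate-interface GigabitEthernet0/1.102 inside_b
 config-url disk0:/subnetB.cfg

! ---- inside context subnetA (constructed example) ----
firewall transparent
!
! The BVI address is the context's management/source address inside the
! bridged subnet; it is not a gateway and no NAT is involved.
interface BVI1
 ip address 203.0.113.2 255.255.255.0
!
interface outside_a
 bridge-group 1
 nameif outside
 security-level 0
!
interface inside_a
 bridge-group 1
 nameif inside
 security-level 100

! ---- inside context subnetB (constructed example) ----
firewall transparent
!
interface BVI1
 ip address 198.51.100.2 255.255.255.0
!
interface outside_b
 bridge-group 1
 nameif outside
 security-level 0
!
interface inside_b
 bridge-group 1
 nameif inside
 security-level 100
```

The point of the layout is that the single-BVI limit is per bridge group, so the five subnets get five bridge groups, one per context, while the physical port count stays at two; the cost is that multi-context mode depends on the licensed context count of the unit and on the provider actually delivering the subnets as separate VLANs on the trunk.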
05-29-2017 07:27 AM
Thanks Jonathan. Part of our issue is we don't have enough ports on the 5512-X to split everything out. We might just do a simplified version and bridge on a few of the subnets.