ASA5510 question, requiring quick answer (VLAN related)

petercrowe
Level 1

I had asked this in a separate "answered" and now closed discussion, but didn't get an answer. Am hoping to get one now.

ASA5510 firewall

interface eth0/0 is now named "inside" and has an IP address of 192.168.1.254.

I now have to modify this interface to a VLAN friendly design.

My question is, if I move/make the interface name "inside" to a sub-interface (eth0/0.1) under the same interface (eth0/0; in addition, also removing the name and IP from eth0/0), will all my configurations in the firewall config be deleted, or will they remain in place if I name the new VLAN "inside" just like it was on interface eth0/0?

I'm guessing I have to work on reconfiguring all instances where interface eth0/0 is now entered (aaa-servers, NATs, etc.). Any advice on manually working on show run entries to modify all occurrences of the interface would be most appreciated.

Show run details below:

--------**OLD Config**----------
interface Ethernet0/0
no nameif
security-level 100
ip address 192.168.1.254 255.255.255.0

--------**NEW Config**----------
interface Ethernet0/0.1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0

interface Ethernet0/0.x
nameif IT
etc....

5 Replies

Hi Peter,

I'm not sure, I must see all the conf... but any configuration which references the "inside" interface will pass to the new int. eth0/0.0 (e.g. firewall rules).

Thanks for the response Christos. In the end, I hired a CCIE to take care of the transition, and from the looks of it, he left the eth0/0 interface with the inside name, left the IP address assigned to that same port (including assigning sec. level 100), and just created an eth0/0.1 sub-int, assigned it to vlan 1, no nameif, same sec. level, no IP address.

The other vlans were just continued on down the sub-ints (thus, eth0/0.2, etc.).

Strange, but it works. There were also some other mods (inter- and intra-interface communications permitted), and NAT rules.

After adding some routes on the servers, it seems that everything works fine.

Thanks for your help! If someone wants to see a show run config, I'd be happy to paste a sanitized version up.

That is really a weird way he did it; I have never seen it like this. I actually have it set up currently on my firewall too and it is something like this:

interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 150
nameif DMZ
security-level 25
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/2.2
vlan 13
nameif DMZ2
security-level 30
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

The physical port will still pass tagged and untagged packets, and that comes from Cisco's own manual, but it is non-standard. I'm sure he had his reasons.

As I say, we had to add routes on servers that were in the native VLAN so they could reply back to the hosts in the VLANs (DHCP and DNS). I'm wondering if the routes would even have been required if all the IPs had been on sub-ints? Wouldn't inter-VLAN routing via statics have ensured this?

The CCIE was very good at what he does, and was able to make this work. As long as there is no security issue with this config, I guess we'll just roll with it.

Here are the full, sanitized, relevant commands:

++++++++++++++++++++++++++

!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.1
vlan 1
no nameif
security-level 100
no ip address
!
interface Ethernet0/0.20
vlan 20
nameif BUNNY1
security-level 85
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0.25
vlan 25
nameif BUNNY2
security-level 90
ip address 192.168.25.1 255.255.255.0
!
interface Ethernet0/0.99
vlan 99
nameif BUNNY3
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 50
no ip address
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
description Outside IP
nameif outside
security-level 0
ip address Outside 255.255.255.0

access-list BUNNY3-NONAT extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY2-NONAT extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-IN extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-IN extended permit ip 192.168.20.0 255.255.255.0 any
access-list BUNNY2-IN extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY2-IN extended permit ip 192.168.25.0 255.255.255.0 any

nat (inside) 1 192.168.1.0 255.255.255.0
nat (BUNNY3) 0 access-list BUNNY3-NONAT
nat (BUNNY3) 1 192.168.99.0 255.255.255.0
nat (BUNNY1) 0 access-list BUNNY1-NONAT
nat (BUNNY1) 1 192.168.20.0 255.255.255.0
nat (BUNNY2) 0 access-list BUNNY2-NONAT
nat (BUNNY2) 1 192.168.25.0 255.255.255.0
static (inside,BUNNY3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,BUNNY1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,BUNNY2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group BUNNY1-IN in interface BUNNY1
access-group BUNNY2-IN in interface BUNNY2
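The inventory the original question asks for (which show run entries are tied to an interface name, and which sub-ints carry a tag but no nameif) can be scripted. This is an added example, not code from the thread or from Cisco; it runs against a constructed sample shaped like the sanitized config above, and the function names are my own.

```python
import re

# Constructed sample modelled on the sanitized config posted above (indented as 'show run' prints it).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
!
interface Ethernet0/0.1
 vlan 1
 no nameif
!
interface Ethernet0/0.20
 vlan 20
 nameif BUNNY1
!
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,BUNNY1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group BUNNY1-IN in interface BUNNY1
aaa-server RADIUS (inside) host 192.168.1.10
"""

def parse_config(config):
    """Split an ASA config into per-interface {nameif, vlan} and global lines."""
    ifaces, global_lines, current = {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        tok = line.split()
        if tok[0] == "interface":           # start of an interface block
            current = tok[1]
            ifaces[current] = {"nameif": None, "vlan": None}
        elif line == "!":                   # end of the block
            current = None
        elif current is not None:           # setting inside the block
            if tok[0] == "nameif":
                ifaces[current]["nameif"] = tok[1]
            elif tok[0] == "vlan":
                ifaces[current]["vlan"] = int(tok[1])
        else:                               # nat, static, access-group, ...
            global_lines.append(line)
    return ifaces, global_lines

def references(global_lines, nameif):
    """Global commands bound to nameif: '(name)', '(name,X)', '(X,name)' as in
    nat/static/aaa-server, or 'interface name' as in access-group."""
    n = re.escape(nameif)
    pat = re.compile(r"\((?:[^)]*,)?%s(?:,[^)]*)?\)|\binterface %s\b" % (n, n))
    return [l for l in global_lines if pat.search(l)]

def unnamed_subinterfaces(ifaces):
    """Subinterfaces with a VLAN tag but no nameif: nothing can bind to them."""
    return [i for i, s in ifaces.items() if s["vlan"] and s["nameif"] is None]
```

Running references() for each nameif before and after the change gives a list to diff, so any nat, static, aaa-server or access-group line that silently lost its binding shows up.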

Hi Peter,

Could you please send us, also the port configuration of the switch?

Thanks
