Hello Husy,

I have 6 hosts on a network 31.8 - 31.13 , I want these hosts to be behind the ASA5510 so is it possible to connect the external interface of the ASA5510 to the switch and then the 6 hosts to its internal interface? The other hosts still remain connected to the switch.

So the ASA just acts as a bridge I guess and if I address it's external interface as 31.6 and the internal interface as 31.7 and the required hosts connected through a hub to 31.7, will the firewall server the purpose this way ?

Regards,

Murtaza

Technically, what you want is possible. But for efficently using ASA, you should meet the following requirements

1)Inside and outside interfaces should be in different networks

2)If all hosts including the seperated 6 will be pluuged into 1 switch, then you should apply VLANs. Or use a different hub or switch for these 6 hosts

Regards

Ok, that means what I am thinking of doing is not possible on the same network within a single switch. What about Passive and Active firewall, can I achieve that if the firewall is mad Passive ?

Regards

Please explain in details what you want to do with ASA, what benefits of ASA do you need and why do you seperate these 6 hosts. And what is the model of your switch?

Ok, we have around 200 servers on the network 31.0 - 31.255 at the DC. One of our clients having 6 servers within needs his servers to be secured by ASA5510 with ACLs and Crypto tunnels. I have configured the firewall but I was looking for a way to deploy the firewall on those servers without actually changing the IP addresses of the servers.

Being technically aware that I should create a /29 subnet for the 6 servers and then deploy the firewall as the gateway, I was looking for a workaround as the guys at the data center will not put efforts in subnetting and I can not do it remotely.

Regards,

Does any one have any suggestion for my situation ?

Regards,

Murtaza

Murtaza

You really should make changes on infrastructure while adding a firewall doesnt matter if it is PIX, Microsoft ISA or etc. What you want achieve is a Demilitarized Zone (DMZ) for these 6 servers take place. But you can not assign IP adresses to two different interfaces in same network. Each interface should have different netwokrs.

Besides as you know, a host do not require a gateway to pass through if the destination host is in same network, so firewall would not function in this case.

A scruffy workaround is, adding another PIX or router, creating a network between, then creating one-to-one NATs like

x.x.31.8-- --172.16.1.8--R--x.x.31.8

x.x.31.9--A--172.16.1.9--O--x.x.31.9

x.x.31.10-S--172.16.1.10-U--x.x.31.10

x.x.31.11-A--172.16.1.11-T--x.x.31.11

x.x.31.12- --172.16.1.12-E--x.x.31.12

x.x.31.13- --172.16.1.13-R--x.x.31.13

^_______^ ^___________^ ^___________^

DMZ CO-NETWORK REAL NETWORK

The CO-Network will be unseen for both real network and DMZ. ASA's outside interface is directly connected to router's inside interface. And router's outside interface is connected to real network.

There is no other way than that.

Regards