Here is what I need to do. I need to create a firewalled segment that not only separates hosts from the general population, but also from each other. The solitary confinement of firewalled segments.
I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible: 1) it could become a management nightmare between ACLs and sub-interfaces, and 2) it's a waste of IP addresses.
Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
Kind of like this?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6 ---|
VLAN 2 - hosts 1.1.1.7             ---| Firewall DMZ Interface - 1.1.1.1
VLAN 3 - hosts 1.1.1.8 and 1.1.1.9 ---|
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.
So, 1) does this make sense, and 2) is it possible?
I'm working with an ASA 5510 running 8.2.4(4).
Thanks.
Jason
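One way to get the isolation described in the post, added here as an example and not part of Jason's post or any answer to it: keep a single routed DMZ interface on the ASA with one gateway IP, and enforce the host-to-host separation on the switch in front of it with private VLANs. The ASA's DMZ interface hangs off a promiscuous port that every secondary VLAN can reach; each group of hosts that may talk to each other becomes a community secondary VLAN, and a host that should talk only to the firewall goes in an isolated secondary VLAN. The switch model and port names, the VLAN IDs 100-103 (VLAN 1 cannot be made a private VLAN, so the post's VLAN 1-3 are renumbered), the ASA interface name and the /24 mask are assumptions; the syntax is Catalyst IOS private-VLAN configuration plus the matching ASA 8.2 interface stanza.

```text
! ---- Catalyst switch between the ASA DMZ interface and the hosts (assumed) ----
! Private VLANs require the switch to be in VTP transparent mode (or VTP v3).
vtp mode transparent
!
! Primary VLAN: carries the 1.1.1.0/24 subnet toward the firewall.
vlan 100
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 101-103
!
! Community VLAN: 1.1.1.5 and 1.1.1.6 may talk to each other and to the ASA.
vlan 101
 name DMZ-GROUP-A
 private-vlan community
!
! Community VLAN: 1.1.1.8 and 1.1.1.9 may talk to each other and to the ASA.
vlan 102
 name DMZ-GROUP-B
 private-vlan community
!
! Isolated VLAN: 1.1.1.7 reaches nothing except the promiscuous port (the ASA).
vlan 103
 name DMZ-ISOLATED
 private-vlan isolated
!
! Port toward the ASA DMZ interface: promiscuous, mapped to every secondary
! VLAN, so each host can reach its default gateway 1.1.1.1.
interface GigabitEthernet1/0/1
 description ASA-5510 DMZ (1.1.1.1)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101-103
!
! Host ports: each one is bound to the primary VLAN plus its secondary VLAN.
interface GigabitEthernet1/0/2
 description host 1.1.1.5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/3
 description host 1.1.1.6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/4
 description host 1.1.1.8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface GigabitEthernet1/0/5
 description host 1.1.1.9
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface GigabitEthernet1/0/6
 description host 1.1.1.7
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
! ---- ASA 5510, 8.2: one routed DMZ interface, one gateway IP, no sub-interfaces ----
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 1.1.1.1 255.255.255.0
```

Check the result with `show vlan private-vlan` on the switch, then ping from 1.1.1.5 to 1.1.1.8 (should fail, different communities), from 1.1.1.5 to 1.1.1.6 (should succeed) and from every host to 1.1.1.1 (should succeed). Two caveats a practitioner would want: the ASA sees all five hosts on one interface and one subnet, so any per-group policy has to be written as host-specific entries in the dmz ACL rather than per interface; and traffic between two groups is not routed through the ASA at all, because the hosts believe they share a subnet and will ARP for each other directly, which the private VLAN blocks. If some cross-group flows are required, this design does not provide them and the original sub-interface approach (or a different one) is needed for those hosts.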