Configuring Multiple VLANs with Same Subnet Behind Single ASA

Tags: cisco-asa, routing, subnet, testing, vlan

Suppose you have three groups of servers on the following VLANs and subnets:

Name         VLAN ID    Subnet
-----------------------------------
Production      3       10.0.0.0/24
Test           103      10.0.0.0/24
Lab            111      10.0.0.0/24

Suppose also that Production is connected to the internet with a Cisco ASA as its gateway at 10.0.0.1.

The purpose of Test and Lab is to allow us to replicate as closely as possible the servers on the Production network so that we can safely test changes to them without impacting production.

If you naively replicate the servers on the Production network and connect them to Test then they retain their 10.0.0.0/24 IP addresses as shown in the above table. Now suppose I want to also provide a connection to the internet for the Test network through the same Cisco ASA. It seems like this would be a problem because the ASA would base its routing decisions on IP addresses of which there are now duplicates on different VLANs.

This leaves me with the following questions:

  1. Is there a way to provide internet access to multiple VLANs which incidentally have the same subnet behind a single ASA?
  2. If so, how is this achieved? How would the ASA know to which VLAN to send a given packet if both VLANs have the same subnet?
  3. Is there a better way to provide internet connectivity to a test network containing servers with the same IP addresses as production?

Best Answer

Depending on the ASA and license you have, you could use contexts, which create virtual ASAs within the ASA. Each is independent of the others. This would also allow you to test ASA configs before putting them on production. Each VLAN interface is assigned to a context. Packets coming in are classified (in your situation, via the MAC address of the VLAN interface) and then sent to their respective context.

Another option would be to have 3 routers, one per vlan, performing NAT to a central subnet that the ASA is on.
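To make the multiple-context option concrete, here is an added example configuration (not from the original post, and not a configuration the ASA ships with) that puts Production and Test into separate security contexts behind one ASA. The interface names (GigabitEthernet0/0, GigabitEthernet0/1, Management0/0), the outside addresses in 203.0.113.0/24, the context names and the config-url paths are all assumptions chosen for illustration; the Lab VLAN (111) follows the Test pattern exactly.

```cisco
! ---- System execution space (ASA 8.4+ syntax; interface names are assumed) ----
mode multiple
!
interface GigabitEthernet0/0
 description Outside link shared by every context
 no shutdown
!
interface GigabitEthernet0/1
 description 802.1Q trunk carrying VLANs 3, 103 and 111
 no shutdown
!
interface GigabitEthernet0/1.3
 vlan 3
!
interface GigabitEthernet0/1.103
 vlan 103
!
! The classifier matches incoming frames on the destination MAC of the
! context's interface, so each context's copy of the shared outside
! interface needs its own MAC. "mac-address auto" generates one per context.
mac-address auto
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context production
  description Production, VLAN 3, 10.0.0.0/24
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.3 inside
  config-url disk0:/production.cfg
!
context test
  description Test, VLAN 103, also 10.0.0.0/24 (no clash: separate routing table)
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.103 inside
  config-url disk0:/test.cfg
!
! ---- disk0:/production.cfg (inside the "production" context) ----
! The "test" context is identical apart from a different outside address
! (e.g. 203.0.113.11); its inside address is the same 10.0.0.1/24.
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Because each context keeps its own routing table and NAT table, the duplicated 10.0.0.0/24 never appears twice in the same table, and the Test servers keep their production addresses untouched. Two points a practitioner should check before relying on this: the ASA model and license must permit the number of contexts you need (the admin context counts), and a shared outside interface requires either unique per-context MAC addresses (as above) or distinct NAT translations so that return traffic can be classified to the right context.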