Our recommendation is to segment part of the network behind a routed firewall to protect backups and virtual hosts. The problem is that computers on our general network cannot find the secure network segment.
Our general network, including our virtual servers (not hosts) are on the network 192.168.0.0/24 with a gateway of 192.168.0.1 Consider a computer on the network C2 with an ip address of 192.168.0.77
Our secure segment is behind a routed firewall. That network segment is 192.168.10.0/24 with a gateway of 192.168.10.1 Consider our host server H1 at 192.168.10.55
Our routed firewall F1 has two interfaces – one in each network. These are 192.168.0.2 and 192.168.10.2
So C2 tries to communicate with the H1. C2 determines that the address of H1 is outside of its subnet so it sends the frame to its default gateway. The gateway sends the packet out to the internet and not to F1. The communication does not find H1.
The solution to this problem is to add a route to the gateway router. In Cisco IOS this would be
ip route 192.168.10.0 0.0.0.255 192.168.0.2
With Cisco ASA it can be configured through the web interface
with a Fortigate it can also be done through the web interface
This complexity is difficult but necessary to maximally protect the secure network from a compromise of the office network segment.