Cisco ASA 5510 site-to-site with PIX v6.3
Home > IT Answers > Security > Cisco ASA 5510 site-to-site with PIX v6.3
Madpawn
215 pts.
0
Q:
Cisco ASA 5510 site-to-site with PIX v6.3
ASA, PIX, VPN, DMZ, IPsec, Cisco ASA 5510, Cisco ASA, PIX 6.3, Cisco PIX
I've recently developed a need to connect 2 networks together. One network (PIX Network) is currently connected to another network (DOMAIN 1) already via IPSEC site-to-site VPN. The other (ASA) is connected to many other sites via IPSEC site-to-site VPN and is those sites main domain server (DNS, DHCP, File, ext...)

PIX site is not a member of a domain, but uses DOMAIN 1's file server to do work.

I need to connect the PIX and ASA network together by IPSEC site-to-site VPN, normally this would be a no brainier and would go down without a hitch, but there is a small problem in all of this. ASA and DOMAIN 1 have the same ip schema and the main assets PIX needs to use reside at the same ip on both networks. this is where my problem comes in.

PIX needs to be able to access DOMAIN 1's file server which resides at 192.168.0.1 and ASA's file server which also resides at 192.168.0.1 on it's network at the same time.

I was thinking I could some how setup a DMZ on ASA and only allow access to the DMZ to the PIX network. this would eliminate the ip conflicts of the file servers and PIX would be able to work on both at the same time.

The problem is I do not know how to go about this on the ASA network. it has an ASA5510, but no DMZ is currently setup on it and I can not find in ASDM where to set it up at, nor do I know how to do it in CLI. Also is there a way for the DMZ interface to work through my external Vlan 1?

Once the ASA side is setup I'm unsure how to configure the PIX side of this.
ASKED: Jul 31 2009  7:29 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
BlankReg
11270 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
I say change the IP schema on the PIX side. If you are on DHCP, that makes it very easy for the clients. Then all you have to worry about is the no-brainer VPN. Hope his helps.


=============================================================================

Changing the schema is easily said, but difficult to achieve in a lot of circumstances. A much easier way, and all under your control, is to just NAT the IP address of the server, and of the source network.

Then the server just thinks it is talking to a different subnet, and the users access the remote server on a new IP address. The VPN access list is then configured to use these natted addresses rather than the 'real' ones.

I do this all the time, looking after a VPN netowrk with about 30 remote sites (Customers), and many of them have the same IP address schema. Using NAT hides all of this from the users, they just think there are many different subnets, and the ASA does the rest (with a little help from my config !).

Blank_Reg
Last Answered: Aug 1 2009  7:53 AM GMT by BlankReg   11270 pts.
Latest Contributors: Mshen   23535 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Madpawn   215 pts.  |   Aug 6 2009  6:07PM GMT

I really need to keep the IP’s the same… is there a way to do a vpn access through DMZ on the ASA5510 side?

 

BlankReg   11270 pts.  |   Aug 7 2009  9:46AM GMT

Use NAT, and both address schemes stay the same, each site then thinks it is accessing different IP addresses at the remote site. No need for the DMZ, which wouldn’t fix it anyway. The VPN traffic is what you need to NAT, (both source and destination).

 
0