Cisco ASA 5510 site-to-site with PIX v6.3

Cisco ASA
Cisco PIX
PIX 6.3
I've recently developed a need to connect 2 networks together. One network (PIX Network) is currently connected to another network (DOMAIN 1) already via IPSEC site-to-site VPN. The other (ASA) is connected to many other sites via IPSEC site-to-site VPN and is those sites' main domain server (DNS, DHCP, File, etc.). The PIX site is not a member of a domain, but uses DOMAIN 1's file server to do work. I need to connect the PIX and ASA networks together by IPSEC site-to-site VPN; normally this would be a no-brainer and would go down without a hitch, but there is a small problem in all of this. ASA and DOMAIN 1 have the same IP schema, and the main assets PIX needs to use reside at the same IP on both networks. This is where my problem comes in. PIX needs to be able to access DOMAIN 1's file server which resides at and ASA's file server which also resides at on its network at the same time. I was thinking I could somehow set up a DMZ on ASA and only allow access to the DMZ to the PIX network. This would eliminate the IP conflicts of the file servers and PIX would be able to work on both at the same time. The problem is I do not know how to go about this on the ASA network. It has an ASA5510, but no DMZ is currently set up on it and I can not find in ASDM where to set it up, nor do I know how to do it in CLI. Also, is there a way for the DMZ interface to work through my external Vlan 1? Once the ASA side is set up I'm unsure how to configure the PIX side of this.

Answer Wiki


I say change the IP schema on the PIX side. If you are on DHCP, that makes it very easy for the clients. Then all you have to worry about is the no-brainer VPN. Hope this helps.


Changing the schema is easily said, but difficult to achieve in a lot of circumstances. A much easier way, and all under your control, is to just NAT the IP address of the server, and of the source network.

Then the server just thinks it is talking to a different subnet, and the users access the remote server on a new IP address. The VPN access list is then configured to use these natted addresses rather than the ‘real’ ones.

I do this all the time, looking after a VPN network with about 30 remote sites (customers), and many of them have the same IP address schema. Using NAT hides all of this from the users; they just think there are many different subnets, and the ASA does the rest (with a little help from my config!).


Discuss This Question: 2 Replies

  • Madpawn
    I really need to keep the IPs the same... is there a way to do VPN access through a DMZ on the ASA5510 side?
  • BlankReg
    Use NAT, and both address schemes stay the same; each site then thinks it is accessing different IP addresses at the remote site. No need for the DMZ, which wouldn't fix it anyway. The VPN traffic is what you need to NAT (both source and destination).
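As an added illustration (not configuration from the original thread or from either poster), here is what the NAT approach described in BlankReg's answer and reply could look like on both firewalls. Every address, object name, map name and sequence number is constructed: the ASA LAN is taken as 192.168.1.0/24 (the range that collides with DOMAIN 1, file server at .10), the range the PIX site is shown is 10.99.1.0/24, the PIX LAN is 192.168.10.0/24, and PIX_PUBLIC_IP, ASA_PUBLIC_IP and REPLACE_WITH_STRONG_PSK are placeholders. It assumes the ASA runs 8.4 or later (twice-NAT and `crypto ikev1` syntax) and that the PIX's existing DOMAIN 1 tunnel lives in a crypto map named OUTSIDE_MAP at sequence 10, so the new entry uses sequence 20.

```cisco
! ==== ASA 5510 side (ASA 8.4+ syntax; all values constructed) ====
! Real ASA LAN 192.168.1.0/24 overlaps with DOMAIN 1, so the PIX site is
! shown a mapped copy, 10.99.1.0/24. A /24-to-/24 static mapping keeps the
! host part, so the file server 192.168.1.10 appears to the PIX as 10.99.1.10.
object network ASA_LAN_REAL
 subnet 192.168.1.0 255.255.255.0
object network ASA_LAN_MAPPED
 subnet 10.99.1.0 255.255.255.0
object network PIX_LAN
 subnet 192.168.10.0 255.255.255.0
!
! Twice NAT: rewrite the ASA LAN only when the destination is the PIX LAN.
! The destination clause is an identity mapping here; the other VPN sites
! never match this rule, so their existing tunnels are untouched.
nat (inside,outside) source static ASA_LAN_REAL ASA_LAN_MAPPED destination static PIX_LAN PIX_LAN
!
! The crypto ACL must reference the MAPPED source: the ASA translates first
! and then matches the crypto map, so a rule written with 192.168.1.0/24
! would never match and the tunnel would never come up for this traffic.
access-list VPN_TO_PIX extended permit ip object ASA_LAN_MAPPED object PIX_LAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN_TO_PIX
crypto map OUTSIDE_MAP 20 set peer PIX_PUBLIC_IP
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group PIX_PUBLIC_IP type ipsec-l2l
tunnel-group PIX_PUBLIC_IP ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK

! ==== PIX 6.3 side (all values constructed) ====
! The PIX only ever learns about 10.99.1.0/24. It never sees 192.168.1.0/24,
! so there is no collision with the existing DOMAIN 1 tunnel, which still
! carries the real (duplicate) range.
access-list VPN_TO_ASA permit ip 192.168.10.0 255.255.255.0 10.99.1.0 255.255.255.0
! NAT exemption so PIX users enter the tunnel with their real addresses.
! If a NONAT list already exists for the DOMAIN 1 tunnel, this line is
! simply appended to it rather than replacing it.
access-list NONAT permit ip 192.168.10.0 255.255.255.0 10.99.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address ASA_PUBLIC_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Sequence 20 on the same map name as the existing DOMAIN 1 entry (assumed
! to be sequence 10); a PIX interface can carry only one crypto map.
crypto map OUTSIDE_MAP 20 ipsec-isakmp
crypto map OUTSIDE_MAP 20 match address VPN_TO_ASA
crypto map OUTSIDE_MAP 20 set peer ASA_PUBLIC_IP
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

The two crypto ACLs are mirror images of each other in terms of the translated addresses (192.168.10.0/24 to 10.99.1.0/24 on the PIX, 10.99.1.0/24 to 192.168.10.0/24 on the ASA); if they disagree, phase 2 will fail with a proxy identity mismatch, which is the first thing to check in `debug crypto ipsec` when the tunnel does not come up. PIX users then reach the ASA file server at 10.99.1.10 and the DOMAIN 1 file server at its real address, which is the "two servers at the same IP" situation the question describes. If the PIX LAN itself also overlapped with something on the ASA side, the same twice-NAT rule is where it would be mapped as well, in the destination clause, which is what BlankReg means by translating both source and destination. On an ASA older than 8.3 the equivalent of the `nat ... source static ... destination static` line is policy static NAT, `static (inside,outside) 10.99.1.0 access-list <policy-acl>`, with the ACL permitting 192.168.1.0/24 to 192.168.10.0/24.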
