[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319
  • Last Modified:

ASA as Concentrator only / Return traffice going to PIX

Hey guys,

I have a network with two gateways.  A Cisco PIX, and a Cisco ASA.  Right now all the servers on this network are using the PIX as it's gateway.  The ASA is configured and setup on this same network, and clients can connect to VPN without any problem.  The problem is that return traffic is being sent to the PIX and not the ASA.  Is there a way to fix this without putting static routes on all the Servers?

Thanks much!
  • 2
1 Solution
Not without using a router/layer3 switch on the inside of the network to make the routing decision.  

Alternatively, if your PIX model supports it, you can connect the ASA to a free PIX interface and readdress the inside interface of the ASA.  All traffic can then use the PIX as the gateway and routing will work properly.  You would need to setup the appropriate access-lists and static's obviously.

Option 3 is what you already know (add static routes to the servers).
tonyPerryAuthor Commented:
Thats what i figured.  I think i will just add the routes to the servers, as that is easy enough.  

I'm suprised Cisco didnt make the ASA's VPN capable only, like the concentrator's.  I thought that the concentrator's used 'proxy arp' in order to have return traffic routed back to them (without being a gateway address on remote devices), but that doesnt seem to work on the ASA's when enabled on the interfaces (default).  They did give the ASA's hairpin support, so if my gateway device was an ASA and not a PIX, then I could just simply add a static route.

Anyways, thanks for the help.
Not so much with the static route approach as you will have the following for traffic from the client to server:

ASA (client) to Server - SYN
Server to PIX - SYN ACK

The PIX never saw the SYN and therefore will deny the connection.  Return TCP traffic won't get back to the client.  UDP traffic will work but not TCP.

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now