ASA as Concentrator only / Return traffic going to PIX

Hey guys,

I have a network with two gateways: a Cisco PIX and a Cisco ASA.  Right now all the servers on this network are using the PIX as their gateway.  The ASA is configured and set up on this same network, and clients can connect to VPN without any problem.  The problem is that return traffic is being sent to the PIX and not the ASA.  Is there a way to fix this without putting static routes on all the servers?

Thanks much!

Not without using a router/layer3 switch on the inside of the network to make the routing decision.  

Alternatively, if your PIX model supports it, you can connect the ASA to a free PIX interface and readdress the inside interface of the ASA.  All traffic can then use the PIX as the gateway and routing will work properly.  You would need to set up the appropriate access-lists and statics, obviously.

Option 3 is what you already know (add static routes to the servers).

tonyPerry (Author) commented:
That's what I figured.  I think I will just add the routes to the servers, as that is easy enough.  

I'm surprised Cisco didn't make the ASAs VPN-capable only, like the concentrators.  I thought that the concentrators used 'proxy arp' in order to have return traffic routed back to them (without being a gateway address on remote devices), but that doesn't seem to work on the ASAs when enabled on the interfaces (default).  They did give the ASAs hairpin support, so if my gateway device was an ASA and not a PIX, then I could just simply add a static route.

Anyways, thanks for the help.
Not so much with the static route approach as you will have the following for traffic from the client to server:

ASA (client) to Server - SYN
Server to PIX - SYN ACK

The PIX never saw the SYN and therefore will deny the connection.  Return TCP traffic won't get back to the client.  UDP traffic will work but not TCP.
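The failure mode the thread describes (SYN enters through the ASA, SYN-ACK leaves through the PIX, which has no state for the flow) can be modelled in a few lines. The following is an added example written for this page, not configuration from either firewall or code from the thread; the addresses, the VPN pool and the one-table stateful check are constructed for illustration. It simulates the server's reply with its default route pointing at the PIX, and then with a more specific route for the VPN client pool pointing at the ASA, so the reply takes the same path the SYN took.

```python
"""Toy model of asymmetric return traffic across two stateful gateways.

Two firewalls (PIX and ASA) sit on the same inside LAN.  A VPN client
terminated on the ASA opens a TCP connection to an inside server.  The
server's reply follows the server's own routing table, and each firewall
only forwards non-SYN segments for connections whose SYN it has seen.
All addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
import ipaddress

VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # constructed VPN client pool
CLIENT_IP = "10.99.0.7"                            # constructed VPN client
SERVER_IP = "192.168.1.50"                          # constructed inside server


@dataclass
class StatefulFirewall:
    """Minimal connection-tracking gateway: remembers flows whose SYN it saw."""
    name: str
    conns: set = field(default_factory=set)

    def forward(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        reverse = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.conns.add(key)          # new connection: create state
            return True
        # Any other segment is forwarded only if this box holds state for the flow
        return key in self.conns or reverse in self.conns


@dataclass
class Server:
    """Inside host with a default gateway and optional more-specific routes."""
    ip: str
    default_gw: str                      # gateway name, "pix" or "asa"
    routes: dict = field(default_factory=dict)  # ip_network -> gateway name

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, gw in self.routes.items():
            if addr in net:
                return gw                # longest match not needed for one route
        return self.default_gw


def simulate(server):
    """Run one SYN / SYN-ACK exchange; return (gateway used, reply delivered)."""
    gateways = {"pix": StatefulFirewall("pix"), "asa": StatefulFirewall("asa")}

    # Client -> server always enters the LAN through the ASA (VPN termination)
    syn = {"src": CLIENT_IP, "dst": server.ip, "sport": 40000, "dport": 443,
           "flags": "SYN"}
    gateways["asa"].forward(syn)

    # Server -> client follows the server's routing table
    synack = {"src": server.ip, "dst": CLIENT_IP, "sport": 443, "dport": 40000,
              "flags": "SYN-ACK"}
    gw = server.next_hop(synack["dst"])
    delivered = gateways[gw].forward(synack)
    return gw, delivered


def without_static_route():
    """Server uses the PIX as its only gateway: reply goes to the PIX."""
    return simulate(Server(SERVER_IP, default_gw="pix"))


def with_static_route():
    """Server has a route for the VPN pool via the ASA: reply is symmetric."""
    return simulate(Server(SERVER_IP, default_gw="pix", routes={VPN_POOL: "asa"}))


if __name__ == "__main__":
    print("no route  :", without_static_route())   # ('pix', False)
    print("with route:", with_static_route())      # ('asa', True)
```

The model deliberately ignores ACLs, NAT and the `tcp-state-bypass` style options of later ASA software; the point it shows is only that a stateful gateway that never saw the SYN has no reason to pass the SYN-ACK, which is why a route for the VPN pool on the server (or a layer 3 device inside the LAN making that decision, as the first answer suggests) brings the reply back through the ASA.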