ASA as Concentrator only / Return traffic going to PIX

Posted on 2008-11-11
Last Modified: 2012-05-05
Hey guys,

I have a network with two gateways.  A Cisco PIX, and a Cisco ASA.  Right now all the servers on this network are using the PIX as their gateway.  The ASA is configured and set up on this same network, and clients can connect to VPN without any problem.  The problem is that return traffic is being sent to the PIX and not the ASA.  Is there a way to fix this without putting static routes on all the servers?

Thanks much!
Question by:tonyPerry
    LVL 43

    Accepted Solution

    Not without using a router/layer3 switch on the inside of the network to make the routing decision.  

    Alternatively, if your PIX model supports it, you can connect the ASA to a free PIX interface and readdress the inside interface of the ASA.  All traffic can then use the PIX as the gateway and routing will work properly.  You would need to set up the appropriate access-lists and statics, obviously.

    Option 3 is what you already know (add static routes to the servers).

    Author Comment

    That's what I figured.  I think I will just add the routes to the servers, as that is easy enough.  

    I'm surprised Cisco didn't make the ASAs VPN capable only, like the concentrators.  I thought that the concentrators used 'proxy arp' in order to have return traffic routed back to them (without being a gateway address on remote devices), but that doesn't seem to work on the ASAs when enabled on the interfaces (default).  They did give the ASAs hairpin support, so if my gateway device was an ASA and not a PIX, then I could just simply add a static route.

    Anyways, thanks for the help.
    LVL 43

    Expert Comment

    Not so much with the static route approach as you will have the following for traffic from the client to server:

    ASA (client) to Server - SYN
    Server to PIX - SYN ACK

    The PIX never saw the SYN and therefore will deny the connection.  Return TCP traffic won't get back to the client.  UDP traffic will work but not TCP.

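As an added illustration (not part of the thread, and not Cisco code), the following Python model shows the stateful check the last comment describes and the host-route lookup behind the "static routes on the servers" option. The firewall logic is a deliberate simplification: a TCP segment is forwarded only if it matches existing state or is a pure SYN from the inside, while any inside-originated UDP datagram may open a flow. All addresses, the VPN pool and the inside-host set are constructed assumptions.

```python
"""Toy model of the asymmetric-routing failure discussed in the thread.

Assumed behaviour (simplified, not PIX code): the firewall forwards a TCP
segment only if it belongs to a connection it has already seen, and a new
TCP connection may only be opened by a pure SYN. A UDP datagram from the
inside can always open a new flow because UDP has no handshake.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for the illustration.
VPN_CLIENT = "192.0.2.10"     # VPN client, reachable through the ASA
SERVER = "10.0.0.20"          # inside server whose default gateway is the PIX
OUTSIDE_HOST = "198.51.100.5" # some Internet host
PIX_INSIDE = "10.0.0.1"       # PIX inside interface (server default gateway)
ASA_INSIDE = "10.0.0.2"       # ASA inside interface
VPN_POOL = "192.0.2.0/24"     # assumed ASA VPN address pool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    syn: bool = False
    ack: bool = False


def flow_key(pkt):
    """Direction-independent flow key (ports omitted to keep the model short)."""
    return (pkt.proto,) + tuple(sorted((pkt.src, pkt.dst)))


@dataclass
class StatefulFirewall:
    """Inside-to-outside is permitted; outside-to-inside only with existing state."""
    inside_hosts: set
    table: set = field(default_factory=set)

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.table:
            return "PASS"
        if pkt.src not in self.inside_hosts:
            return "DROP (no state, outside-in)"
        if pkt.proto == "udp":
            self.table.add(key)        # any inside-originated datagram opens a flow
            return "PASS"
        if pkt.syn and not pkt.ack:
            self.table.add(key)        # only a pure SYN opens a TCP connection
            return "PASS"
        return "DROP (TCP segment with no connection)"


def symmetric_outbound():
    """Server opens a TCP connection outbound; both directions cross the PIX."""
    pix = StatefulFirewall(inside_hosts={SERVER})
    syn = pix.process(Packet(SERVER, OUTSIDE_HOST, "tcp", syn=True))
    syn_ack = pix.process(Packet(OUTSIDE_HOST, SERVER, "tcp", syn=True, ack=True))
    return syn, syn_ack


def asymmetric_vpn_return():
    """VPN client's request reaches the server via the ASA, so the PIX never
    sees it; the server's reply follows its default route to the PIX."""
    pix = StatefulFirewall(inside_hosts={SERVER})
    tcp_reply = pix.process(Packet(SERVER, VPN_CLIENT, "tcp", syn=True, ack=True))
    udp_reply = pix.process(Packet(SERVER, VPN_CLIENT, "udp"))
    return tcp_reply, udp_reply


def next_hop(dst, routes):
    """Longest-prefix match over a host routing table [(prefix, gateway), ...]."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


DEFAULT_ONLY = [("0.0.0.0/0", PIX_INSIDE)]
WITH_STATIC = DEFAULT_ONLY + [(VPN_POOL, ASA_INSIDE)]  # the per-server static route


if __name__ == "__main__":
    print("symmetric:", symmetric_outbound())
    print("asymmetric:", asymmetric_vpn_return())
    print("reply next hop, default only:", next_hop(VPN_CLIENT, DEFAULT_ONLY))
    print("reply next hop, with static :", next_hop(VPN_CLIENT, WITH_STATIC))
```

Run it and the asymmetric case shows the SYN-ACK dropped while the UDP reply passes, which is the TCP-versus-UDP split the comment describes; the route lookup shows why a per-server static route for the VPN pool keeps the reply off the PIX entirely, and why a layer-3 device on the inside making that same decision removes the need to touch each server.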