<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Network to Network access. in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383627#M307403</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you mean that the gateway behind which the Opera network is found is supposed to be 172.16.10.200?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am just wondering as your ASA has a route towards a gateway address of 172.16.10.221&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I am kind of wondering how this setup has worked. It would seem to me to possibly be a setup with asymmetric routing. I mean your hosts on the network 172.16.10.0/24 probably use the ASA as their gateway and you have the network to which you need to connect through a gateway that is located in the same network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To me it would seem that the connection forming would go like this&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Host on the network 172.16.10.0/24 sends TCP SYN to Opera server through ASA (default gateway)&lt;/LI&gt;&lt;LI&gt;TCP SYN reaches the server and server replies but the TCP SYN ACK is sent back from the Opera gateway directly to the host&lt;/LI&gt;&lt;LI&gt;Host sends the TCP ACK to the ASA (default gateway) and ASA blocks it as it has not seen the TCP SYN ACK at any point&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At least to me it would seem to be the situation but I might be wrong.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This situation is usually avoided by using TCP State Bypass.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I am not sure what the actual problem is at the moment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 09 Dec 2013 23:13:13 GMT</pubDate>
    <dc:creator>Jouni Forss</dc:creator>
    <dc:date>2013-12-09T23:13:13Z</dc:date>
    <item>
      <title>Network to Network access.</title>
      <link>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383626#M307400</link>
      <description>&lt;P&gt;We have ASAs at our hotels. We have a brand network and our local network. I am trying to get the 172 network to access the Opera server and back. They have given us a port on their netgate to access the server and assigned it the 172.16.10.200 address. I had the same configuration that you see now working and then we had to replace the ASA and we can no longer get the connection to access the Opera server. I have a host entry on all the workstations that used to access the server. Any ideas?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 03:15:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383626#M307400</guid>
      <dc:creator>davbrew2005</dc:creator>
      <dc:date>2019-03-12T03:15:05Z</dc:date>
    </item>
    <item>
      <title>Network to Network access.</title>
      <link>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383627#M307403</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you mean that the gateway behind which the Opera network is found is supposed to be 172.16.10.200?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am just wondering as your ASA has a route towards a gateway address of 172.16.10.221&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I am kind of wondering how this setup has worked. It would seem to me to possibly be a setup with asymmetric routing. I mean your hosts on the network 172.16.10.0/24 probably use the ASA as their gateway and you have the network to which you need to connect through a gateway that is located in the same network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To me it would seem that the connection forming would go like this&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Host on the network 172.16.10.0/24 sends TCP SYN to Opera server through ASA (default gateway)&lt;/LI&gt;&lt;LI&gt;TCP SYN reaches the server and server replies but the TCP SYN ACK is sent back from the Opera gateway directly to the host&lt;/LI&gt;&lt;LI&gt;Host sends the TCP ACK to the ASA (default gateway) and ASA blocks it as it has not seen the TCP SYN ACK at any point&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;At least to me it would seem to be the situation but I might be wrong.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This situation is usually avoided by using TCP State Bypass.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I am not sure what the actual problem is at the moment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Dec 2013 23:13:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383627#M307403</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-12-09T23:13:13Z</dc:date>
    </item>
    <item>
      <title>Network to Network access.</title>
      <link>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383628#M307404</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The gateway is 172.16.10.221. Sorry about that. We used to be able to access the Opera server through a browser at 10.170.195.12 but it no longer resolves after I replaced the ASA. 172.16.10.221 is the address they assigned to the netgate port we plugged into. All traffic from 172.16.10.0 going to the Opera server went through that port on their netgate.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 09 Dec 2013 23:26:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/network-to-network-access/m-p/2383628#M307404</guid>
      <dc:creator>davbrew2005</dc:creator>
      <dc:date>2013-12-09T23:26:33Z</dc:date>
    </item>
  </channel>
</rss>

