Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
324
Views
0
Helpful
2
Replies

Network to Network access.

davbrew2005
Level 1
Level 1

‎12-09-2013 02:13 PM - edited ‎03-11-2019 08:15 PM

We have asa's at our hotels. We have a brand network and our local network. I am trying to get the 172 nw to access the opera server and back. The given us a port on their netgate to access the server and assigned it the 172.16.10.200 address. I had the sae configuration that you see now working and then we had to replace the asa and we can no longer get the connection to access the opera server. I have a host entry on all the workstations that use to access the server. any ideas?

Labels:
15372303-kyw_opera.txt.zip
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎12-09-2013 03:13 PM

Hi,

Do you mean that the gateway behind which the Opera network is found is supposed to be 172.16.10.200?

I am just wondering as your ASA has a route towards a gateway address of 172.16.10.221

Also I am kind of wondering how this setup has worked. It would seem to me to possibly be a setup with asymmetric routing. I mean your hosts on the network 172.16.10.0/24 probably use the ASA as their gateway and you have the network to which you need to connect through a gateway that is located in the same network.

To me it would seem that the connection forming would go like this

  • Host on the network 172.16.10.0/24 sends TCP SYN to Opera server through ASA (default gateway)
  • TCP SYN reaches the server and server replies but the TCP SYN ACK is sent back from the Opera gateway directly to the host
  • Host sends the TCP ACK to the ASA (default gateway) and ASA blocks it as it has not seen the TCP SYN ACK at any point

Atleast to me it would seem to be the situation but I might be wrong.

This situation is usually avoided by using TCP State Bypass.

But I am not sure what the actual problem is at the moment.

- Jouni

0 Helpful

davbrew2005
Level 1
Level 1
In response to Jouni Forss

‎12-09-2013 03:26 PM

The gateway is  172.16 10.221. Sorry about that.  We use to be able to access the opera server  through a browser at 10.170.195.12 but it no longer resolves after I replaced the asa. 172.16.10.221 is the address they assigned to the netgate port we plugged into.  All traffic from 172.16.10.0 going to the operaserver went through that port on their netgate.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card