Hairpin public outside traffic to server on vpn tunnel
Need some assistance in how to configure ASA to allow hairpin of public Internet traffic across VPN tunnel.
I have a server with an IP of 192.168.99.20 that sits behind an ASA with a VPN tunnel to another ASA with an outside public IP of 184.108.40.206. I need to allow anyone coming in from the Internet to reach port 443 on the server via the public IP of 220.127.116.11.
Currently, the only traffic mapped to the VPN tunnel between the ASAs is the 192.168.99.0 network and the 192.168.1.0 network.
How can I configure hairpin to allow public traffic on port 443 to reach this server?
Re: Hairpin public outside traffic to server on vpn tunnel
This is quite challenging, but there are multiple options to solve it. You have to choose between a more complex setup of your network and some extra preparation work.
Four ways to solve it, in my preferred order from when I had a task like this to do:
1. Move the server to the main site. Your network doesn't need any further adjustments.
2. Place a reverse proxy in the DMZ of your HQ, terminate the connection there, and have the reverse proxy send the request to the branch office.
3. If the branch has the same security controls (firewalling, IPS, DMZ and so on) as the main site, then use one of the public IPs at the branch.
4. Solving it within your VPN is complex, as the VPN has to protect "any <-> Branch-Server" on the branch VPN. To make that less complex I would first change the VPN from crypto maps to tunnel interfaces and use PBR on the branch to route the server traffic into the tunnel. But I would consider this a dirty workaround with too much complexity.
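The fourth option in the reply above (route-based VTI tunnel plus PBR on the branch), written out as an added example; this is not configuration from the thread or from Cisco documentation. It assumes an ASA release that supports IPsec VTI with IKEv2 and policy-based routing, a branch public address of 198.51.100.2 (documentation address, not given in the question), a /30 of 10.255.0.0 on the tunnel itself, an inside interface GigabitEthernet0/1 on the branch ASA, and that the IKEv2 policy and the ipsec-l2l tunnel-group for the peer already exist from the current crypto-map setup and are omitted here. Addresses from the question (HQ outside 184.108.40.206, published service 220.127.116.11, server 192.168.99.20) are used as-is.

```text
! ===== HQ ASA (outside 184.108.40.206) =====
! Assumed names: VTI-PROFILE, vti-branch, BRANCH-WEB, OUTSIDE-IN
crypto ipsec ikev2 ipsec-proposal VTI-AES-GCM
 protocol esp encryption aes-gcm-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-AES-GCM
!
interface Tunnel1
 nameif vti-branch
 security-level 50
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! The branch LAN is now reached by routing, not by a crypto ACL, so "any"
! as a source needs no entry in a proxy identity.
route vti-branch 192.168.99.0 255.255.255.0 10.255.0.2
!
! Publish 220.127.116.11:443 and translate it to the branch server.
! Real interface is the tunnel, mapped interface is outside.
object network BRANCH-WEB
 host 192.168.99.20
 nat (vti-branch,outside) static 220.127.116.11 service tcp https https
!
! Inbound ACL references the real (untranslated) address (ASA 8.3+ NAT).
access-list OUTSIDE-IN extended permit tcp any host 192.168.99.20 eq https
access-group OUTSIDE-IN in interface outside

! ===== Branch ASA (outside 198.51.100.2, assumed) =====
interface Tunnel1
 nameif vti-hq
 security-level 50
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 184.108.40.206
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
route vti-hq 192.168.1.0 255.255.255.0 10.255.0.1
!
! Traffic arriving from the tunnel (security 50) towards inside (100)
! needs an explicit permit; allow only the published service.
access-list VTI-HQ-IN extended permit tcp any host 192.168.99.20 eq https
access-group VTI-HQ-IN in interface vti-hq
!
! PBR: the server's replies (source 192.168.99.20:443, any destination)
! must go back through the tunnel, not out the branch default route,
! otherwise the HQ ASA never sees the return half of the NAT'd flow.
access-list SERVER-REPLIES extended permit tcp host 192.168.99.20 eq https any
route-map SERVER-TO-HQ permit 10
 match ip address SERVER-REPLIES
 set ip next-hop 10.255.0.1
interface GigabitEthernet0/1
 policy-route route-map SERVER-TO-HQ
```

Two checks before relying on this: on the HQ ASA, `packet-tracer input outside tcp 203.0.113.5 40000 220.127.116.11 443` should show the NAT hit and an egress of vti-branch; on the branch ASA, the same tracer from inside with source 192.168.99.20 port 443 should show the PBR route-map, not the default route. If the branch still has a crypto map on the outside interface for the 192.168.99.0/192.168.1.0 pair, remove it once the VTI is up, or the two will compete for the same peer. The caveat from the reply stands: every client on the Internet now reaches a branch host through the HQ ASA, so the HQ inspection policy (ACL, IPS if present) is the only control in front of that server.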