Hairpin public outside traffic to server on vpn tunnel
Need some assistance in how to configure ASA to allow hairpin of public Internet traffic across VPN tunnel.
I have a server with an IP of 192.168.99.20 that sits behind an ASA with a VPN tunnel to another ASA with an outside public IP of 184.108.40.206. I need to allow anyone coming in on the Internet to reach port 443 on the server via the public IP of 220.127.116.11.
Currently, the only traffic mapped to the VPN tunnel between the ASAs is the 192.168.99.0 network and the 192.168.1.0 network.
How can I configure hairpin to allow public traffic on port 443 to reach this server?
Re: Hairpin public outside traffic to server on vpn tunnel
This is quite challenging, but there are multiple options to solve that. You have to choose between a more complex setup of your network or some extra work of preparation.
Four ways to solve that in my preferred order when I had a task like this to do:
Move the server to the main site. Your network doesn't need any more adjustments.
Place a reverse-proxy into the DMZ of your HQ, terminate the connection there and the reverse-proxy sends the request to the branch office.
If the branch has the same security controls (firewalling/IPS/DMZ and so on) as the main site, then use one of the public IPs on the branch.
Solving that within your VPN is complex as the VPN has to protect "any <-> Branch-Server" on the branch VPN. To make that less complex I would first change the VPN from crypto-maps to tunnel-interfaces and use PBR on the branch to route the server-traffic into the tunnel. But I would consider this a dirty workaround with too much complexity.