Hairpin public outside traffic to server on vpn tunnel
Need some assistance in how to configure ASA to allow hairpin of public Internet traffic across VPN tunnel.
I have a server with an IP of 192.168.99.20 that sits behind an ASA with a VPN tunnel to another ASA with an outside public IP of 18.104.22.168. I need to allow anyone coming in on the Internet to reach port 443 on the server via the public IP of 22.214.171.124.
Currently, the only traffic mapped to the VPN tunnel between the ASAs is the 192.168.99.0 network and the 192.168.1.0 network.
How can I configure hairpin to allow public traffic on port 443 to reach this server?
Re: Hairpin public outside traffic to server on vpn tunnel
This is quite challenging, but there are multiple options to solve that. You have to choose between a more complex setup of your network or some extra work of preparation.
Four ways to solve that in my preferred order when I had a task like this to do:
Move the server to the main site. Your network doesn't need any more adjustments.
Place a reverse proxy into the DMZ of your HQ, terminate the connection there, and have the reverse proxy send the request to the branch office.
If the branch has the same security controls (firewalling/IPS/DMZ and so on) as the main site, then use one of the public IPs on the branch.
Solving that within your VPN is complex as the VPN has to protect "any <-> Branch-Server" on the branch VPN. To make that less complex I would first change the VPN from crypto-maps to tunnel-interfaces and use PBR on the branch to route the server-traffic into the tunnel. But I would consider this a dirty workaround with too much complexity.
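Option 4 (route-based VPN with VTI plus PBR on the branch) sketched as an added ASA configuration example; it is not from the thread and is not tested against the poster's setup. The tunnel /30, the VTI nameifs, the object/ACL names and the IPsec profile name are assumptions; 18.104.22.168 is taken as the HQ outside address and 22.214.171.124 as the HQ-owned public IP to expose, and the branch public IP is a placeholder because the question does not give it.

```cisco
! ---- HQ ASA ----
! outside -> outside hairpin needs intra-interface traffic enabled
same-security-traffic permit intra-interface
! assumed VTI; IKEv2/IPsec profile VTI-PROFILE must already exist
interface Tunnel1
 nameif vti-branch
 security-level 100
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination <branch-public-ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! server subnet is reachable only through the tunnel
route vti-branch 192.168.99.0 255.255.255.0 10.255.0.2
! public 22.214.171.124:443 -> 192.168.99.20:443, only that port
object network BRANCH-SERVER-443
 host 192.168.99.20
 nat (vti-branch,outside) static 22.214.171.124 service tcp 443 443
! post-8.3 ACLs reference the real (untranslated) address
access-list OUTSIDE_IN extended permit tcp any host 192.168.99.20 eq 443
access-group OUTSIDE_IN in interface outside

! ---- Branch ASA ----
interface Tunnel1
 nameif vti-hq
 security-level 100
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 18.104.22.168
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! replies from the server to Internet clients must return via the tunnel,
! not the branch default route, or HQ's NAT state never sees them
access-list SERVER-RETURN extended permit tcp host 192.168.99.20 eq 443 any
route-map TO-HQ permit 10
 match ip address SERVER-RETURN
 set ip next-hop 10.255.0.1
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map TO-HQ
```

Everything else from the server still follows the branch default route; only the 443 replies are steered into the tunnel, which is the asymmetric-routing problem the reply above warns about.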