

Hairpin public outside traffic to server on vpn tunnel

Need some assistance with how to configure the ASA to allow hairpinning of public Internet traffic across a VPN tunnel.

I have a server with an IP of that sits behind an ASA with a VPN tunnel to another ASA with an outside public IP of. I need to allow anyone coming in from the Internet to reach port 443 on the server via the public IP of

Currently, the only traffic mapped to the VPN tunnel between the ASAs is the network and the network.

How can I configure hairpin to allow public traffic on port 443 to reach this server?





Re: Hairpin public outside traffic to server on vpn tunnel

This is quite challenging, but there are multiple options to solve it. You have to choose between a more complex network setup and some extra preparation work.

Four ways to solve it, in the order I would prefer if I had a task like this to do:

  1. Move the server to the main site. Your network doesn't need any further adjustments.
  2. Place a reverse proxy in the DMZ of your HQ, terminate the connection there, and have the reverse proxy send the request to the branch office.
  3. If the branch has the same security controls (firewalling/IPS/DMZ and so on) as the main site, then use one of the public IPs at the branch.
  4. Solving it within your VPN is complex, as the VPN has to protect "any <-> Branch-Server" on the branch VPN. To make that less complex, I would first change the VPN from crypto maps to tunnel interfaces and use PBR on the branch to route the server traffic into the tunnel. But I would consider this a dirty workaround with too much complexity.
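
For readers who still want to go with option 4, the following is an added example of what that build looks like on two ASAs running 9.7 or later (VTI requires that release); it is not configuration from the original thread, and every address, interface name, object name and the pre-shared key in it is an assumed placeholder: HQ outside 203.0.113.10 (the public IP to publish), branch outside 198.51.100.20, HQ LAN 192.168.10.0/24, branch LAN 192.168.20.0/24 with the server at 192.168.20.10, and 10.255.255.0/30 for the tunnel itself. The point it demonstrates is the one the answer makes: with a routed tunnel interface the HQ ASA can NAT the public address straight into the tunnel without any intra-interface hairpin, and the branch needs PBR because the server's replies must come back through the HQ, where the NAT state lives, rather than out the branch's own default route.

```text
! ---------- HQ ASA (owns the public IP; assumed outside IP 203.0.113.10) ----------
! IKEv2 / IPsec parameters used by the tunnel interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES-GCM-256
! Tunnel-group is keyed on the branch outside IP (assumed 198.51.100.20); PSK is a placeholder
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
! Routed tunnel interface replacing the crypto map: the VPN becomes a normal nameif,
! so "any -> server" never has to match a crypto ACL
interface Tunnel1
 nameif vti-branch
 security-level 100
 ip address 10.255.255.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! Branch LAN (assumed 192.168.20.0/24) is reached through the tunnel
route vti-branch 192.168.20.0 255.255.255.0 10.255.255.2
! Publish TCP/443 on the HQ outside interface address and forward it into the tunnel
object network BRANCH-SRV
 host 192.168.20.10
 nat (vti-branch,outside) static interface service tcp https https
! Post-8.3 ACLs reference the real (untranslated) address
access-list OUTSIDE_IN extended permit tcp any object BRANCH-SRV eq https
access-group OUTSIDE_IN in interface outside
! inside and vti-branch are both security-level 100 in this example
same-security-traffic permit inter-interface

! ---------- Branch ASA (server 192.168.20.10 sits behind its inside interface) ----------
! crypto ikev2 policy, ipsec-proposal and ipsec profile are identical to the HQ side
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
interface Tunnel1
 nameif vti-hq
 security-level 100
 ip address 10.255.255.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
! HQ LAN (assumed 192.168.10.0/24) is reached through the tunnel
route vti-hq 192.168.10.0 255.255.255.0 10.255.255.1
same-security-traffic permit inter-interface
! PBR: the server's HTTPS replies must go back to HQ, where the NAT state for the
! public connection lives. Without this they follow the branch default route out its
! own outside interface and every session breaks (asymmetric path).
access-list PBR-SRV-HTTPS extended permit tcp host 192.168.20.10 eq https any
route-map PBR-TO-HQ permit 10
 match ip address PBR-SRV-HTTPS
 set ip next-hop 10.255.255.1
! Inside interface name is assumed; apply the route-map where the server's traffic enters
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-TO-HQ
```

Two things to check after applying it. On the HQ ASA, `show crypto ikev2 sa` should show the SA to the branch and `packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.10 443` should end with the NAT translation to 192.168.20.10 and an egress interface of vti-branch; on the branch, `packet-tracer input inside tcp 192.168.20.10 443 192.0.2.50 40000` should pick the PBR route-map and egress via vti-hq, confirming the reply path is symmetric. One caveat the `interface` keyword carries: if the HQ ASA itself terminates anything on TCP/443 at its outside address (ASDM, AnyConnect), publish the server on a separate mapped address instead of the interface IP, otherwise the NAT rule and the ASA's own listener collide.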