Hairpin public outside traffic to server on vpn tunnel

Markalen
Level 1

Need some assistance in how to configure ASA to allow hairpin of public Internet traffic across VPN tunnel.

I have a server with an IP of 192.168.99.20 that sits behind an ASA with a VPN tunnel to another ASA with an outside public IP of 100.1.1.1. I need to allow anyone coming in on the Internet to reach port 443 on the server via the public IP of 100.1.1.1.

Currently, the only traffic mapped to the VPN tunnel between the ASAs is the 192.168.99.0 network and the 192.168.1.0 network.

How can I configure hairpin to allow public traffic on port 443 to reach this server?

Hairpin.PNG


1 Reply

This is quite challenging, but there are multiple options to solve that. You have to choose between a more complex setup of your network or some extra work of preparation.

Four ways to solve that, in my preferred order, from when I had a task like this to do:

  1. Move the server to the main site. Your Network doesn't need any more adjustments.
  2. Place a reverse-proxy into the DMZ of your HQ, terminate the connection there and the reverse-proxy sends the request to the branch office.
  3. If the branch has the same security controls (firewalling/IPS/DMZ and so on) as the main site, then use one of the public IPs on the branch.
  4. Solving that within your VPN is complex as the VPN has to protect "any <-> Branch-Server" on the branch VPN. To make that less complex I would first change the VPN from crypto-maps to tunnel-interfaces and use PBR on the branch to route the server-traffic into the tunnel. But I would consider this a dirty workaround with too much complexity.
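To make option 4 concrete, here is an added illustration (not from the original post or any Cisco document) of what the route-based variant looks like on both ASAs: a VTI between the sites, a static port NAT on the HQ ASA for 100.1.1.1:443 to the branch server, and PBR on the branch so the server's replies to Internet clients return through the tunnel instead of leaking out the branch's own default route. The tunnel addresses 10.255.0.1/10.255.0.2, the interface names, the branch peer address 203.0.113.2 and the object/ACL names are assumptions; the IKEv2 policy, IPsec proposal and tunnel-group for the peer are assumed to already exist on both sides.

```text
! ---- HQ ASA (public IP 100.1.1.1) ----
! Assumed: crypto ipsec profile VTI-PROFILE is already defined.
interface Tunnel0
 nameif vti-branch
 security-level 50
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Route the branch LAN into the tunnel (no crypto-map "interesting traffic" needed).
route vti-branch 192.168.99.0 255.255.255.0 10.255.0.2 1
!
! Publish only TCP/443 of the branch server on the HQ outside address.
object network BRANCH-SRV
 host 192.168.99.20
 nat (vti-branch,outside) static interface service tcp https https
!
! Permit inbound HTTPS to the real server address only (post-8.3 ACLs use real IPs).
access-list OUTSIDE-IN extended permit tcp any object BRANCH-SRV eq https
access-group OUTSIDE-IN in interface outside

! ---- Branch ASA (server 192.168.99.20 behind "inside") ----
interface Tunnel0
 nameif vti-hq
 security-level 50
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 100.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
route vti-hq 192.168.1.0 255.255.255.0 10.255.0.1 1
!
! PBR: the server's HTTPS replies to any client must go back via HQ, otherwise the
! flow is asymmetric and the HQ ASA drops it as out-of-state.
access-list SRV-HTTPS-RETURN extended permit tcp host 192.168.99.20 eq https any
route-map PBR-SRV permit 10
 match ip address SRV-HTTPS-RETURN
 set ip next-hop 10.255.0.1
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-SRV
```

After applying this, verify the hairpin with "show xlate | include 192.168.99.20" and "show conn address 192.168.99.20" on the HQ ASA while a client connects to https://100.1.1.1; a connection that appears in xlate but never in conn usually means the branch PBR is not catching the return traffic.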