I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
But nevertheless its a possibility.
So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
This function is called static policy NAT and was available between 7.2 and 8.2 even on PIX's.
access-list H2 permit tcp host 192.168.0.2 eq 443 x.x.x.0 255.255.255.0
static (inside,outside) tcp 188.8.131.52 443 access-list H2
access-list H3 permit tcp host 192.168.0.3 eq 443 y.y.0.0 255.255.0.0static (inside,outside) tcp 184.108.40.206 443 access-list H3
access-list H3 permit tcp host 192.168.0.3 eq 443 z.z.0.0 255.255.0.0
Unfortunately you cannot use deny statements in the ACLs so it may take time to construct H3 to cover a sufficiently big part of the Internet. You can test 'any' too.
I agree, from 8.3 it is much more convenient and I would not be afraid to use it. What is your ASA version?