Serving two hosts through port 443 SSL

Frank27
Level 1

This is the scenario:

A 1941 router needs to redirect port 443 (SSL) to a web server inside the LAN on port 3000, while another web server needs to be served on port 443-443:

 

router 1941 ----> outside 443 inside 443

        =         ----> outside 443 inside 3000

 

Is this possible without changing the outside port?

 

Accepted Solution


@Georg Pauwen wrote:

@paul driver I guess I am misreading the original post. Where would the outside2 come from? Are you suggesting to get an additional ISP connection, or an additional public IP address from the existing ISP?


Yes the latter, use an additional inside global IP or use a different outside TCP port.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Frank27
Level 1

I found that the only solution is changing the outside port...

If you use a different IP for each NAT then it is OK, but with the same IP I don't think so.

balaji.bandi
Hall of Fame

No, you can do that instead use a different port

 

ip nat inside source static tcp x.x.x.x 443 y.y.y.y 443

ip nat inside source static tcp x.x.x.x 8443 z.z.z.z 3000

 

Another way is FQDN.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi 

 

Hello,

 

Just out of curiosity, which device and IOS did you get this to work on? Same outside address and same outside port, but different inside ports? I get an error saying that the IP is already mapped...

This works on any router - I would suggest checking the syntax before configuring (a misconfiguration will surely give that error)

 

ip nat inside source static tcp x.x.x.x 443 y.y.y.y 443

ip nat inside source static tcp x.x.x.x 8443 z.z.z.z 3000

 

BB


@balaji.bandi I think OP is asking the question because he wants to map both servers to the SAME outside IP address, not different ones. 

 

Otherwise I guess he would not be asking the question to start out with...

No, you can do that instead use a different port

I do address OP's question and asked to use different methods, just for clarity here.

 

BB


@balaji.bandi 

 

As I understood the question, it was if the below works:

 

ip nat inside source static tcp 192.168.1.10 443 212.12.10.243 443
ip nat inside source static tcp 192.168.1.11 3000 212.12.10.243 443

 

It doesn't work. I thought you got it to work, maybe on a different IOS version, that's why I was asking.
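
Why the second mapping in the configuration quoted just above is refused, as an added example that is not part of the original thread: a static port-forward is looked up by outside protocol, address and port, so that triple can point at only one inside host. The checker is hypothetical helper code (its function names are assumptions) and handles only the `ip nat inside source static tcp|udp` form used in this thread; the second rule set is constructed from the thread's advice to use a different outside port, with 8443 taken from the earlier reply.

```python
import re
from collections import defaultdict

# Form used in the thread (trailing IOS keywords are not handled here):
#   ip nat inside source static {tcp|udp} <local-ip> <local-port> <global-ip> <global-port>
RULE = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)\s*$"
)

def parse_rules(config):
    """Return a list of (proto, local_ip, local_port, global_ip, global_port)."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line)
        if m:
            proto, lip, lport, gip, gport = m.groups()
            rules.append((proto, lip, int(lport), gip, int(gport)))
    return rules

def find_conflicts(config):
    """Map each outside (proto, global_ip, global_port) claimed by more than
    one inside target to the list of inside (ip, port) pairs claiming it."""
    claims = defaultdict(list)
    for proto, lip, lport, gip, gport in parse_rules(config):
        claims[(proto, gip, gport)].append((lip, lport))
    return {key: targets for key, targets in claims.items() if len(set(targets)) > 1}

# The two lines quoted in the thread: both claim 212.12.10.243:443.
SAME_OUTSIDE_PORT = """\
ip nat inside source static tcp 192.168.1.10 443 212.12.10.243 443
ip nat inside source static tcp 192.168.1.11 3000 212.12.10.243 443
"""
# Constructed variant: second server moved to outside port 8443.
DIFFERENT_OUTSIDE_PORT = """\
ip nat inside source static tcp 192.168.1.10 443 212.12.10.243 443
ip nat inside source static tcp 192.168.1.11 3000 212.12.10.243 8443
"""

if __name__ == "__main__":
    for name, cfg in [("same outside port", SAME_OUTSIDE_PORT),
                      ("different outside port", DIFFERENT_OUTSIDE_PORT)]:
        print(name, "->", find_conflicts(cfg) or "no conflict")
```
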

@Frank27 wrote:

Is this possible without changing the outside port?

Yes, by changing the inside global address as stated by @balaji.bandi

Options I would say are:

1
router 1941 ----> outside1 443 inside1 443

        =         ----> outside1 3000 inside2 443

2
router 1941 ----> outside1 443 inside1 443

        =         ----> outside2 443 inside2 443



kind regards
Paul


@paul driver I guess I am misreading the original post. Where would the outside2 come from? Are you suggesting to get an additional ISP connection, or an additional public IP address from the existing ISP?


Frank27
Level 1

Yes, sorry, I need to add some clarifications:

1) There is one static public IP in the WAN -- not two.

2) The LAN IPs are different, but the scope of this question was doing it without mapping a different external port.

To recap:

x.x.x.x (Static public)--> 192.168.0.1 (webserver running CentOS)---> ext 443 int 443

                                --> 192.168.0.2 (webserver running CentOS)---> ext 443 int 3000

This was the deal... I made it work using a different external port for the second address, like:

x.x.x.x (Static public)--> 192.168.0.1 (webserver running CentOS)---> ext 5000 int 443

                                --> 192.168.0.2 (webserver running CentOS)---> ext 443 int 3000

Yes, that is what our suggestion was.

Or use FQDN.

BB


@balaji.bandi What would an FQDN-based solution look like with regard to this specific issue?