Static NAT to two servers using same port

Hello team.
I have an office with a single public IP address. I have two servers inside using the same port (192.168.1.100:443 and 192.168.1.200:443).
I need to do NAT (port forwarding) on port 443 to two different servers from the outside public interface.

So I created two SNAT rules:

78.x.x.130 --> 192.168.1.100:443
78.x.x.130 --> 192.168.1.200:443

I created two Policies:

From: AnyExternal
Src Port: Any
To: 78.x.x.130
Dst Port: tcp:443

From: AnyExternal
Src Port: tcp: 8443
To: 78.x.x.130
Dst Port: tcp:443

But only the first rule matches. What am I doing wrong, in your opinion?

Thanks a lot.

Comments

  •

    For the second server, you need to first create a new custom policy for port TCP 8443.

    Then an SNAT policy where “Set internal port to different port” is 443.

    The inbound policies should look like this.

    To connect to the first server, the address is: https://78.x.x.13
    and when connecting to the second server the address is: https://78.x.x.13:8443

  •

    Thank you.
    I hadn't changed the port in the policy to 8443. :smile:

    @kimmo.pohjoisaho said:
    For the second server, you need to first create a new custom policy for port TCP 8443.

    Then an SNAT policy where “Set internal port to different port” is 443.

    The inbound policies should look like this.

    To connect to the first server, the address is: https://78.x.x.13
    and when connecting to the second server the address is: https://78.x.x.13:8443

  •

    An option for having more than 1 internal web site using a single public IP address is to use an HTTPS proxy with an HTTPS Server proxy action; you can specify a Domain Name and route based on the domain name in the URL.

    See the Routing Actions and Content Actions section here:
    HTTPS-Proxy: Domain Name Rules
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/https_domain_names_c.html

  •

    @Bruce_Briggs said:
    An option for having more than 1 internal web site using a single public IP address is to use an HTTPS proxy with an HTTPS Server proxy action; you can specify a Domain Name and route based on the domain name in the URL.

    See the Routing Actions and Content Actions section here:
    HTTPS-Proxy: Domain Name Rules
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/https_domain_names_c.html

    Hi Bruce, I tried your suggestion. We have a VPN on port 4443, and we have some services like xxx.domain.com, yyy.domain.com on port 443, with only one public IP; if I put our VPN on the same port, I break the VPN FQDN.
    Is there a way to use 1 public IP with the same port (443) if there is a VPN over the top? I hope I explained it well :smile:

  •

    No, you can't have incoming client VPN connections using TCP port 443 while also having 1 or more internal web servers being accessed from the Internet on TCP port 443.
    The reason is that incoming client VPN connections using TCP port 443 need to go to the firewall interface; however, you already have TCP port 443 being forwarded to 1 or more internal web servers.
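As an added illustration (not code from the thread or from WatchGuard): the domain-name routing suggested above can only separate sites on one public IP and port when the client sends the target host name in its TLS ClientHello (the SNI extension, which such domain rules are assumed to match on). The Python below constructs a ClientHello, extracts the SNI and picks a backend; a connection carrying no matching name, such as a client that connects by IP address, gets no backend, which is why a service that must terminate on the firewall itself cannot share port 443 with the forwarded web servers. The host names xxx.domain.com and yyy.domain.com and the internal addresses come from the thread; their pairing is assumed.

```python
import struct
# Constructed backend map: host names from the thread mapped to the two internal servers (pairing assumed).
BACKENDS = {
    "xxx.domain.com": ("192.168.1.100", 443),
    "yyy.domain.com": ("192.168.1.200", 443),
}

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, with an SNI extension if a name is given."""
    body = b"\x03\x03" + b"\x11" * 32           # client_version + 32-byte random (fixed test value)
    body += b"\x00"                              # session_id: empty
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite
    body += b"\x01\x00"                          # compression methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name(0)
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts = b"\x00\x00" + struct.pack("!H", len(sni)) + sni       # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 43                                   # record(5) + handshake(4) + version(2) + random(32)
        p += 1 + record[p]                       # skip session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # skip cipher_suites
        p += 1 + record[p]                       # skip compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                       # server_name: list_len(2) name_type(1) name_len(2) name
                if elen < 5 or record[p + 2] != 0:
                    return None
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def route(record):
    """Pick a backend by SNI; None means no domain-name rule matches (e.g. the client connected by IP)."""
    return BACKENDS.get(extract_sni(record) or "")
```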