Port Forwarding – Configure Port 443 to Forward Requests to Different Servers

router

I have this situation. There are two servers on my network. I don't know why. It's just the way it has been set up. The first server (Server1) has a local ip of 192.168.0.2 and the second one (Server2) has a local ip of 192.168.0.200. On the router, there is a configuration in port forwarding that a request for port 443 will be forwarded to Server1. However, now I need to host my website on Server2 (I can't host it on Server1) and I bought the ssl certificate and installed it. But any requests for https will be forwarded to Server1 as port 443 is the default one when the router see https. How could I solve this problem? My network team opened a new port for me 4430 so I can access my site using https://www.example.com:4430. However, I don't think it's practical for my users. Is there a configuration in port forwarding that I can set for port 443 on the router to determine which server the request should go to? For example changing the protocol and so on. Thanks.

Best Answer

There are basically three possible solutions to this sort of problem all of them have their pros and cons.

Multiple public IP addresses (and a router that can handle those addresses appropriately).
A http proxy, your proxy accepts the connection, terminates the ssl/tls and forwards the decrypted traffic (possibly re-encrypting it) based on the http headers.
A SNI proxy, your proxy accepts the connection but does not decrypt it, it uses the SNI extension in the TLS headers to decide where to forward it to. Downside here is that this only works with modern clients.

Related Solutions

Cisco Router – Forwarding Path Information to pfSense and Vice Versa

Since Router 1 is on an outside interface of Router 2, it will not be able to originate traffic to the inside of Router 2. You have configured inside source NAT on Router 2, and this is one-way. Addresses are translated from the inside to the outside. When traffic is originated from the inside, NAT creates a table entry in order for responding traffic to be translated, but it has no table entry for traffic originated from the outside.

Running NAT on links where you are running a routing protocol is a very bad idea.

Edit based on your updated information:

If you need or want the firewall to know about the routes on the other side of Router 2, you will need to somehow get the routes into the firewall's routing table, otherwise any traffic for the unknown networks will be sent toward the default route for the firewall, and that should be the WAN.

A router, including the routing process of your firewall, needs to have a route in its routing table for any network to which it is expected to forward traffic. A default route can be used to encompass all networks, and any more specific routes in the routing table are used. Since your firewall's routing table has no routes to the networks on the other side of Router 2, it will use its default route.

You can configure your firewall to participate in OSPF with your two routers, and that will place those routes in the firewall's routing table. It will also let you originate the default route into OSPF from the firewall, and then you should remove that from the other routers.

The other, less desirable, solution is to manually configure static routes in your firewall for the networks to which it has no direct connection. This doesn't scale, and when you add, remove, or change those networks, you will need to manually change the static routes in the firewall.

Cisco Router ACL – Deny Access to Host on Port 8080, Allow on 80

You should craft an ACL for one direction. Don't put the same ACL on every interface in both directions.

The general ACL rules:

An extended ACL has both the source and destination addresses. It should be placed inbound on the source interface where the source address is. This prevents the denied traffic from being routed at all.
A standard ACL doesn't have the destination address, only the source address. It should be placed outbound on the interface where the destination address is. This means the traffic will be routed, but it prevents the ACL from affecting too much traffic.

Your extended ACL 100 should only be on the router's interface for the VLAN with 192.168.1.0 (per your comment, VLAN 20) as an inbound ACL:

interface Vlan20
 ip access-group 100 in

This will immediately drop any TCP traffic coming into the router from 192.168.1.0/24 destined to 192.168.0.2:8080, preventing the router from having to route that traffic. It will allow ICMP echos and other TCP traffic to 192.168.0.2, but it will deny all other traffic (ACLs have an implicit deny any any as the last statement. You should probably change the ACL so that it will permit all other traffic, unless you really only want to allow hosts on that VLAN to ping and use all other TCP only with 192.168.0.2. The hosts on that VLAN will not be able to get to any other VLAN, except with ping.

Best Answer

Related Solutions

Cisco Router – Forwarding Path Information to pfSense and Vice Versa

Cisco Router ACL – Deny Access to Host on Port 8080, Allow on 80

Related Topic