You can issue a single certificate for multiple names or addresses – just list all of them1 in the "Subject Alternative Name" field (aka subjectAltName or SAN). This is supported by all CAs nowadays, and doesn't require any special support from the web server.
I would also create a DNS entry for your web app, so that you could access it using a domain name. If your network uses DNS "views", then you could easily have the same domain name resolve to either the public address from outside, or the internal address from inside – the certificate would only need a single name, and you would only need to bookmark a single URL.
Finally, it sounds like a bad idea to allow any sort external access to your web app through port-forwarding at all. (Honestly, it sounds like a prime target for unwanted guests.) Avoiding port-forwarding and using a corporate VPN to reach the webapp remotely might be more secure and would avoid the issue of two different addresses, as you would always be accessing the internal address only.
1 Beware of several common mistakes when dealing with subjectAltName, especially if your CA runs on hand-rolled openssl
scripts...
The SAN field must include even the name that you've already put in the "CN=" field. (The two fields aren't combined automatically – when the certificate has a SAN list, browsers will just ignore the CN= attribute entirely.)
The SAN field has a distinction between DNS names and IP addresses – make sure your CA sets the correct type for each of the values. If you're using OpenSSL, use IP:1.2.3.4
instead of DNS:1.2.3.4
.