Administer the VM Server

Unanswered Question
Apr 17th, 2010

We have an ASA 5510 and a VMware server ESX at the remote location.  The only way to get to the remote location is to login to VPN client.  Is there a way to set it up so that we at the Main office can use the VSphere software to do administration on the VM server without logging in to the VPN client first?  For example, my computer at the Main office IP address is and I want to be able to open Vsphere software from my computer to do administration on the VM server ( at the remote location.  What do I need to do at the ASA?  Please let me know if you need to see the config.



Federico Coto F... Sat, 04/17/2010 - 15:41


You say the only way to get to the remote office is with the VPN client. Is this because there is a security restriction or policy?

By your description, you are trying to communicate to a public IP address (it is not mandatory to use VPN).

If there are no security policies preventing clear-text Internet access to the remote office, you should be able to reach the remote office without establishing the VPN connection.

VPN in fact is to protect the communication.


debra-brown Sat, 04/17/2010 - 19:33

Thanks for your prompt response and information, Federico. I apologize for giving you wrong information.  The VM server has an internal private IP address (  The natted public IP address is  Thanks.


Federico Coto F... Sat, 04/17/2010 - 20:48

There's no way you can reach a private IP address through the Internet.

There are programs that establish a session to a remote computer (having a private IP), but you cannot route packets over the Internet to reach a private IP.

This is why you need a VPN connection to be able to communicate between the sites.

Why don't you want to establish the VPN tunnel to communicate with the server?

If for example, you have a Site-to-Site tunnel between both sites, you can talk to the server without having any VPN client. You will talk to server like it is right next to you and you won't even notice there's a VPN established.


debra-brown Sat, 04/17/2010 - 21:24

Thanks for your prompt response and input, Federico.  Looks like the only solution at this point is to set up a Site-to-Site VPN, which I have not done before.  Since I was able to SSH to the Remote site to do the administration on the ASA, I thought maybe there is a command that I can set up on the ASA that would allow me to do the administration on the VM server remotely.  Do you have the information on how to set up a Site-to-Site VPN?



Federico Coto F... Sat, 04/17/2010 - 21:38

We have two solutions:

1. Create a STATIC PAT configuration on the ASA (port redirection), to redirect incoming traffic on a public IP to the private IP of the VM server.

For example, if you want to reach the server via RDP (TCP port 3389), then you create the following rule on the ASA:

static (in,out) tcp 3389 3389

Just replace 3389 with the correct port number that you will use to administer the server remotely.

2. Establish a Site-to-Site VPN so that you can access the server via its real private IP:


debra-brown Sat, 04/17/2010 - 21:55

Thanks very much for your prompt response and information.  I will try your suggestions and let you know on Monday.



debra-brown Mon, 04/19/2010 - 13:08


FYI, I was not able to open VSphere client.  I got the error message "Vsphere client could not connect with the VCenter Server "  Details:  a connection failure occurred (unable to connect to the remote server)".  Here are my commands that I used:

static (in,out) tcp 443 443
static (in,out) tcp 901 901
static (in,out) tcp 902 902

Thanks very much for your help.


Federico Coto F... Mon, 04/19/2010 - 13:19

But you mentioned the private IP is and the public IP is

If this is the case, then you can access the server using its public IP on the port required.

For example, to create an HTTPS connection to the server, you need the following:

static (in,out) tcp 443 443

Then, from the client side, you connect via HTTPS to

The receiving ASA will translate the request and send it to to port 443.

In this way you can access the server from the Internet without a VPN tunnel.

For this to work, you need to make sure there are no ACLs blocking 443 along the path.
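
The static PAT approach from this thread written out in full with a source-restricted ACL, as an added example that is not part of the original posts. It assumes the pre-8.3 `static` syntax used above and keeps the thread's interface names `in` and `out`; every IP address and the ACL name `OUT_IN` are constructed placeholders.

```cisco
! Constructed placeholders (documentation ranges), not values from the thread:
!   198.51.100.10  public address of the main office
!   203.0.113.20   public address NATed to the VM server
!   192.168.10.20  private address of the VM server

! Port redirection: public IP/port -> private IP/port (pre-8.3 syntax).
static (in,out) tcp 203.0.113.20 443 192.168.10.20 443 netmask 255.255.255.255
static (in,out) tcp 203.0.113.20 902 192.168.10.20 902 netmask 255.255.255.255

! Permit only the main office to the translated ports.
! Pre-8.3 ACLs on the outside interface match the public (mapped) address.
access-list OUT_IN extended permit tcp host 198.51.100.10 host 203.0.113.20 eq 443
access-list OUT_IN extended permit tcp host 198.51.100.10 host 203.0.113.20 eq 902

! Binding an ACL replaces any ACL already applied inbound on this interface.
! If one exists, add the two permit lines to that ACL instead.
access-group OUT_IN in interface out

! Verification: simulate the main-office connection and read the NAT and
! ACL phases of the result, then confirm the translations and hit counts.
packet-tracer input out tcp 198.51.100.10 1025 203.0.113.20 443
show xlate
show access-list OUT_IN
```

If `packet-tracer` reports a drop in the ACL phase, an existing inbound ACL on the interface is blocking the port, which is the condition the last post says to rule out.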


