Administer the VM Server

Apr 17th, 2010

We have an ASA 5510 and a VMware ESX server at the remote location.  The only way to get to the remote location is to log in to the VPN client.  Is there a way to set it up so that we at the Main office can use the vSphere software to do administration on the VM server without logging in to the VPN client first?  For example, my computer at the Main office has IP address 66.102.7.10 and I want to be able to open the vSphere software from my computer to do administration on the VM server (109.66.25.80) at the remote location.  What do I need to do on the ASA?  Please let me know if you need to see the config.


Thanks.


Debra

Federico Coto F... Sat, 04/17/2010 - 15:41

Hi,


You say the only way to get to the remote office is with the VPN client. Is this because there is a security restriction or policy?

By your description, you are trying to communicate with a public IP address (it is not mandatory to use VPN).


If there are no security policies preventing clear-text Internet access to the remote office, you should be able to reach the remote office without establishing the VPN connection.


The VPN, in fact, is there to protect the communication.


Federico.

debra-brown Sat, 04/17/2010 - 19:33

Thanks for your prompt response and information, Federico. I apologize for giving you wrong information.  The VM server has an internal private IP address (192.168.100.25).  The NATed public IP address is 109.66.25.80.  Thanks.


Debra

Federico Coto F... Sat, 04/17/2010 - 20:48

There's no way you can reach a private IP address through the Internet.

There are programs that establish a session to a remote computer (having a private IP), but you cannot route packets over the Internet to reach a private IP.


This is why you need a VPN connection to be able to communicate between the sites.


Why don't you want to establish the VPN tunnel to communicate with the server?

If, for example, you have a Site-to-Site tunnel between both sites, you can talk to the server without having any VPN client. You will talk to the server as if it were right next to you, and you won't even notice there's a VPN established.


Federico.

debra-brown Sat, 04/17/2010 - 21:24

Thanks for your prompt response and input, Federico.  Looks like the only solution at this point is to set up a Site-to-Site VPN, which I have not done before.  Since I was able to SSH to the remote site to do the administration on the ASA, I thought maybe there is a command that I can set up on the ASA that would allow me to do the administration on the VM server remotely.  Do you have information on how to set up a Site-to-Site VPN?


Thanks.


Debra

Federico Coto F... Sat, 04/17/2010 - 21:38

We have two solutions:


1. Create a STATIC PAT configuration on the ASA (port redirection), to redirect incoming traffic on a public IP to the private IP of the VM server.

For example, if you want to reach the server via RDP (TCP port 3389), then you create the following rule on the ASA:


static (in,out) tcp 109.66.25.80 3389 192.168.100.25 3389


Just replace 3389 with the correct port number that you will use to administer the server remotely.


2. Establish a Site-to-Site VPN so that you can access the server via its real private IP:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/site2sit.html


Federico.

debra-brown Sat, 04/17/2010 - 21:55

Thanks very much for your prompt response and information.  I will try your suggestions and let you know on Monday.


Thanks.


Debra

debra-brown Mon, 04/19/2010 - 13:08

Federico,


FYI, I was not able to open the vSphere Client.  I got the error message "vSphere Client could not connect with the vCenter Server "192.168.100.25".  Details: a connection failure occurred (unable to connect to the remote server)".  Here are the commands that I used:


static (in,out) tcp 109.66.25.80 443 10.10.10.1 443
static (in,out) tcp 109.66.25.80 901 10.10.10.1 901
static (in,out) tcp 109.66.25.80 902 10.10.10.1 902


Thanks very much for your help.


Debra

Federico Coto F... Mon, 04/19/2010 - 13:19

But you mentioned the private IP is 192.168.100.25 and the public IP is 109.66.25.80.

If this is the case, then you can access the server using its public IP on the port required.


For example, to create an HTTPS connection to the server, you need the following:


static (in,out) tcp 109.66.25.80 443 192.168.100.25 443


Then, from the client side, you connect via HTTPS to 109.66.25.80

The receiving ASA will translate the request and send it to 192.168.100.25 to port 443.

In this way you can access the server from the Internet without a VPN tunnel.


For this to work, you need to make sure there are no ACLs blocking 443 along the path.


Federico.
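The static PAT approach from the replies above, written out as a complete ASA 8.2-style configuration together with the inbound access rule a practitioner would add before exposing a vCenter/ESX management port on a public address. This is an added example, not configuration from the original thread or from Cisco's documentation. It assumes the interface names inside and outside (the thread's commands use in and out), reuses the addresses from the thread (admin workstation 66.102.7.10 at the main office, public address 109.66.25.80, vCenter host 192.168.100.25), and maps TCP 443 and 902, the ports the vSphere Client uses. Because pre-8.3 ASA access lists match on the mapped (public) address, the ACL permits the two mapped ports only from the single admin source address; every other Internet source falls to the implicit deny. If 109.66.25.80 is the outside interface's own address, use the keyword interface in place of the IP in the static commands.

```cisco
! Added example, not from the thread. Assumed interface names: inside / outside.
!
! Static PAT: map TCP 443 and 902 on the public address to the vCenter/ESX host.
! Pre-8.3 syntax: (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port.
static (inside,outside) tcp 109.66.25.80 443 192.168.100.25 443 netmask 255.255.255.255
static (inside,outside) tcp 109.66.25.80 902 192.168.100.25 902 netmask 255.255.255.255
!
! Inbound access rule on the outside interface. Pre-8.3 ACLs match the mapped
! (public) address. Only the main-office admin host may reach the mapped ports;
! the implicit deny at the end of the list blocks every other Internet source.
access-list outside_access_in extended permit tcp host 66.102.7.10 host 109.66.25.80 eq 443
access-list outside_access_in extended permit tcp host 66.102.7.10 host 109.66.25.80 eq 902
access-group outside_access_in in interface outside
!
! Verification from the ASA CLI: trace a synthetic SYN from the admin host to the
! mapped port (the trace should end with "Action: allow" and show the NAT phase
! rewriting the destination to 192.168.100.25), then list the static translations.
packet-tracer input outside tcp 66.102.7.10 40000 109.66.25.80 443
show xlate
show run static
```

If an access list is already applied inbound on the outside interface, add the two permit lines to that list rather than creating a new one: a second access-group command for the same interface and direction replaces the existing binding instead of merging with it. Note also that the thread's failing attempt translated to 10.10.10.1 rather than the vCenter host's real address; a mismatch like that is easiest to spot in the packet-tracer output, where the NAT phase prints the translated destination.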
