phariraja
Level 1

Hi,

The following ports are required to access the ESXi host via the vSphere client from outside the WAN.

902 Incoming and outgoing TCP, outgoing UDP

443, 903 Incoming TCP

I have added the IP NAT statements below on our Cisco 1800. I am able to log in to vSphere; however, I am unable to access the virtual machine console, with the error "unable to connect to the MKS: could not connect to pipe".

Please help me to make additional changes in the router.

"ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x  443 extendable
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x  902 extendable
ip nat inside source static udp 172.168.168.22 902 x.x.x.x  902 extendable
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x  903 extendable
ip nat inside source static udp 172.168.168.22 903 x.x.x.x  903 extendable
!
access-list 100 permit ip any any"


LJ Gabrillo
Level 5

I personally do not recommend port forwarding the ports of vSphere; security-wise, it can be a breach in your system. To add to that, it is inefficient.

To add, your port-forwarding statements are correct, but can you remove the "extendable" on them?
They might use ports which they shouldn't since you "extended" them.

 

I'm handling VMware ESXi servers and port forwarding never does the trick. It's not the port-forwarding statements that have the issue, but the ESXi to vSphere KVM communication. It seems it can't handle the NAT traversals/translations which you are doing.


If you still desire to access it from outside your network, try configuring your device for remote access VPN.
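
As an added example (not part of the thread or any poster's code): a small Python audit that parses `ip nat inside source static` lines like the ones posted above, lists which of the ports named in the question (443, 902, 903) are published to the outside, and marks protocol/port pairs that the question's own port list does not call for inbound. The names `parse_static_nat`, `audit` and `SAMPLE` are hypothetical, and the sample config is constructed from the thread's statements.

```python
import re

# Inbound requirement as listed in the original question: TCP 443, 902, 903.
# (The question lists UDP 902 as outgoing only.)
REQUIRED_INBOUND = {("tcp", 443), ("tcp", 902), ("tcp", 903)}
MGMT_PORTS = {443, 902, 903}

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)( extendable)?$"
)

def parse_static_nat(config):
    """Yield (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse repeated spaces
        m = STATIC_NAT.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port, _ = m.groups()
            yield proto, in_ip, int(in_port), out_ip, int(out_port)

def audit(config):
    """Return findings for management ports published through static NAT."""
    findings = []
    for proto, in_ip, in_port, _out_ip, out_port in parse_static_nat(config):
        if in_port not in MGMT_PORTS:
            continue
        if (proto, in_port) in REQUIRED_INBOUND:
            note = "management port reachable from outside"
        else:
            note = "not in the stated inbound list; candidate for removal"
        findings.append((proto, out_port, in_ip, note))
    return findings

# Constructed sample: the thread's statements, outside address masked as posted.
SAMPLE = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x  443 extendable
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x  902 extendable
ip nat inside source static udp 172.168.168.22 902 x.x.x.x  902 extendable
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x  903 extendable
ip nat inside source static udp 172.168.168.22 903 x.x.x.x  903 extendable
"""

if __name__ == "__main__":
    for proto, port, host, note in audit(SAMPLE):
        print(f"{proto}/{port} -> {host}: {note}")
```
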
 

Please help me with the command to remove extendable.

Just simply negate them:

no ip nat inside source static tcp 172.168.168.22 443 x.x.x.x  443 extendable
no ip nat inside source static tcp 172.168.168.22 902 x.x.x.x  902 extendable
no ip nat inside source static udp 172.168.168.22 902 x.x.x.x  902 extendable
no ip nat inside source static tcp 172.168.168.22 903 x.x.x.x  903 extendable
no ip nat inside source static udp 172.168.168.22 903 x.x.x.x  903 extendable

Once deleted, enter them again:

ip nat inside source static tcp 172.168.168.22 443 x.x.x.x  443
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x  902 
ip nat inside source static udp 172.168.168.22 902 x.x.x.x  902 
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x  903 
ip nat inside source static udp 172.168.168.22 903 x.x.x.x  903

I have deleted them, entered them again and saved. I have run "show config", and extendable got included at the end automatically.

Still unable to access virtual machine console.

 

Really? That's weird, it should not happen.
Anyway, the "extendable" is not an issue; it is just a feature where, when that port is used, it will use another port, but in this case that never happens.

As I told you, this is an issue with the vSphere client, not your port forwarding statements. I have tried this myself, and NAT traversal does not go well with vSphere.

Check the VMware forums; there are workarounds, but to put it: "do it at your own risk".

Yup, I'll check the VMware forums.

Can you help me configure VPN on this router? Steps required.

Regards,

Hari

Does your router support SSL-VPN AnyConnect? It requires a license :)

Configuration wise: LINK

FYI

Please find screen shot attached.

As I said, that is an issue with vSphere traversing through NAT; it just doesn't seem to work.

What does not work is the KVM console only.
You can do administrative settings and things like that, but you can't view the console.

Router#copy tftp flash
Address or name of remote host []? 209.165.22.226
Source filename []? sslclient-win-1.0.2.127.pkg
Destination filename [sslclient-win-1.0.2.127.pkg]? sslclient-win-1.0.2.127.pkg
Accessing tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg...
%Error opening tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg (Timed out)
Router#

Getting above error, unable to browse tftp://209.165.22.226/ as well.
