09-18-2014 07:21 AM - edited 03-11-2019 09:46 PM
Hi,
The following ports are required to access the ESXi host via the vSphere client from the outside WAN:
902 Incoming and outgoing TCP, outgoing UDP
443, 903 Incoming TCP
I have added the IP NAT below on our Cisco 1800. I am able to log in to vSphere; however, I am unable to access the virtual machine console. Error: "unable to connect to the MKS: could not connect to pipe"
Please help me to make additional changes in the router.
"ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443 extendable
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903 extendable
ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903 extendable
!
access-list 100 permit ip any any"
09-18-2014 08:22 AM
I personally do not recommend port forwarding the vSphere ports; security-wise, it can be a breach in your system. On top of that, it is inefficient.
To add, your port-forwarding statements are correct, but can you remove the "extendable" on them?
They might use ports which they shouldn't, since you "extended" them.
I'm handling VMware ESXi servers and port forwarding never does the trick. It's not the port-forwarding statements that have the issue, but the ESXi to vSphere KVM communication. It seems it can't handle the NAT traversals/translations which you are doing.
If you still desire to access it from outside your network, try configuring your device for remote access VPN.
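An added example, not part of any post in this thread and not Cisco or VMware code: a small Python audit that reads IOS configuration text and lists the static NAT port-forwards that still publish the vSphere ports named in the first post (443, 902, 903). The function name and the sample configuration are constructed for illustration, the text is treated as a sequence of commands, and only the `ip nat inside source static tcp|udp` form shown in the thread is parsed.

```python
import re

# Ports the first post lists as required by the vSphere client.
VSPHERE_PORTS = {443, 902, 903}

# [no] ip nat inside source static <tcp|udp> <local-ip> <local-port>
#      <global-ip | interface NAME> <global-port> [extendable]
STATIC_NAT = re.compile(
    r"^(?P<no>no\s+)?ip nat inside source static\s+(?P<proto>tcp|udp)\s+"
    r"(?P<local>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<glob>interface\s+\S+|\S+)\s+(?P<gport>\d+)(?:\s+extendable)?$"
)

# Constructed sample: statements from the thread, one unrelated forward (8080)
# and one negated statement. x.x.x.x is the thread's own redacted placeholder.
SAMPLE_CONFIG = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443 extendable
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903 extendable
ip nat inside source static tcp 172.168.168.22 8080 x.x.x.x 8080
no ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
access-list 100 permit ip any any
"""

def exposed_vsphere_forwards(config_text):
    """Return (proto, local_ip, local_port, global, global_port) for every
    static forward still in effect whose inside port is a vSphere port."""
    active = {}
    for raw in config_text.splitlines():
        # Tolerate surrounding whitespace and the quotes used in the post.
        m = STATIC_NAT.match(raw.strip().strip('"').strip())
        if m is None:
            continue
        key = (m["proto"], m["local"], int(m["lport"]), m["glob"], int(m["gport"]))
        if m["no"]:
            active.pop(key, None)      # "no ..." removes the earlier mapping
        else:
            active[key] = raw.strip()
    return [k for k in active if k[2] in VSPHERE_PORTS]

if __name__ == "__main__":
    for proto, local, lport, glob, gport in exposed_vsphere_forwards(SAMPLE_CONFIG):
        print(f"exposed: {glob}:{gport}/{proto} -> {local}:{lport}")
```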
09-18-2014 10:19 PM
Please help me with the command to remove extendable.
09-18-2014 10:29 PM
Just simply negate them:
no ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443 extendable
no ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902 extendable
no ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
no ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903 extendable
no ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903 extendable
Once deleted, enter them again:
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902
ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903
ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903
09-19-2014 06:15 AM
I have deleted them, entered them again and saved. I ran "show config" and "extendable" got included at the end automatically.
I am still unable to access the virtual machine console.
09-19-2014 10:54 AM
Really? That's weird, it should not happen.
Anyway, the "extendable" is not an issue; it is just a feature where, when that port is used, it will use another port, but in this case that never happens.
As I told you, this is an issue with the vSphere client, not your port forwarding statements. I have tried this myself, and NAT traversal does not go well with vSphere.
Check the VMware forums; there are workarounds, but to put it: "do it at your own risk".
09-19-2014 10:32 PM
Yup, I'll check the VMware forums.
Can you help me to configure VPN on this router? Steps required.
Regards,
Hari
09-19-2014 11:00 PM
Does your router support SSL-VPN AnyConnect? It requires a license :)
Configuration wise: LINK
09-19-2014 11:06 PM
09-19-2014 11:11 PM
As I said, that is an issue with vSphere traversing through NAT; it just doesn't seem to work.
What does not work is the KVM console only.
You can do administrative settings and things like that, but you can't view the console.
09-22-2014 01:15 AM
Router#copy tftp flash
Address or name of remote host []? 209.165.22.226
Source filename []? sslclient-win-1.0.2.127.pkg
Destination filename [sslclient-win-1.0.2.127.pkg]? sslclient-win-1.0.2.127.pkg
Accessing tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg...
%Error opening tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg (Timed out)
Router#
I am getting the above error, and I am unable to browse tftp://209.165.22.226/ as well.