topic yes in Network Security

yes

phariraja — Tue, 12 Mar 2019 04:46:50 GMT

Hi,

Following ports required to access ESXI host via vSphere client from outside WAN.

902 Incoming and outgoing TCP, outgoing UDP

443, 903 Incoming TCP

I have added IP NAT below on our Cisco 1800. Able to login to vSphere. however, unable to access virtual machine console, error "unable to connect to the MKS: could not connect to pipe"

Please help me to make additional changes in the router.

"ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443 extendable
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903 extendable
ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903 extendable
!
access-list 100 permit ip any any"

I personally do not recommend

LJ Gabrillo — Thu, 18 Sep 2014 15:22:45 GMT

I personally do not recommend port forwarding the ports of vSphere, security wise, it can be a breach in your system. To add on that, it inefficient.

To add, your port-forwarding statements are correct, but can you remove the "extendible" on them?
They might use ports w/c they shouldn't since you "extended" them.

I'm handling VMWare ESXi servers and port forwarding never does the trick. Its not the port-forwarding statements that has the issue, but the ESXi to vSphere KVM communication. It seems it can't handle NAT traversals/Translations w/c you are doing.

If you still desire to access it outside your network, try configuring your device for Remote access VPN

Please help me with the

phariraja — Fri, 19 Sep 2014 05:19:38 GMT

Please help me with the command to remove extendable.

Just simply negate them:no ip

LJ Gabrillo — Fri, 19 Sep 2014 05:29:54 GMT

Just simply negate them:

no ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443 extendable
no ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902 extendable
no ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902 extendable
no ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903 extendable
no ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903 extendable

once deleted, enter them again:

ip nat inside source static tcp 172.168.168.22 443 x.x.x.x 443
ip nat inside source static tcp 172.168.168.22 902 x.x.x.x 902
ip nat inside source static udp 172.168.168.22 902 x.x.x.x 902
ip nat inside source static tcp 172.168.168.22 903 x.x.x.x 903
ip nat inside source static udp 172.168.168.22 903 x.x.x.x 903

Have deleted, entered them

phariraja — Fri, 19 Sep 2014 13:15:42 GMT

Have deleted, entered them and saved, I have run "show config" extendable got included at the end automatically.

Still unable to access virtual machine console.

Really? That's weird, it

LJ Gabrillo — Fri, 19 Sep 2014 17:54:09 GMT

Really? That's weird, it should not happen:
Anyway, the "extendable" is not an issue, it is just a feature when that port is used it will use another port, but in this case, that never happens

As I told you, this is an issue with the vSphere client, not your port forwarding statements. I have tried this myself, and NAT traversals does not go well with vSphere,

Check the VMWare forums, there are workarounds, but to put it "do it at your own risk"

Yup, I'II check VMWare forums

phariraja — Sat, 20 Sep 2014 05:32:37 GMT

Yup, I'II check VMWare forums.

Can you help me to configure VPN on this router? steps required.

Regards,

Hari

Does your router support SSL

LJ Gabrillo — Sat, 20 Sep 2014 06:00:00 GMT

Does your router support SSL-VPN AnyConnect? It requires a license 🙂

Configuration wise: LINK

FYIPlease find screen shot

phariraja — Sat, 20 Sep 2014 06:06:39 GMT

FYI

Please find screen shot attached.

As I said, that is an issue

LJ Gabrillo — Sat, 20 Sep 2014 06:11:57 GMT

As I said, that is an issue with the vSphere traversing through NAT, it just doesn't seem to work

What does not work the the KVM console only.
You can do administrative settings and things like that, but you cant view the console

Router#copy tftp flashAddress

phariraja — Mon, 22 Sep 2014 08:15:23 GMT

Router#copy tftp flash
Address or name of remote host []? 209.165.22.226
Source filename []? sslclient-win-1.0.2.127.pkg
Destination filename [sslclient-win-1.0.2.127.pkg]? sslclient-win-1.0.2.127.pkg
Accessing tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg...
%Error opening tftp://209.165.22.226/sslclient-win-1.0.2.127.pkg (Timed out)
Router#

Getting above error, unable to browse tftp://209.165.22.226/ as well.