How to remotely manage the ESXi Host (Hypervisor)?

Version 1
    This document was generated from a CDN thread

    Created by: John Devavaram on 06-09-2012 02:38:12 PM
    Team,
     
    As of now, the customer is using the vSphere Client loaded onto a Windows PC on the same Local Area Network (LAN) as the ESXi host to manage it.  However, in the actual deployment the customer will not have a Windows PC available locally to manage the ESXi host.  The Windows PC and the ESXi host are assigned addresses from a private IP block - for example, 192.168.80.0/24.
     
    The host router is configured to do Network Address Translation (NAT), more precisely Port Address Translation (PAT) so that these private addresses are reachable from outside using a single public IP address assigned by the service provider for Internet connectivity.  
     
    For example, the CIMC is assigned the private IP address 192.168.80.2/24 with the default gateway 192.168.80.1 (the router's interface IP address on VLAN 80).  The router is connected to the Internet using the public IP address 64.81.251.106.
    Also, the router is configured with the following PAT configuration:
     
    ip nat inside source static tcp 192.168.80.2 80 64.81.251.106 61080
    ip nat inside source static tcp 192.168.80.2 443 64.81.251.106 61443

    So that a user from the Internet can access the CIMC web UI by using https://64.81.251.106:61443
     
    PAT can be used to provide remote access to the CIMC using HTTP, HTTPS, or SSH.
     
    However, the ESXi host is controlled by the vSphere Client application, which seems to use many TCP/UDP ports, such that we could not come up with a PAT configuration for managing it remotely.
     
    Please let me know if you have best-practice documentation on effectively managing the ESXi host (Hypervisor) remotely in situations that involve IP NAT.
     
    Thank you,
    John

    Subject: RE: How to remotely manage the ESXi Host (Hypervisor)?
    Replied by: Brett Tiller on 07-09-2012 07:44:18 PM
    Hi John,

    Using PAT, the ports you'll need to manage for the vSphere Client are 902, 443, and 80.  However, the challenge may also be that the translated IP address will be the one you've assigned to the host via the DCUI.  You may also need to translate the UCSE IP, which is the IP assigned to the IMC in the ucse interface.  Please make sure you've accounted for each port in your translation, and if that doesn't work, please include your router configuration with your response.

    Thanks,

    Brett

    Subject: RE: How to remotely manage the ESXi Host (Hypervisor)?
    Replied by: John Devavaram on 07-09-2012 08:30:13 PM
    Brett,
     
    Thank you for your input.  Please find attached the router configuration.
     
    I have the following IP PAT configuration:

    !
    !  For the bare metal Server management (CIMC) Access.  CIMC IP address is 192.168.80.2 /24.
    !  Ports 80 (HTTP) and 443 (HTTPS) are used for Port Address Translation (PAT).
    !
    ip nat inside source static tcp 192.168.80.2 80 192.168.1.71 61080 extendable
    ip nat inside source static udp 192.168.80.2 80 192.168.1.71 61080 extendable
    ip nat inside source static tcp 192.168.80.2 443 192.168.1.71 61443 extendable
    ip nat inside source static udp 192.168.80.2 443 192.168.1.71 61443 extendable
    !
    !  For ESXi host (Hypervisor) management access.  ESXi host IP address is 192.168.80.3 /24.
    !  Ports 80, 443 and 902 are used for PAT.
    !
    ip nat inside source static tcp 192.168.80.3 80 192.168.1.71 62080 extendable
    ip nat inside source static udp 192.168.80.3 80 192.168.1.71 62080 extendable
    ip nat inside source static tcp 192.168.80.3 443 192.168.1.71 62443 extendable
    ip nat inside source static udp 192.168.80.3 443 192.168.1.71 62443 extendable
    ip nat inside source static tcp 192.168.80.3 902 192.168.1.71 62902 extendable
    ip nat inside source static udp 192.168.80.3 902 192.168.1.71 62902 extendable
    !
    !  For Linux SUSE Server (Video Surveillance Manager) management access.  VSM IP address is 192.168.90.2 /24.
    !  Ports 22 (SSH), and 80 (HTTP) are used for PAT.
    !
    ip nat inside source static tcp 192.168.90.2 22 192.168.1.71 63022 extendable
    ip nat inside source static udp 192.168.90.2 22 192.168.1.71 63022 extendable
    ip nat inside source static tcp 192.168.90.2 80 192.168.1.71 63080 extendable
    ip nat inside source static udp 192.168.90.2 80 192.168.1.71 63080 extendable
    !
    !  Static routes for Internet access and local host access.
    !
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 192.168.1.192 name Internet-Gateway
    ip route 192.168.80.3 255.255.255.255 ucse4/0 name ESXi-Host
    ip route 192.168.90.2 255.255.255.255 Vlan90 name VSM
    !
    !  Access-list used for dynamic NAT for other services like DNS, NTP, etc. 
    !
    ip access-list standard NAT-ACL
     remark IP Address Block to be NATed
     permit 192.168.80.0 0.0.0.255
     permit 192.168.90.0 0.0.0.255
    !
    ip nat inside source list NAT-ACL interface GigabitEthernet0/2 overload
    !


    The customer's default gateway (192.168.1.192) is a Cisco Linksys wireless cable modem with the public IP address 64.81.251.106.  The customer had configured the router's IP address (192.168.1.71) to belong to the DMZ, meaning all incoming connection requests for the public IP address 64.81.251.106 on specific ports will be directed to the router (192.168.1.71) performing the NAT.

    For example, in order to access the CIMC Web UI from the Internet, one can use https://64.81.251.106:61443

    Also attaching the vSphere Client access error screen capture.  I am getting the same error for all ports - 80, 443, and 902.

    Thank you for your help.

    Regards,
    John

    Subject: RE: How to remotely manage the ESXi Host (Hypervisor)?
    Replied by: Brett Tiller on 21-09-2012 07:43:43 PM
    Hi John,

    My apologies for taking so long to get back to you.  I've tested remote access via NAT/PAT in my lab and was able to make it work.  I took it as far as being able to log into the ESXi host via the client.  When logging in via the vSphere Client no port specification is necessary because the PAT translations in your router will manage that.  I logged into the ESXi host from the vSphere Client using IP 172.25.209.199.  I assigned the corresponding private IP 192.168.1.83 to the ESXi host from the DCUI, which is accessed via the CIMC KVM.  I used the IP 172.25.209.198 to access the CIMC web pages via my browser.  The corresponding private IP is 192.168.1.82.

    I've provided a snippet of my router configuration below.

    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 192.168.1.80 255.255.255.0
     ip nat inside
    !
    interface GigabitEthernet0/1
     ip address 172.25.209.145 255.255.255.0
     ip nat outside
    !
    interface ucse2/0
     ip unnumbered GigabitEthernet0/0
     ip nat inside
     ip virtual-reassembly in
     imc ip address 192.168.1.82 255.255.255.0 default-gateway 192.168.1.80
     imc access-port shared-lom console
    !
    interface ucse2/1
     description Internal switch interface connected to Service Module
     switchport mode trunk
     no ip address
    !
    ip nat inside source list 1 interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.82 443 interface GigabitEthernet0/1 443
    ip nat inside source static tcp 192.168.1.82 80 interface GigabitEthernet0/1 80
    !  Port 2068 is for KVM access
    ip nat inside source static tcp 192.168.1.82 2068 interface GigabitEthernet0/1 2068
    !
    !  For access to the ESXi host.  Recall that the IP 192.168.1.83 must be assigned via the DCUI, accessible by KVM
    ip nat inside source static tcp 192.168.1.83 80 172.25.209.199 80 extendable
    ip nat inside source static tcp 192.168.1.83 443 172.25.209.199 443 extendable
    ip nat inside source static tcp 192.168.1.83 902 172.25.209.199 902 extendable
    !
    ip route 0.0.0.0 0.0.0.0 172.25.209.129
    ip route 192.168.1.82 255.255.255.255 ucse2/0
    ip route 192.168.1.83 255.255.255.255 ucse2/0
    !
    access-list 1 permit 192.168.1.0 0.0.0.255


    Hope this helps,

    Brett

    Subject: RE: How to remotely manage the ESXi Host (Hypervisor)?
    Replied by: John Devavaram on 26-09-2012 01:06:42 PM
    Hello Brett,

    Thank you for your email with the solution and all your help.
    I realized that the command "ip nat inside" was missing under the interface ucse4/0 in my customer's configuration.  Also, the customer had a few public IP addresses to spare, so we do not have to use Port Address Translation (PAT).

    Please find attached a working configuration.


    Regards,
    John
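
    The thread ends with two lessons: Brett's working lab config exposes the three vSphere Client ports (TCP 80, 443, 902) on one external address at their native port numbers, and John's fix was the "ip nat inside" that was missing under ucse4/0.  The script below is an added example for this page, not code from either post nor from Cisco or VMware.  It parses the "ip nat inside source static" rules, the interface stanzas and the /32 host routes of an IOS configuration and, for each inside host, reports where its ports are exposed, whether the full vSphere Client port set is present on one external address with native port numbers, and whether the interface that routes to the host carries "ip nat inside".  The two embedded configurations are constructed for the example: BRETT_LAB is cut down from Brett's snippet, and JOHN_SITE reproduces John's NAT and route lines with an assumed ucse4/0 stanza that deliberately lacks "ip nat inside", since his post did not show the interface section.

```python
"""Audit a Cisco IOS NAT/PAT configuration for remote ESXi / CIMC management.
Added example for this thread (not code from the posts, Cisco or VMware): it
parses the static PAT rules, interface stanzas and host routes, then checks
per inside host (1) the vSphere Client port set Brett names, TCP 80/443/902,
is exposed on one external address with its native port numbers (as in his
working lab config) and (2) the egress interface carries 'ip nat inside',
the command John found missing under ucse4/0.  Samples are constructed."""
import re
from collections import defaultdict, namedtuple

VSPHERE_CLIENT_PORTS = frozenset({80, 443, 902})
Mapping = namedtuple("Mapping", "proto inside_ip inside_port outside outside_port")
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
                       r"(?:interface (\S+)|(\S+)) (\d+)(?: extendable)?$")
HOST_ROUTE_RE = re.compile(r"^ip route (\S+) 255\.255\.255\.255 (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)$")


def parse_config(text):
    """Return (mappings, host_routes, nat_inside_ifaces)."""
    statics, routes, nat_inside, iface_addr = [], {}, set(), {}
    current = None                                   # interface stanza we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":              # IOS comments use '!'; tolerate '#'
            continue
        im = IFACE_RE.match(line)
        if im:
            current = im.group(1)
            continue
        sm, rm = STATIC_RE.match(line), HOST_ROUTE_RE.match(line)
        if current and line == "ip nat inside":      # interface sub-command, not a rule
            nat_inside.add(current)
        elif current and line.startswith("ip address "):
            iface_addr[current] = line.split()[2]
        elif sm:
            statics.append(sm.groups())
        elif rm:                                     # /32 route: host -> egress interface
            routes[rm.group(1)] = rm.group(2)
    mappings = []
    for proto, in_ip, in_port, out_if, out_ip, out_port in statics:
        # 'interface Gi0/1' form: the rule exposes on that interface's own address
        outside = out_ip or iface_addr.get(out_if, out_if)
        mappings.append(Mapping(proto, in_ip, int(in_port), outside, int(out_port)))
    return mappings, routes, nat_inside


def audit(text):
    """Per inside host: exposure map plus the vSphere-port and 'ip nat inside' checks."""
    mappings, routes, nat_inside = parse_config(text)
    by_host = defaultdict(list)
    for m in mappings:
        by_host[m.inside_ip].append(m)
    report = {}
    for host, maps in by_host.items():
        exposed = defaultdict(dict)                  # outside addr -> {inside port: outside port}
        for m in maps:
            if m.proto == "tcp":                     # the vSphere Client ports are TCP
                exposed[m.outside][m.inside_port] = m.outside_port
        complete_on = [a for a, p in exposed.items() if VSPHERE_CLIENT_PORTS.issubset(p)]
        egress = routes.get(host)
        report[host] = {
            "exposed": {a: dict(p) for a, p in exposed.items()},
            "vsphere_client_complete": bool(complete_on),
            "vsphere_native_ports": any(all(exposed[a][p] == p for p in VSPHERE_CLIENT_PORTS)
                                        for a in complete_on),
            "egress_interface": egress,              # None: no host route seen, nothing to check
            "egress_nat_inside": None if egress is None else egress in nat_inside,
        }
    return report


# Constructed sample, cut down from Brett's lab snippet.
BRETT_LAB = """
interface GigabitEthernet0/1
 ip address 172.25.209.145 255.255.255.0
 ip nat outside
interface ucse2/0
 ip nat inside
ip nat inside source static tcp 192.168.1.82 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.1.83 80 172.25.209.199 80 extendable
ip nat inside source static tcp 192.168.1.83 443 172.25.209.199 443 extendable
ip nat inside source static tcp 192.168.1.83 902 172.25.209.199 902 extendable
ip route 192.168.1.82 255.255.255.255 ucse2/0
ip route 192.168.1.83 255.255.255.255 ucse2/0
"""

# Constructed sample modelled on John's site: his post showed only NAT and route
# lines, so the ucse4/0 stanza is assumed and deliberately lacks 'ip nat inside'
# to reproduce the root cause he reported.
JOHN_SITE = """
interface ucse4/0
 ip unnumbered Vlan80
ip nat inside source static tcp 192.168.80.3 80 192.168.1.71 62080 extendable
ip nat inside source static tcp 192.168.80.3 443 192.168.1.71 62443 extendable
ip nat inside source static tcp 192.168.80.3 902 192.168.1.71 62902 extendable
ip route 192.168.80.3 255.255.255.255 ucse4/0 name ESXi-Host
"""
```

    Run it against a saved running-config with audit(open("running-config").read()).  On BRETT_LAB the ESXi host 192.168.1.83 passes all three checks; on JOHN_SITE the port set is complete but shifted to 62080/62443/62902, and the egress interface ucse4/0 is reported without "ip nat inside", which is exactly the state John described before his fix.  The "exposed" map is also the list of management ports reachable from the Internet on the public address, so it doubles as the checklist for what to verify from outside and what to keep restricted.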