Team,
 
As of now, customer is using vSphere Client loaded onto a Windows PC on the same Local Area Network (LAN) as that of ESXi host to manage it.  However, in actual deployment customer will not be having a Windows PC available locally to manage the ESXi host.  The Windows PC and the ESXi host are assigned with addresses from private IP blocks - for example, 192.168.80.0/24.
 
The host router is configured to do Network Address Translation (NAT), more precisely Port Address Translation (PAT) so that these private addresses are reachable from outside using a single public IP address assigned by the service provider for Internet connectivity.  
 
For example, the CIMC is assigned with the private IP address 192.168.80.2/24 with the default-gateway of 192.168.80.1 (Router's interface IP address on VLAN 80).  The router is connected to the Internet using the public IP address 64.81.251.106.
Also, the router is configured with the following PAT configuration:
 
ip nat inside source static tcp 192.168.80.2 80 64.81.251.106 61080

ip nat inside source static tcp 192.168.80.2 443 64.81.251.106 61443



So, that an user from the Internet can access the CIMC web UI, by using https://64.81.251.106:61443
 
PAT can be used to provide remote access to the CIMC using HTTP, HTTPS, or SSH.
 
However, the ESXi host is controlled by the vSphere Client application that does seem to use many TCP/UDP ports such that we could not come up with a PAT configuration for managing it remotely.
 
Please let me know if you have best-practise documentation on effectively managing the ESXi host (Hypervisor) remotely in situations that involve IP NAT.
 
Thank you,
John

Bret,
 
Thank you for your input.  Please find attached the router configuration.
 
I have the following IP PAT configuration:

!
!  For the bare metal Server management (CIMC) Access.  CIMC IP address is 192.168.80.2 /24.
!  Ports 80 (HTTP) and 443 (HTTPS) are used for Port Address Translation (PAT).
!
ip nat inside source static tcp 192.168.80.2 80 192.168.1.71 61080 extendable
ip nat inside source static udp 192.168.80.2 80 192.168.1.71 61080 extendable
ip nat inside source static tcp 192.168.80.2 443 192.168.1.71 61443 extendable
ip nat inside source static udp 192.168.80.2 443 192.168.1.71 61443 extendable
!
!  For ESXi host (Hypervisor) management access.  ESXi host IP address is 192.168.80.3 /24.
!  Ports 80, 443 and 902 are used for PAT.
!
ip nat inside source static tcp 192.168.80.3 80 192.168.1.71 62080 extendable
ip nat inside source static udp 192.168.80.3 80 192.168.1.71 62080 extendable
ip nat inside source static tcp 192.168.80.3 443 192.168.1.71 62443 extendable
ip nat inside source static udp 192.168.80.3 443 192.168.1.71 62443 extendable
ip nat inside source static tcp 192.168.80.3 902 192.168.1.71 62902 extendable
ip nat inside source static udp 192.168.80.3 902 192.168.1.71 62902 extendable
!
!  For Linux SUSE Server (Video Surveillance Manager) management access.  VSM IP address is 192.168.90.2 /24.
!  Ports 22 (SSH), and 80 (HTTP) are used for PAT.
!
ip nat inside source static tcp 192.168.90.2 22 192.168.1.71 63022 extendable
ip nat inside source static udp 192.168.90.2 22 192.168.1.71 63022 extendable
ip nat inside source static tcp 192.168.90.2 80 192.168.1.71 63080 extendable
ip nat inside source static udp 192.168.90.2 80 192.168.1.71 63080 extendable
!
!  Static routes for Internet access and local host access.
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 192.168.1.192 name Internet-Gateway
ip route 192.168.80.3 255.255.255.255 ucse4/0 name ESXi-Host
ip route 192.168.90.2 255.255.255.255 Vlan90 name VSM
!
!  Access-list used for dynamic NAT for other services like DNS, NTP, etc. 
!
ip access-list standard NAT-ACL
 remark IP Address Block to be NATed
 permit 192.168.80.0 0.0.0.255
 permit 192.168.90.0 0.0.0.255
!
ip nat inside source list NAT-ACL interface GigabitEthernet0/2 overload
!


Customer's default-gateway (192.168.1.192) is a Cisco Linksys Wireless Cable MODEM with the public IP address of 64.81.251.106.  Customer had configured the router's IP address (192.168.1.71) to belong to the DMZ - meaning all incoming connection requests for the public IP address 64.81.251.106 with specific ports will be directed to the router (192.168.1.71) performing the NAT.

For example, in order to access the CIMC Web UI from the Internet, one can use https://64.81.251.106:61443

Also, attaching vSphere Client access error screen capture.  Getting the same error for all ports - 80, 443, and 902.

Thank you for your help.

Regards,
John

Attachments:

Hello Bret,

Thank you for your email with the solution and all your help.
I realized that the command "ip nat inside" was missing under the interface ucse4/0 in my customer's configuration.  Also, customer had a few public IP addresses to spare so that we do not have to use Port Address Translation (PAT).

Please find attached a working configuration.


Regards,
John

Attachments: