
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1918
  • Last Modified:

I have a problem pinging from my laptop to my VMware virtual machine. Need help.

I have installed a virtual machine, which is a Server 2008, on top of my host machine.

My virtual machine is behind NAT; the VMware DHCP service gave the machine the IP 192.168.120.72.

My host machine's IP is 192.168.1.68, which my router's DHCP gave it, and I can ping from the host machine to the virtual machine and vice versa successfully.

I can even ping the DNS of the server from the host machine.

But what I can't do is ping from my laptop to the IP of my virtual machine, which is 192.168.120.72.

I can ping from the virtual machine to the laptop's IP.

My laptop's IP is 192.168.1.65. I can still ping my host's IP but can't ping 192.168.120.72.

Why is that? I did ipconfig /flushdns and tried to add static routes, but it didn't help.

I also don't have any firewall on my laptop or on the virtual server.

I disabled the Windows firewall completely.

Is it because the virtual machine's IP is on a different subnet or something?

Is there any solution?


Thanks.
Asked: johnsar
1 Solution
 
johnsarAuthor Commented:
But I did. I said that I did.

I added the following routes on my laptop using CMD:

route ADD 192.168.120.0 MASK 255.255.255.0 192.168.1.254

route ADD 192.168.120.0 MASK 255.255.255.0 192.168.120.2

But it didn't help.

The default gateway of the virtual machine is 192.168.120.2.

Am I missing something?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
When a computer on the external network attempts to initiate a connection with a virtual machine on the NAT network, it cannot reach it because the NAT device does not forward the request. Network connections that are initiated from outside the NAT network are not transparent.

Only requests that come from a computer on the NAT network can reach the outside network.

However, it is possible to manually configure port forwarding on the NAT device so network traffic destined for a certain port can still be automatically forwarded to a virtual machine on the NAT network. For details, see Advanced NAT Configuration below.

You would need to use Advanced NAT; see this URL for details:

http://www.vmware.com/support/ws3/doc/ws32_network21.html

 
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Or you could use Bridged networking mode. If you want to use NAT, you need to use Advanced NAT.
0
 
johnsarAuthor Commented:
OK. But I need to add the ports to forward for NAT.

But since I can't ping the virtual machine, I have to be able to forward the ICMP packets.

I don't think ICMP uses any ports to function.

In that case, what should I add?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If you need to ping, I would use Bridged; the VMs will then be on your host's network.
0
 
johnsarAuthor Commented:
I need to ping to find out whether my virtual machine is reachable or not.

So I have to ping.

But in the Ports field, I wonder what port number I should put for port forwarding on the VMware NAT so I can ping from my laptop,

to forward ICMP packets.
0
 
johnsarAuthor Commented:
I want to use NAT. Any suggestions?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
What are your exact requirements?
0
 
bgoeringCommented:
It is not possible to forward ICMP packets to a VM on a NAT network. The ping command uses the ICMP echo packet type, which cannot be forwarded. You can only port forward TCP or UDP ports. That being said, it is possible to test whether a machine is reachable by using another tool such as portqry (http://support.microsoft.com/kb/310099) from Microsoft. To test reachability, just forward a TCP port to a port that should be listening (and not firewalled) on your VM; then from your external machine use the portqry tool to test reachability to that port. To forward the port, open the Virtual Network Editor in Workstation and select vmnet8 (NAT); there you will find an option to configure TCP/UDP port forwarding.

Good Luck
0
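As an added illustration of bgoering's point (this is example code, not something posted in the thread or shipped with portqry), the Python probe below does what portqry does for a single TCP port: it tells apart a port that answers the handshake, a port the host refuses (which still proves the host is reachable) and a port that gives no reply at all (dropped by a firewall or an unmatched NAT rule). The host and port on the command line, and the local loopback listener used for the offline demo, are assumptions of the example.

```python
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt to host:port.

    A TCP handshake can pass through a NAT port-forward rule, unlike an ICMP
    echo, so this is a usable reachability test for a VM behind VMware NAT.
      "listening"   - handshake completed: the forward works and a service answers
      "refused"     - RST came back: the target is reachable but nothing listens there
      "filtered"    - no reply at all: dropped by a firewall/NAT, or the host is down
      "unreachable" - the local stack has no route to the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "listening"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo_against_local_listener():
    """Offline demo: open a listener on an ephemeral loopback port, probe it
    while open, close it, and probe again. Returns the two classifications."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python probe.py 192.168.1.66 3384  (host address and forwarded port are sample values)
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo_against_local_listener())
```

Run it against the host's address and the host-side port of the forward rule, not the VM's NAT address: the VM's 192.168.120.x address is not routable from the laptop, so a "filtered" result there says nothing about the VM. A "refused" answer from the host port means the forward rule is missing or the guest service is down; "listening" means the whole path works.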
 
johnsarAuthor Commented:
bgoering: so what you mean is that the virtual machine behind NAT can still be reachable from an external network, even though it can't be pinged because NAT is not able to forward the ICMP packets?

But I can forward DNS, which is on port 53, right?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Yes, that is correct. Just no pings; all other TCP and UDP ports.

0
 
johnsarAuthor Commented:
I want to be able to use the DNS server on the virtual machine from the external machine, use Remote Desktop Connection to the VM, and also be a member of the domain.

What would be the necessary ports to forward in this case on the VMware NAT?
0
 
bgoeringCommented:
Yes, forward both TCP and UDP port 53 to your VM. UDP is required for DNS lookups; TCP is occasionally required for other functions (such as zone transfers). You will only need UDP 53 if you only want to use it as a DNS server for lookups.
0
 
johnsarAuthor Commented:
What if I want to use RDC to the VM?

Also to join the domain?

Any ports for those?
0
 
bgoeringCommented:
Ever hit submit too soon? You need TCP 3389 for RDP to your guest VM.

Now for domain authentication it gets a bit more involved. For all functions you pretty much need to open a bunch of ports. At a minimum:

Global Catalog Server: TCP 3269
Global Catalog Server: TCP 3268
LDAP Server: TCP 389
LDAP Server: UDP 389
LDAP SSL: TCP 636
LDAP SSL: UDP 636
IPsec ISAKMP: UDP 500
NAT-T: UDP 4500
RPC: TCP 135
RPC randomly allocated high TCP ports: TCP 1024 - 65535 (Windows XP, 2000, 2003)
RPC randomly allocated high TCP ports: TCP 49152 - 65535 (Vista, 2008 and up)

See http://support.microsoft.com/kb/832017 for a comprehensive list of ports used by Windows. If you are running a domain controller, I would seriously consider using bridged networking rather than NAT networking.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
You would have to port forward ALL those ports you require.

e.g. RDC/RDP: TCP 3389

That's why I asked what your requirements were, because it's quite a massive undertaking to forward all those ports to a VM, or multiple VMs.

NAT is NAT, and there's nothing special about the way VMware implements it. It's primarily designed to allow machines behind NAT to communicate via NAT with the external network.

Bridged may be easier for you. But you have your own reasons for wanting to use NAT.
0
 
johnsarAuthor Commented:
I will be using Bridged if I can't get NAT to work.

I want to use NAT if possible because of its extra security.

OK. In the NAT settings of VMware where you port forward, there is a section called Host port and Virtual machine port.

What does it mean by Host port?

Can I put any random port there?

Let's say I want to be able to use RDC to the virtual server, which is on my host machine, from my laptop, so I have to port forward 3389 TCP on the VMware NAT.

In this case, what should I put as the Host port?

Because I am not using RDC from the host; I will be using my laptop to RDC to the virtual server.

0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Host port is the port number you use to perform the mapped port forward.

e.g. host port 4700 -> VM port 3389

Just make sure the host port is free and not in use.
0
 
bgoeringCommented:
Typically host and VM port are the same, and that will work OK for DNS and Remote Desktop assuming you are not running a DNS server or running RDP on your host machine. If either of those is the case you would have to use different ports; this would be port translation. For example, use 3389 on the VM and 3390 on the host, because 3389 is already in use if you may want to RDP to the host.

So much is required that I couldn't in good conscience recommend you use NAT for a domain controller if the host you are running Workstation on is also a Windows box. You MIGHT get away with it if you are running Workstation on Linux, but if your host machine is also Windows there will be a lot of conflicts. If that is the case, use bridged, and depend on the host firewall on your domain controller VM.
0
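The forwarding behaviour bgoering and Andrew describe above (rules match only TCP or UDP, a host port can be translated to a different VM port, and a rule that reuses a port the host itself listens on is a conflict) is modelled below as an added Python example. It is not VMware's code and does not talk to the NAT service; it is a toy lookup table. The VM address and the 3384->3389 and 53->53 rules are the values discussed in this thread; the host address 192.168.1.66 and the "RDP running on the host" listener are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    proto: str      # "tcp" or "udp": the only protocols a port-forward rule can name
    host_port: int  # port the laptop connects to on the host's address
    vm_ip: str
    vm_port: int    # port the guest actually listens on (may differ: port translation)


class NatForwarder:
    """Toy model of a NAT port-forward table (constructed example, not VMware's code)."""

    def __init__(self, host_ip, rules, host_listeners=()):
        self.host_ip = host_ip
        self.rules = {}
        for r in rules:
            key = (r.proto.lower(), r.host_port)
            if key in self.rules:
                raise ValueError(f"two rules claim host {key[0]}/{key[1]}")
            self.rules[key] = r
        # (proto, port) pairs on which the host itself has a service listening
        self.host_listeners = {(p.lower(), port) for p, port in host_listeners}

    def conflicts(self):
        """Host ports claimed by a rule while a host service also listens there."""
        return sorted(k for k in self.rules if k in self.host_listeners)

    def route_inbound(self, proto, dst_port=None):
        """Where an inbound packet addressed to the host's IP ends up."""
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            # ICMP echo carries no port number, so no rule can ever match it.
            return ("not_forwardable", f"{proto} carries no port; it stays at the host")
        rule = self.rules.get((proto, dst_port))
        if rule is None:
            return ("host", f"{self.host_ip}:{dst_port}")
        return ("vm", f"{rule.vm_ip}:{rule.vm_port}")


def build_example():
    """The setup from this thread: RDP translated 3384->3389 so it does not
    collide with RDP on the host, plus DNS on both transports.
    Host IP and the host-side RDP listener are constructed sample values."""
    vm = "192.168.120.72"
    rules = [
        ForwardRule("tcp", 3384, vm, 3389),
        ForwardRule("udp", 53, vm, 53),
        ForwardRule("tcp", 53, vm, 53),
    ]
    return NatForwarder("192.168.1.66", rules, host_listeners=[("tcp", 3389)])


def untranslated_rdp_example():
    """Forwarding 3389->3389 while the host also runs RDP: the conflict case."""
    return NatForwarder("192.168.1.66",
                        [ForwardRule("tcp", 3389, "192.168.120.72", 3389)],
                        host_listeners=[("tcp", 3389)])


if __name__ == "__main__":
    nat = build_example()
    for pkt in [("icmp", None), ("tcp", 3384), ("udp", 53), ("tcp", 3389)]:
        print(pkt, "->", nat.route_inbound(*pkt))
    print("conflicts:", nat.conflicts())
    print("conflicts with untranslated RDP rule:", untranslated_rdp_example().conflicts())
```

The `conflicts()` check is the part worth keeping around: every forward rule is a host port the host can no longer use for itself, and the domain-controller port list above would consume 135, 389, 636 and the whole RPC high range on the host, which is why both experts steer a DC toward bridged mode.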
 
johnsarAuthor Commented:
RDC is not working from my laptop. It works from the host but not from my laptop.

I port forwarded port 3384 on my router to the host machine and also port forwarded 3389 on the VMware NAT, but it's still not working.

Host port is 3384, VMware IP is 192.168.120.72, VMware port is 3389 in the VMware NAT and also in my router's NAT settings.

My laptop IP is 192.168.1.67.

I can RDC to my host's public IP, which is 119.224.87.59.

Any ideas why I still can't RDC to the virtual server?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If you try telnet <host ip address> 3384,

do you get a connection? Because this should port forward to the VM port 3389.
0
 
johnsarAuthor Commented:
I don't have telnet, but I used PuTTY to connect to my host's IP, which is a public IP given by the router, after I port forwarded 3384 on the router.

It connects but stays there. I don't get any message or anything, but it stays connected.

My host's IP is now 119.224.87.59, which is a public routable IP.

0
 
johnsarAuthor Commented:
This is strange. I could manage to remotely log in to my virtual server, but not directly.

I could remotely log in to my host machine via its public IP, and then from there I managed to remotely log in to the virtual server's internal IP address, which is 192.168.120.72, using the username, domain name and password, and it was successful!

Is this normal?

Is this how it's supposed to work when behind NAT?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Have you got port forwards on your public IP?

If you can establish a telnet session to port 3384, then that port is listening and is possibly being port forwarded correctly. Just stop port forwarding to confirm that PuTTY should then not connect.

0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
When you are on the host server, this is correct.

But if you are on the external network, you will need to use Advanced NAT.

What are you trying to achieve: reach this VM from the external network, from the public network beyond the router?
0
 
bgoeringCommented:
I guess you are running something like this:

client(192.168.1.67) -> Router -> Internet -> (119.224.87.72)Router -> host -> vm

In this case the client is on a different network connecting over the Internet to the public IP of the router on port 3384. In turn, is that getting forwarded to your host on 3384? And is the NAT forwarding 3384 to the VM on port 3389?

Or is it some different setup completely? If it is all set up as I assume, then you should be able to open the Remote Desktop app on the client and connect to 119.224.87.72:3384. Check each step along the way, making sure you are not trying to use a port that is already in use and that you are doing the port translation properly at both the router and the NAT config for VMware.
0
 
johnsarAuthor Commented:
bgoering: I took screenshots of the NAT settings of my router where I port forwarded for RDC.

http://img689.imageshack.us/f/rdcfi.jpg/

http://img402.imageshack.us/f/rdc2.jpg/

My laptop isn't being port forwarded at all on my router; the only Ethernet port that is being port forwarded is the one the host machine is connected to.

So my host machine is being port forwarded by the router.

I had to assign the host machine a public IP address before doing any port forwarding for it,

as you can see in the screenshot below.
http://img21.imageshack.us/f/publicip.jpg/

This is the way my modem/router does port forwarding.

So the IP of the host machine is now 119.224.87.59, given by the router automatically.

My laptop IP is given by the router's DHCP, which is 192.168.1.67.

And the virtual machine's internal static IP is set to 192.168.120.72 by the VMware NAT.

So that's my setup.

But here's the thing. I just removed the NAT setting on my VMware NAT for RDC, but I CAN still remotely log in to the host machine and from there log in to the virtual server!

How is it possible?

And I can't telnet to port 3384 on 119.224.87.59 anymore. The connection just goes away; it doesn't stay connected. But I can still remotely log in.

Do you think this is because of my router doing the port forwarding or something?
0
 
johnsarAuthor Commented:
Or maybe I shouldn't do any port forwarding on my router at all if I don't want to remotely connect over the Internet, and just do it in the VMware NAT settings to make it work only locally?

What do you think?

Does the router cause any conflicts right now?
0
 
johnsarAuthor Commented:
Well.

I removed those 2 NAT entries on my router; after that I could still log in to the host PC and from there to the virtual server. So those entries had no effect from the beginning, obviously.

So I gave up and added another NIC for the virtual server and made it a Bridged network, while keeping the other NIC, which is NAT.

Now I have 2 NICs and I can ping the DNS and the new IP of the server, which is 192.168.1.70.

But I would still like to find out why the port forwarding for RDC doesn't work for me on the NAT adapter.

I did everything.

How secure is my network now with 2 different adapters on the server?

Am I exposed to attacks now that I added a Bridged adapter?
0
 
johnsarAuthor Commented:
LOL. Things look better now.

I can finally ping the NAT IP 192.168.120.72 and can also directly RDC to that IP now.

On the virtual server I installed Routing and enabled RIPv2 routing for the Bridged and NAT adapters, and now it's working.

So is this a good solution?
0
 
azeempatelCommented:
On your VM you should have 2 LAN cards.

1. One will be for the VLAN through which you want to connect to other VMs.

2. The other LAN card has to be HOST (Configuration > LAN Card > Properties > change from VLAN to HOST). This will communicate with your local machine.
This VM and the laptop should be on the same subnet.
In some cases you will have to install the Microsoft loopback adapter and leave it unconfigured.
0
 
johnsarAuthor Commented:
azeem: where is Configuration -> LAN Card -> Properties?

I use VMware Workstation 7.0.

By Host do you mean choosing a network card which is Host-only?

I don't see any VLAN.
0
 
azeempatelCommented:
Yes. Click on VM Machine > Properties > Network. In this you can add and remove components, so add a new LAN card and from the drop-down select Host-only.
0
 
johnsarAuthor Commented:
OK. So what would be the other NIC to add?

You said VLAN, but I can't see anything called VLAN.

Do you mean the NAT NIC?
0
 
azeempatelCommented:
No, use the Host-only option; forget about the VLAN option.
0
 
johnsarAuthor Commented:
So one Host-only NIC or two,

if I want to be able to talk to all clients in my network?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
All seems overly complicated.

NAT versus Bridged security:

NAT is slightly safer, when you don't open up all the ports for Advanced NAT.

You should use a good firewall anyway.
0
 
johnsarAuthor Commented:
I can now ping my NAT IP and also resolve the DNS from the NAT IP on my laptop.

But it took me a lot of time to figure out.

I had to install Routing on my virtual server, change the DNS-related entries on the DNS server so that every time I pinged the domain name it pointed to the NAT IP and not the Bridged network IP, and also had to manually add a route on my laptop with the gateway set to the IP of my second NIC on the virtual server, which is the Bridged card. lol.....


I had to manually add a route on my laptop: route ADD 192.168.120.0 MASK 255.255.255.0 192.168.1.70, and after that I could ping the NAT IP.

And I didn't do any port forwarding.

I just don't understand why 192.168.1.70 became the gateway to the NAT network.

I didn't specify anywhere that 192.168.1.70 should be the gateway.

Does anyone know?

Also I have to keep the Routing server running at the same time to make it work.
0
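The three static routes johnsar tried over the course of this thread (gateway 192.168.1.254, then 192.168.120.2, finally 192.168.1.70) behave differently for a reason the route table itself shows. The added Python example below, which is not from the thread and only simulates a host's route selection with the standard `ipaddress` module, picks the longest-prefix match the way Windows and Linux do and then checks whether the chosen gateway is on the laptop's own subnet. A gateway that is not on-link cannot be reached at layer 2, so the route can never deliver a packet; a gateway that is on-link gets the packet, but then has to know the destination network itself. The laptop address, prefix length and the default route via 192.168.1.254 are assumptions taken from the values quoted in the thread.

```python
import ipaddress

ON_LINK = "on-link"  # directly connected network: no gateway needed


def select_route(routes, iface_cidr, dst):
    """Pick the route a host would use for dst and say whether it is usable.

    routes:     list of (network, gateway) strings; gateway ON_LINK for the
                host's own subnet. Longest prefix wins (ties: first listed).
    iface_cidr: the host's address with prefix, e.g. "192.168.1.65/24".
    Returns (matched_network, gateway, usable). A route is unusable when its
    gateway is not on the host's own subnet: the host cannot ARP for it.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    target = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), gw) for n, gw in routes]
    candidates = [(n, gw) for n, gw in candidates if target in n]
    if not candidates:
        return (None, None, False)
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    usable = gw == ON_LINK or ipaddress.ip_address(gw) in iface.network
    return (str(net), gw, usable)


# Laptop 192.168.1.65/24 with the routes DHCP gave it (assumed from the thread).
LAPTOP = "192.168.1.65/24"
BASE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.254"),  # default route via the home router
    ("192.168.1.0/24", ON_LINK),
]
VM_NAT_IP = "192.168.120.72"


def scenarios():
    """The three 'route ADD' attempts from the thread, evaluated for the VM's NAT address."""
    via_router = BASE_ROUTES + [("192.168.120.0/24", "192.168.1.254")]
    via_nat_gw = BASE_ROUTES + [("192.168.120.0/24", "192.168.120.2")]
    via_bridged_nic = BASE_ROUTES + [("192.168.120.0/24", "192.168.1.70")]
    return {
        "router": select_route(via_router, LAPTOP, VM_NAT_IP),
        "nat_gateway": select_route(via_nat_gw, LAPTOP, VM_NAT_IP),
        "bridged_nic": select_route(via_bridged_nic, LAPTOP, VM_NAT_IP),
    }


if __name__ == "__main__":
    print("no static route:", select_route(BASE_ROUTES, LAPTOP, VM_NAT_IP))
    for name, result in scenarios().items():
        print(f"{name:12s} ->", result)
```

Reading the results: the route via 192.168.1.254 is "usable" but changes nothing, because the default route already sent those packets to the router, and the router has no entry for 192.168.120.0/24 (that network exists only inside the VMware NAT on the host). The route via 192.168.120.2 is unusable from the laptop, since that gateway lives on a subnet the laptop is not attached to. The route via 192.168.1.70 works because the laptop can reach that address directly and, with RRAS enabled, the VM's bridged NIC forwards into 192.168.120.0/24. That is the whole answer to "why did 192.168.1.70 become the gateway": the laptop's own static route named it, and the VM was turned into a router between the two networks. It also shows why bgoering's later advice to drop the second NIC and RRAS is sound: the VM is then no longer a path between the bridged LAN and the NAT segment.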
 
azeempatelCommented:
In the Virtual Network Editor options there is a DHCP server for the NAT and Host-only adapters.
0
 
johnsarAuthor Commented:
NAT is very complicated and confusing. I've spent 3 days on NAT so far.
0
 
bgoeringCommented:
It does seem a bit complicated. The reason the port forwarding didn't work is that you "assigned a public IP" to your host, thus making it a "DMZ" host on your internal network. By doing that the host is isolated from the other hosts on your network, and specific port forwarding rules don't apply. You can only do one or the other: make it a DMZ host OR port forward specific ports (with or without port translation) to individual machines.

Your best bet would be to turn off that DMZ (assign a public IP) feature on your Technicolor DSL modem/router unless you for some reason need your host to be fully and completely accessible on the Internet. Instead, just let the router give it an address on your internal network like it gives your laptop an address. Now only port forward ports for whatever services you wish to expose to the Internet to your host. For example, if you are running a web server on your host, then port forward the web server port 80 so that only that port is accessible from the Internet.

At this point your VMware host machine and your laptop will be on the same 192.168.x.x network and able to communicate freely with one another, and only services that you wish to expose to the Internet will be exposed by port forwarding rules. That has to be much more secure than the way you have it with the DMZ host!

Get rid of routing and RAS, get rid of the 2nd NIC, and refer back to previous posts. It should be as simple as going to the VMware Advanced NAT setup and port forwarding TCP/3384 to port 3389 on your VM, UDP/53 to UDP/53 on your VM, and TCP/53 to TCP/53 on your VM. That will do the port translation for RDP (so there is no conflict with RDP on your host) and it will make the DNS server on your VM available on your network.

On your laptop, point your DNS server configuration to your host machine's IP address (the VM IP address isn't relevant, as it will be accessed via your host machine port forwarding to the VM). On your laptop create a Remote Desktop entry for your VM with the IP address of your host machine, a colon ":", then the port 3384. If after your reconfig is done your host has an IP of 192.168.1.10, then the RDP entry will be 192.168.1.10:3384.

Finally, if you really want to use this VM as a domain controller, then forget all of that and make the VM use a bridged connection rather than a NAT connection. At that point the VM will pull another DHCP address from your router and be logically on the same network as your host and laptop, and usable as a DC.
0
 
johnsarAuthor Commented:
bgoering: thanks. I disabled RAS routing and the second bridged NIC, got rid of the public IP on the host, port forwarded UDP/TCP 53 and 3384 to 3389 on the VMware NAT, and RDC worked from the laptop.

On the laptop I pointed the primary DNS to the host IP, which is 192.168.1.66, and then in RDC I entered 192.168.1.66:3384 and connected to the host.

But instead of logging in to the host, I logged in to the domain of the virtual server and it worked.

Is that how it's supposed to work behind NAT?

Also, if I set up an FTP server on the VMware virtual server and I want to have accounts for other LAN clients to be able to connect to the FTP server, then how should I connect to the FTP server?

Port forward TCP port 21 to 21, and to connect to it I should first connect to the host and then to the VMware FTP server?
0
 
bgoeringCommented:
Yes, that is how it is supposed to work with NAT. With FTP, forward both TCP/20 and TCP/21; then the FTP client will connect to the host IP and will be forwarded to the FTP server on the VM guest. Note that you will be unable to run an FTP server on the host at the same time; I don't know any way around that. Sounds like you are up and running :)
0
 
johnsarAuthor Commented:
So in the FTP client on the laptop, I should put the host IP and connect?

Then the host automatically redirects me to the VMware virtual server machine?
0
 
bgoeringCommented:
It works just like the others: forward 20 and 21 and connect to the host IP... We are getting a bit off topic for this question, which was originally about why ping didn't work with NAT, and have moved far afield into network design and network/router configuration. To explore NAT further I would recommend you close this and open a new question under network design, but you shouldn't need that. If you have some services working (DNS and RDP), are even doing the port translation with RDP, and you understand you can't use NAT if you have conflicting services between the host and the VM using the same ports, then I think you have it. If you need to do more in the way of open ports, conflicting ports, or ICMP, then use bridged networking.

Good Luck
0
 
johnsarAuthor Commented:
OK. I will close this topic and create a new one, as I want to learn more.

You can come to my new topic to share your ideas.

:)
0
