VMware Networking Community
niceguy001
Enthusiast

SNAT and DNAT not working on Edge router?

I'm stuck on a problem setting up NAT for a network directly connected to the ESG.

It should be simple, but I have no idea where the bug is...

The configuration is below:

0. The outside network (10.101.6.0/24) works just fine and is also used by the hosts.

1. One ESG with uplink interface IP 10.101.6.25 (and secondary 10.101.6.26) is connected to a vDS portgroup properly.

2. The vNIC on the ESG has interface IP 192.168.1.1 and is connected to a logical switch.

3. A test VM uses that logical switch as its network interface, with static IP 192.168.1.2/24.

The configuration of the SNAT on the ESG is below:

applied on the (only) uplink interface; original source IP/range set to 192.168.1.0/24; translated source IP/range set to 10.101.6.26

The configuration of the DNAT on the ESG is below:

applied on the same uplink interface; original destination IP/range is 10.101.6.25; translated IP/range is 192.168.1.2

Additionally, I configured the ESG firewall as enabled, and the rules are all accept.

The test VM just couldn't reach outside anyway; it cannot even ping the default gateway 192.168.1.1.

Did I misunderstand any knowledge or configurations?

Thanks for any reply~!

Accepted Solutions
Sreec
VMware Employee

Keeping your NAT aside, your main problem is VM to gateway connectivity.

> Can you check the VM & ESG routing tables? You should see 192.168.1.0/24 as a directly connected network.

> Firewall/iptables etc. at the guest level.

> Is ESG to VM connectivity fine?

> Are they running on two different ESXi servers? If possible, migrate them to the same server and test to rule out possible uplink/policy issues etc.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

7 Replies
niceguy001
Enthusiast

Hi Sreec,

Your reply is very much appreciated!

But I just discovered that I confused myself;

the configurations were all OK...

because I just double-checked, and the test VM can ping the gateway 192.168.1.1 and both 10.101.6.25 and 10.101.6.26 without a problem.

The pings all replied normally, which achieved my initial expectation.

The final problem is that the VM couldn't reach 8.8.8.8; it is unable to reach the internet.

(The 10.101.6.0/24 was designed as public IP.)

I believe the static route and next hop do not need to be configured, nor does the DHCP.

The "route redistribution table" didn't help either.

Any ideas?

Thanks for the reply again!

Sreec
VMware Employee

Good to hear that :) . Can the ESG reach the internet?

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
niceguy001
Enthusiast

Yes, the ESG can reach the internet.

I logged in to the edge and pinged 8.8.4.4 and 208.67.222.222; they all replied.

The edge router can also ping the 10.101.6.0/24 (designed as public IP and used by hosts), of course.

And now I turned off the edge firewall and the VM firewall; it didn't help at all.

This is weird...

Sreec
VMware Employee

VM-ESG and ESG to external connectivity is fine as per your findings. Looks like a NAT issue. What is the reason for using two IPs for the SNAT/DNAT rules? Can you write rules like below?

1. SNAT and DNAT with one external IP of the ESG

2. Run a traceroute from the VM to whatever external IP you want to check

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
niceguy001
Enthusiast

Alright, I solved this question.

I double-checked the NAT settings on the ESG and deleted the DNAT, which I actually don't need.

There might be something wrong with the network, and I later found the VM could ping 8.8.8.8.

Weird, but it was supposed to be like this.

The last problem that disappointed me was that the test VM can ping the internet but couldn't browse websites!

After several rounds of troubleshooting, the reason why the VM can ping the internet but not browse...

was caused by the VM and the ESG being located on different hosts.

I vMotioned the VM to the host where the ESG resided and thereby solved the browsing problem on the VM,

although further debugging might need to be done..

It's kind of like MTU and VXLAN problems. I forgot to check the MTU setting on the physical networks.

My GOAL was connecting a test VM to a logical switch and ESG, then trying the networking from the VM to the internet.

Anyway, Sreec, I really appreciate your kind help. You are a patient expert!

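A small model of the MTU mismatch the last post lands on (ping works, browsing stalls, and moving the VM onto the ESG's host "fixes" it), added here as an illustration and not code from the thread or from VMware. The 50-byte VXLAN overhead is the standard outer IPv4 + UDP + VXLAN + inner Ethernet header sum; the ping and TCP packet sizes and the 1500/1600-byte transport MTUs are constructed values for the demonstration.

```python
# Added example (not from the thread): why a VXLAN transport MTU that is too
# small lets small ICMP echoes through but silently drops full-size TCP
# segments, and why VM<->ESG traffic on one host is unaffected.
VXLAN_OVERHEAD = 20 + 8 + 8 + 14   # outer IPv4 + UDP + VXLAN + inner Ethernet = 50 bytes
PING_PACKET = 84                   # constructed: default Linux ping, 20 IP + 8 ICMP + 56 data
FULL_TCP_PACKET = 1500             # constructed: full-size segment from a VM with a 1500-byte MTU


def min_transport_mtu(vm_mtu: int = 1500) -> int:
    """Smallest physical/VTEP MTU that carries a full-size VM packet unfragmented."""
    return vm_mtu + VXLAN_OVERHEAD


def reaches_far_end(inner_ip_len: int, transport_mtu: int, same_host: bool) -> bool:
    """True if an inner IP packet of inner_ip_len bytes gets across.

    When the VM and the ESG sit on the same host the frame stays inside that
    host's virtual switch and is never VXLAN-encapsulated onto the wire, so the
    physical MTU does not matter (the vMotion observation in the thread).
    Across hosts the frame is encapsulated; a TCP segment with DF set that
    exceeds the transport MTU is dropped, while a small ping still fits.
    """
    if same_host:
        return True
    return inner_ip_len + VXLAN_OVERHEAD <= transport_mtu


def diagnose(transport_mtu: int, same_host: bool = False) -> dict:
    """Classify the two symptoms from the thread for a given physical MTU."""
    return {
        "ping_ok": reaches_far_end(PING_PACKET, transport_mtu, same_host),
        "http_ok": reaches_far_end(FULL_TCP_PACKET, transport_mtu, same_host),
        "min_transport_mtu": min_transport_mtu(),
    }


if __name__ == "__main__":
    for mtu in (1500, 1600):
        print(f"transport MTU {mtu}, different hosts: {diagnose(mtu)}")
    print(f"transport MTU 1500, same host: {diagnose(1500, same_host=True)}")
```

The practical consequence is a path-MTU black hole: the drop is silent unless the host returns ICMP "fragmentation needed", so the check belongs on the transport path itself, e.g. a don't-fragment vmkping of VTEP size across the physical network, rather than on the VM's default-size ping.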
Sreec
VMware Employee

Good to hear that & happy to help anytime :)

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist