I installed an NSX Edge on an uplink dvPortGroup mapped to a physical VLAN, but I cannot ping it.
Any idea? How do I test if it's working?
Is it possible to check on the Edge Firewall whether ICMP is allowed, or whether the default last rule is permit? Also, is there a static route (or a default route) towards the IP address from which the ping request is sent?
OK, I can ping it now, and here is my setup.
How do I let my web/app/db tiers access the outside world? From the web/app/db tiers I can ping the .2 address.
I think in this design there is no DLR, as the Logical Switches are connected to the ESG Edge. For connecting to the outside world, for example the VMs on the Web-Tier LS, there are 2 possibilities.
Also, the gateway of the VMs should point to this Edge; the gateway should be 192.168.10.2 for Web VMs. Since it is pingable, and if there is a default gateway on this Edge pointing to the physical FW, then:
1- NAT on the Edge (FW should also be enabled; NAT should be applied on the outside Uplink interface)
A Web VM, e.g. 192.168.10.11, could be NATed to 10.50.1.x or 10.50.1.97. If this is done, then on the outside FW 10.50.1.x should also be NATed to a real IP address. This has the advantage that the same IP blocks could be used for other environments such as Test and Development. Also, rules on the Edge and DFW should allow this connection.
For the Outside --> Web VM direction, DNAT is needed.
For the Web VM --> Outside direction, SNAT is needed.
2- NAT on the Physical Firewall
192.168.10.11 could be NATed only on the Physical FW; if this is done, the same IP blocks may not be used on other Edges.
For more detail on the NSX NAT configuration, the following articles may be helpful:
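Option 1 above (SNAT for the Web tier going out, DNAT for one published Web VM coming in) expressed as the NAT configuration you would push to the Edge. This is an added example, not code from the thread or from VMware: the element names and the PUT /api/4.0/edges/{edgeId}/nat/config path are my recollection of the NSX-v 6.x REST API and should be checked against your NSX Manager's API reference; the uplink vnic index, NSX Manager host, edge id and credentials are placeholders. Addresses are the ones quoted in the thread.

```python
"""NSX-v Edge NAT rules for "Option 1" (NAT on the ESG) from the post above.

Added example, not code from the thread. Element and path names follow the
NSX-v 6.x REST API (PUT /api/4.0/edges/{edgeId}/nat/config) as I know it;
they are an assumption here, so diff them against your NSX Manager's API
reference before pushing. Addresses are the ones quoted in the thread.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# vnic index of the Edge Uplink interface; vnic0 is the usual uplink (assumed).
UPLINK_VNIC = 0


def nat_rule(action, original, translated, vnic=UPLINK_VNIC, description=""):
    """Return one <natRule> element; action is 'snat' or 'dnat'.

    The Edge firewall must stay enabled for NAT to take effect (the posts
    above say so as well); the rule itself only describes the translation.
    """
    if action not in ("snat", "dnat"):
        raise ValueError("action must be 'snat' or 'dnat'")
    rule = ET.Element("natRule")
    for tag, text in [
        ("action", action),
        ("vnic", str(vnic)),                 # apply on the outside/uplink vnic
        ("originalAddress", original),       # address or CIDR as seen before NAT
        ("translatedAddress", translated),   # what it becomes after NAT
        ("loggingEnabled", "true"),          # log hits while troubleshooting
        ("enabled", "true"),
        ("description", description),
        ("protocol", "any"),
        ("originalPort", "any"),
        ("translatedPort", "any"),
    ]:
        ET.SubElement(rule, tag).text = text
    return rule


def nat_config(rules):
    """Wrap the rules in <nat><natRules>...</natRules></nat> as a PUT body.

    NSX evaluates NAT rules top-down and stops at the first match, so the
    list order is the rule order.
    """
    nat = ET.Element("nat")
    container = ET.SubElement(nat, "natRules")
    for rule in rules:
        container.append(rule)
    return ET.tostring(nat, encoding="utf-8")


def option1_rules(web_subnet="192.168.10.0/24", snat_ip="10.50.1.199",
                  web_vm="192.168.10.11", dnat_ip="10.50.1.97"):
    """SNAT for the whole Web tier outbound; DNAT for one published Web VM."""
    return [
        nat_rule("snat", web_subnet, snat_ip, description="web tier outbound"),
        nat_rule("dnat", dnat_ip, web_vm, description="inbound to web VM"),
    ]


def rule_summary(xml_body):
    """Parse a NAT config body back into (action, original, translated) tuples,
    handy for checking what is about to be pushed."""
    root = ET.fromstring(xml_body)
    return [
        (r.findtext("action"), r.findtext("originalAddress"), r.findtext("translatedAddress"))
        for r in root.iter("natRule")
    ]


def push_nat_config(manager, edge_id, xml_body, user, password):
    """PUT the body to NSX Manager, replacing the Edge's NAT rule set.

    Not called below; manager/edge_id/credentials are placeholders. Assumes
    the manager presents a certificate your trust store accepts.
    """
    url = f"https://{manager}/api/4.0/edges/{edge_id}/nat/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=xml_body, method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    body = nat_config(option1_rules())
    print(body.decode())
    for action, orig, trans in rule_summary(body):
        print(f"{action}: {orig} -> {trans}")
```

Run it as-is to see the XML; call push_nat_config() only once the rule summary shows what you expect, since the PUT replaces every NAT rule on that Edge rather than appending.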
Hi, here is my DLR.
The DLR is attached to the ESG via the transit network. Do I still need NAT, or can I create a default route 0.0.0.0 on each subnet to the ESG IP?
OK, I have deployed the NSX Edge and connected it to my DLR.
I also added a static default route to go out,
and also static routes to come back in to both the web and app tiers.
I guess now my issue is that the upstream physical router needs to know how to get to the web/app tiers. I don't have access to that and don't know if I can continue, as this requires access to the L3 router/switch.
I believe you can still continue. As cnrz has mentioned, use NAT.
1. Make sure the firewall rules on the ESG and DFW are allowing the test traffic (ICMP).
Do not disable the firewall on the ESG; instead, modify the firewall rules to Accept.
2. Make sure the IP address that you assigned to "Edge Uplink" (10.50.0.5) is a valid IP address in that segment.
3. Make sure the ESG can ping your L3 router/switch (directly connected).
4. Make sure the ESG can ping your DLR (Transit segment).
5. Configure SNAT on your ESG, for example to translate Web Tier's IP Subnet to an IP address in that "Edge Uplink" segment.
6. Ping from Web Tier to your L3 router/switch.
Regards,
yantothen
blog.ipcraft.net
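Steps 5 and 6 above work without touching the L3 router for a reason worth seeing end to end: the router answers whatever source address it saw, so the only question is whether its routing table can reach that address. The following is an added example (mine, not from the thread or from VMware) that walks an ICMP echo from a Web-tier VM to the physical router through the DLR and ESG and then walks the reply back, once without SNAT, once with SNAT on the ESG uplink, and once without SNAT but with the route on the physical router that the earlier post says would otherwise be needed. Addresses are the thread's; the hop names, the ESG uplink IP 10.50.1.197 and the physical router's table (only its connected 10.50.0.0/16 unless told otherwise) are assumptions of the model.

```python
"""Why SNAT on the ESG lets you continue without a route on the physical router.

Added example, not from the thread. It walks an ICMP echo from a Web-tier VM
to the physical L3 router through the DLR and ESG, then walks the reply back,
with and without SNAT. Addresses are the thread's; the hop names, the ESG
uplink IP 10.50.1.197 and the physical router's routing table (it knows only
its connected 10.50.0.0/16, plus optionally a route to the web tier) are
assumptions for the model.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Hop:
    name: str
    # (prefix, next hop name); the hop named is whoever gets the packet next
    routes: list = field(default_factory=list)
    owned_ips: set = field(default_factory=set)   # addresses this hop answers for

    def lookup(self, dst):
        """Longest-prefix match; None when nothing in the table covers dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


@dataclass
class Esg(Hop):
    snat_subnet: str = ""      # original source range to translate ("" = no SNAT)
    snat_ip: str = ""          # translated source on the uplink segment
    sessions: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Apply SNAT on the uplink if the source matches; record the session."""
        if self.snat_subnet and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.snat_subnet):
            self.sessions[(self.snat_ip, pkt.dst)] = pkt.src
            return Packet(self.snat_ip, pkt.dst)
        return pkt

    def inbound(self, pkt):
        """Undo SNAT for a reply that matches a recorded session."""
        original = self.sessions.get((pkt.dst, pkt.src))
        return Packet(pkt.src, original) if original else pkt


def build_topology(snat, router_route_to_web):
    dlr = Hop("dlr", routes=[("192.168.10.0/24", "web"), ("0.0.0.0/0", "esg")])
    esg = Esg("esg",
              routes=[("192.168.10.0/24", "dlr"),       # static route back to the web tier
                      ("10.50.0.0/16", "router"),       # uplink segment (connected)
                      ("0.0.0.0/0", "router")],         # default via the L3 router
              owned_ips={"10.50.1.197", "10.50.1.199"}, # uplink IP + SNAT secondary IP
              snat_subnet="192.168.10.0/24" if snat else "",
              snat_ip="10.50.1.199")
    router_routes = [("10.50.0.0/16", "esg")]           # connected VLAN; the ESG is the peer we model
    if router_route_to_web:
        router_routes.append(("192.168.10.0/24", "esg"))  # what you'd add with router access
    router = Hop("router", routes=router_routes, owned_ips={"10.50.0.5"})
    return dlr, esg, router


def trace_echo(snat, router_route_to_web=False, src="192.168.10.10", dst="10.50.0.5"):
    """Return the hop-by-hop trace; the last entry starts with OK or DROP."""
    dlr, esg, router = build_topology(snat, router_route_to_web)
    hops = []
    request = Packet(src, dst)
    if dlr.lookup(request.dst) != "esg":
        return hops + [f"DROP: DLR has no route to {request.dst}"]
    hops.append(f"web -> dlr -> esg  {request.src} -> {request.dst}")
    if esg.lookup(request.dst) != "router":
        return hops + [f"DROP: ESG has no route to {request.dst}"]
    wire = esg.outbound(request)                 # SNAT is applied on the uplink
    hops.append(f"esg -> router      {wire.src} -> {wire.dst}")
    if wire.dst not in router.owned_ips:
        return hops + [f"DROP: {wire.dst} is not the router"]
    reply = Packet(wire.dst, wire.src)           # the router answers whoever it saw
    if router.lookup(reply.dst) != "esg":
        return hops + [f"DROP: physical router has no route to {reply.dst}"]
    hops.append(f"router -> esg      {reply.src} -> {reply.dst}")
    if reply.dst in esg.owned_ips:
        reply = esg.inbound(reply)               # reply to the SNAT address: un-translate
        hops.append(f"esg un-SNAT        {reply.src} -> {reply.dst}")
    if esg.lookup(reply.dst) != "dlr" or dlr.lookup(reply.dst) != "web":
        return hops + [f"DROP: no route back to {reply.dst}"]
    return hops + [f"OK: reply delivered to {src}"]


if __name__ == "__main__":
    for args in [dict(snat=False), dict(snat=True), dict(snat=False, router_route_to_web=True)]:
        print(args)
        for line in trace_echo(**args):
            print("  " + line)
```

The model only covers routing and address translation; it does not model the ESG or DFW firewall, which is exactly why step 1 above comes before the NAT steps.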
I am not able to ping my L3 router IP 10.50.0.5. Here are my NAT rules. Can't ping from the physical network to 10.50.1.199 either.
Here are the firewall rules. They are the auto-generated rules; I did not add any.
BTW:
- Have you checked the DFW rules as well?
- Can the Web Tier ping the ESG's transit IP that connects to the DLR?
Regards,
yantothen
blog.ipcraft.net
Yes, it can. The web tier can ping the internal interface of the ESG. Do I need to set up a firewall rule?
From my physical 10.50.x.x VLAN,
from a machine 10.50.1.37,
I added a static route to the web tier:
route add 192.168.10.0 mask 255.255.255.0 10.50.1.197 metric 2
Then from that VM, I was able to ping the web server 192.168.10.10,
but I cannot ping 10.50.1.37 from the web server.
Any idea why?
Not sure why I cannot ping my L3 gateway IP 10.50.0.5 from the web tier.
From the ESG, I can ping it.
It seems that your NAT is not working yet.
BTW, have you added the translated IP address (10.50.1.199) as a secondary IP address on the ESG's Edge Uplink interface?
Regards,
yantothen
blog.ipcraft.net
Yes, I did.
And for the NAT rules:
NAT config looks good.
Please make sure the DLR also has the routing to go out to the physical network (10.50.0.0/16).
Also make sure the DFW firewall rules are allowing the test traffic.
This is from the DLR. The default route is going to the ESG.
This is from the ESG.
Hi,
here is my topology. I don't know why NAT does not work.
OK, not sure what happened, but I finally got NAT working. From my web tier I was able to ping public IPs.
I didn't put the secondary IP address in there. I only specified the NAT IP under the NAT rules.