VMware Cloud Community
upgrayyyedout
Contributor

VM in DMZ fails to NAT

Or I fail at life, you tell me. Here's the scenario.

Short version: VM and host are in the DMZ. Host has 2 NICs connected to DMZ pswitch (management and VM port group). DMZ pswitch is connected to a firewall. Created rules on the fw to create static NAT for VM, and allow it DNS and HTTP access to the WWW (also ICMP for testing, this will be disabled later).

Here's the problem. From the VM, I can't do nslookup or ping. Both time out. I can see in the FW log that the traffic is hitting the FW and allowed out. It just can't find its way back. Strangely enough, when I ping the external address of the VM, it is NAT'd inbound, and the ping returns to my PC.

Is there something I have to do beyond what I would do to add a physical machine to the DMZ?

Example diagram:

http://i.imgur.com/H7DWj.png

3 Replies
marcelo_soares
Champion

Is your firewall/NAT an OS or an appliance dedicated to it (wanting to know if you are using iptables, which I am used to)?

Can you do the same test from within the ESX to check if the 100 IP has the same behavior? I really think this is not VMware related (it should not be), so maybe some configuration on the NAT is missing...

Marcelo Soares
peterdabr
Hot Shot

Hi,

It doesn't look to be a VMware-related issue at all. If you don't see return traffic on the firewall for the VM sending out nslookup/ping, then it is either misconfigured firewall rules, or the path back for return traffic is different (for instance the 8.0.0.x network is announced somewhere else) and it is blocked on another device, not even reaching your firewall (less likely, though I've seen it before)... Also, unless your firewall can do BGP sessions, there has to be another routing device in front of the firewall. Can you look for return traffic there?

Also, I find it very useful to run tcpdump (if Linux) or Wireshark/MS Network Monitor (if Windows) when troubleshooting network-related problems; I suggest you run it simultaneously on VM1 while sniffing the traffic higher up in the network.

Peter D.

upgrayyyedout
Contributor

Thanks for chiming in guys. Made me take a more thorough look at the firewall. I hadn't added the IP of the VM to local.arp (it's a Check Point FW).

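Peter's suggestion above (capture on the VM and higher up at the same time) is what exposes the failure mode the thread ends on: the outbound packets leave the firewall with the NAT'd source address, but nothing upstream ever answers ARP for that address, so replies have nowhere to go until the firewall proxy-ARPs it (the local.arp entry on Check Point). The script below is an added example, not code from the thread or from any vendor: it correlates two constructed tcpdump-style summaries (VM side and upstream side) by ICMP id/seq and reports at which hop each probe stopped, plus whether the NAT address was ARP'd for without an answer. The addresses (10.0.0.100, 203.0.113.50, 203.0.113.1, 192.0.2.53) and the capture lines are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data (assumptions, not from the thread): the VM's private
# address, its static-NAT public address, and the router in front of the firewall.
VM_IP = "10.0.0.100"
NAT_IP = "203.0.113.50"
UPSTREAM_ROUTER = "203.0.113.1"

# Constructed tcpdump-style capture taken on the VM itself: two echo requests go out,
# no replies ever come back.
VM_CAPTURE = """\
IP 10.0.0.100 > 192.0.2.53: ICMP echo request, id 42, seq 1, length 64
IP 10.0.0.100 > 192.0.2.53: ICMP echo request, id 42, seq 2, length 64
"""

# Constructed capture taken on the segment between the firewall and the upstream router:
# the requests leave with the NAT'd source, and the router keeps asking who-has the
# NAT address with nobody answering (the proxy-ARP entry is missing on the firewall).
UPSTREAM_CAPTURE = """\
IP 203.0.113.50 > 192.0.2.53: ICMP echo request, id 42, seq 1, length 64
ARP, Request who-has 203.0.113.50 tell 203.0.113.1, length 28
IP 203.0.113.50 > 192.0.2.53: ICMP echo request, id 42, seq 2, length 64
ARP, Request who-has 203.0.113.50 tell 203.0.113.1, length 28
"""

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
ARP_REQ_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REP_RE = re.compile(r"ARP, Reply (\S+) is-at")


def parse(capture):
    """Extract ICMP echo records and the set of ARP targets asked for / answered."""
    icmp, asked, answered = [], set(), set()
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            icmp.append({"src": src, "dst": dst, "kind": kind, "key": (int(ident), int(seq))})
            continue
        m = ARP_REQ_RE.search(line)
        if m:
            asked.add(m.group(1))
            continue
        m = ARP_REP_RE.search(line)
        if m:
            answered.add(m.group(1))
    return icmp, asked, answered


def diagnose(vm_capture, upstream_capture, vm_ip, nat_ip):
    """Classify each probe by the last hop where it was seen, and flag unanswered ARP
    for the NAT address. Returns {"probes": {(id, seq): stage}, "arp_unanswered": bool}."""
    vm_icmp, _, _ = parse(vm_capture)
    up_icmp, asked, answered = parse(upstream_capture)
    seen = defaultdict(set)
    for p in vm_icmp:
        if p["kind"] == "request" and p["src"] == vm_ip:
            seen[p["key"]].add("vm_out")
        elif p["kind"] == "reply" and p["dst"] == vm_ip:
            seen[p["key"]].add("vm_in")
    for p in up_icmp:
        if p["kind"] == "request" and p["src"] == nat_ip:
            seen[p["key"]].add("up_out")   # outbound NAT worked
        elif p["kind"] == "reply" and p["dst"] == nat_ip:
            seen[p["key"]].add("up_in")    # reply reached the firewall's outside

    stages = {}
    for key, s in sorted(seen.items()):
        if "vm_out" not in s:
            continue                        # only probes the VM actually sent
        if "up_out" not in s:
            stages[key] = "not-forwarded"   # dropped by rule, or outbound NAT missing
        elif "up_in" not in s:
            stages[key] = "no-reply-upstream"   # left fine, nothing came back: look upstream
        elif "vm_in" not in s:
            stages[key] = "reply-not-translated"  # came back, firewall didn't un-NAT it
        else:
            stages[key] = "ok"
    return {
        "probes": stages,
        "arp_unanswered": nat_ip in asked and nat_ip not in answered,
    }


if __name__ == "__main__":
    result = diagnose(VM_CAPTURE, UPSTREAM_CAPTURE, VM_IP, NAT_IP)
    for key, stage in result["probes"].items():
        print(f"id={key[0]} seq={key[1]}: {stage}")
    if result["arp_unanswered"]:
        print(f"{UPSTREAM_ROUTER} asked who-has {NAT_IP} and nobody answered:"
              " the firewall is not proxy-ARPing the NAT address")
```

On the constructed data every probe ends up as "no-reply-upstream" together with the unanswered-ARP flag, which is exactly the thread's symptom: the firewall log shows the traffic allowed out, inbound NAT tested from outside still works (the tester's own router already has the MAC cached), and only the VM-initiated flows die. The "reply-not-translated" stage is the other case worth distinguishing, since it points at the firewall's inbound translation rather than at the devices in front of it.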