
  • Route to Different Subnet

    Hi There,

    We have our ESXi 6.0 host behind our ASA 5505 firewall.

    In one switch port of the firewall we have a /28 of IPs going to it and another /29 of IPs in another.

    In one port we have a DMZ setup on it to assign VMs for public access. These VMs have a public IP and use the gateway of the DMZ interface on the ASA firewall.

    On the other switch port we have our other set of IPs going to our internal VMs, all of which have private IPs, with our ASA firewall using NAT.

    What we need to do (I think) is set up a static route on the ESXi host so that the VMs using public IPs can exit the ESXi host and go out via a specific IP, which happens to be the DMZ interface. Currently, the way we have it set up, no traffic can exit our public VMs as it does not know where to go. Can someone tell us if we need a static route or something else? We have two physical NICs so we can dedicate one to our public VMs.

  • #2
    Can you draw a network diagram and post that?

    Network Consultant/Engineer
    Baltimore - Washington area and beyond


    • #3
      ESXi isn't a router and has no ability to route traffic. That being said, it isn't clear to me exactly what you're trying to accomplish. Could you elaborate?


      • #4
        Hi there guys.
        Thank you for the response. I have attached a diagram. I hope it makes sense. What I want to do is separate a VM from my internal VMs and assign these VMs a public IP address so anyone using this VM can manage their own firewall. I was hoping to use the DMZ interface on the ASA firewall as my 69 IP range only routes into the DMZ interface. Presentation1.pdf


        • #5
          I should add that in the firewall logs on the ASA traffic can enter the DMZ interface but is blocked by an implicit rule, which is fine. However, when I add the correct rules, the VPS VM using the DMZ interface with a public IP does not have internet access... nothing can go out... I think it is a routing issue to do with the ESXi, as the public IPs cannot route to the default gateway on the ESXi, which is an internal IP.


          • #6
            By that diagram you have a dedicated NIC for the 69 addresses, which I presume is the one you want to manage?

            Create a new vSwitch and assign the NIC that is on the DMZ connection to that vSwitch. That should get you sorted.


            • #7
              I have tried that before, but you cannot have more than one gateway on an ESXi host. Therefore the traffic on the 69 address does not know where to go.


              • #8
                What we have is the 69 IP addresses going from the switch to the DMZ interface on our ASA firewall, so in order to do what you said we would have to bypass the ASA and connect the physical NIC from the ESXi host directly into the switch which routes our 69 address traffic... Bypassing the firewall is not a good idea, is it? Even though we want traffic on that NIC managed by VMs that will be using iptables.

                We are at a complete loss as to how to get this working. We thought about creating a static route in the ESXi, and then we could assign a public 69 address to the physical NIC and with a static route then route the traffic via the DMZ interface.

                Does anyone have any suggestions on how to get this working so we can assign public IPs to our VPS VMs so people can manage their own firewall via iptables?


                • #9
                  I'm not sure how your networking is set up now. You mention 2 NICs and that you can dedicate one for your DMZ.

                  Configure the vSwitch, then assign the NIC that is dedicated for the public VMs and you will be done.
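The dedicated-vSwitch setup suggested in #6 and #9, written out as a PowerCLI script; this is an added example, not code from the thread, and the host name, NIC name (vmnic1), VM name and vSwitch/port group names are assumed placeholders.

```powershell
# Added example (not from the thread): give the DMZ-facing NIC its own vSwitch
# so the public VMs share no uplink with the internal port group. Host name,
# NIC, VM and vSwitch/port group names are assumed placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esxi-host.example' | Out-Null

$vmhost = Get-VMHost
$dmzNic = 'vmnic1'          # physical NIC cabled to the ASA DMZ switch port
$vsName = 'vSwitch-DMZ'
$pgName = 'DMZ-Public'

# 1. Dedicated vSwitch whose only uplink is the DMZ NIC.
$vs = New-VirtualSwitch -VMHost $vmhost -Name $vsName -Nic $dmzNic

# 2. Port group on that vSwitch for the public VPS VMs.
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $pgName

# 3. Move the public VM's vNIC onto the DMZ port group.
Get-VM -Name 'vps01' | Get-NetworkAdapter |
    Set-NetworkAdapter -Portgroup $pg -Confirm:$false | Out-Null

# Check: no physical NIC may sit on both the DMZ vSwitch and any other
# vSwitch; a shared uplink would bridge the public and internal segments.
$others = Get-VirtualSwitch -VMHost $vmhost | Where-Object { $_.Name -ne $vsName }
$shared = $others | ForEach-Object { $_.Nic } | Where-Object { $_ -in $vs.Nic }
if ($shared) { throw "Uplink $($shared -join ',') is shared with another vSwitch" }

# The host's single default gateway only serves its own vmkernel/management
# traffic. Each public VM sets its guest default gateway to the ASA DMZ
# interface address, so no static route on the ESXi host is involved.
Get-VirtualSwitch -VMHost $vmhost | Select-Object Name, Nic
```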