Monday, July 6, 2015

Using NAT between a vCenter Server and an ESXi host

I had the hassle of adding an ESXi host to a vCenter.

The ESXi host was behind a firewall; besides opening ports 902 and 903 TCP and UDP, and 403 TCP, I had to make a series of changes.

They are in the VMware KB:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010652

Details

Each time you add an ESXi/ESX host to vCenter Server, the IP address of vCenter Server is recorded on the ESXi/ESX host. If the host is behind a NAT and the vCenter Server is on a different network (and thus the address is not accessible due to the NAT), the host disconnects from vCenter Server after about a minute.

For example, the vCenter Server system might be on the main network (10.10.10.0), and a few of the ESXi/ESX hosts might be behind a firewall in the 192.168.5.x network. The hosts cannot reach the main network and thus become disconnected from vCenter Server.

Solution

Using NAT between the vCenter Server system and ESXi/ESX hosts is an unsupported configuration. For more information on network requirements, see the Network Prerequisites section under the Prerequisites for Installing vCenter Single Sign-On, Inventory Service, and vCenter Server section in the vSphere Installation and Setup guide.

Workaround

Note: This workaround is provided to aid customers in complex environments. It is an unsupported configuration. VMware will only provide best effort support for this configuration.

As a workaround, for each ESXi/ESX host you can specify a reachable address that the host can use to communicate back to vCenter Server. In this case, the reachable address is the NAT address, which you configure to redirect the communication back to vCenter Server.

To configure the IP address to use, you can use two settings named serverIP and preserveServerIp. With these settings, you can statically set an IP address, which the ESXi/ESX host will use to communicate back to the vCenter Server.

Note: For ESX 3.5 and VirtualCenter 2.5, Update 3 supports this solution. Install Update 3 before implementing this solution.

  1. Make sure the NAT device is configured to redirect UDP traffic on port 902 to the vCenter Server.
  2. Add the ESXi/ESX host to the vCenter Server inventory.

    Note: This causes the vCenter agent (vpxa) service to be installed on the host.
  3. Log into the ESXi/ESX host as root.
  4. Navigate to the /etc/opt/vmware/vpxa/ directory in the ESXi/ESX file system.

    Note: In ESXi 5.x, navigate to /etc/vmware/vpxa.
  5. Open the vpxa.cfg file in a text editor.
  6. In the file, change the serverIp setting and add the preserveServerIp setting. For the serverIp tag, enter the NAT IP address. For example:

    <config>
       <vpxa>
          ...
          <serverIp>NAT_IP_address</serverIp>
          <preserveServerIp>true</preserveServerIp>
       </vpxa>
       ...
    </config>

  7. Save the changes and close the file.
  8. Restart the vCenter agent service by running this command in the ESXi/ESX service console/SSH session:

    For ESX:

    # service vmware-vpxa restart

    For ESXi:

    # services.sh restart
  9. Reconnect the ESXi/ESX host.

Note: Consider this scenario: The ESXi/ESX host and the vCenter Server are behind different NATs, the main subnet is 10.10.10.0, the ESXi/ESX host is behind a firewall in the 192.168.5.x network, and the vCenter Server is behind a firewall in the 172.18.20.x network. If you have the underlying network configured so that the 172.x network knows where to direct traffic from the 192.x network, the configuration might work. However, the general use case for this article is not a double NAT.
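The edit described in steps 5 through 7, done programmatically, as an added example that is not part of the KB article or of this post's own commands. It assumes vpxa.cfg is plain XML rooted at <config><vpxa> (only the serverIp and preserveServerIp element names come from the KB snippet; the hostIp and log elements in the sample file are constructed), validates the address before touching the file, keeps a .bak copy, and is idempotent, so running it twice never produces a second preserveServerIp element. Restarting vpxa (step 8) is still done by hand afterwards.

```python
# Added example (not from the VMware KB or the blog author): rewrite the
# serverIp / preserveServerIp settings of a vpxa.cfg the way steps 5-7 describe
# doing by hand. The XML layout beyond <config><vpxa> is assumed; only the two
# element names come from the KB text.
import ipaddress
import shutil
import xml.etree.ElementTree as ET

# Constructed sample of a vpxa.cfg; the hostIp and log elements are made up.
SAMPLE_VPXA_CFG = """<config>
  <vpxa>
    <serverIp>10.10.10.5</serverIp>
    <hostIp>192.168.5.20</hostIp>
  </vpxa>
  <log>
    <level>verbose</level>
  </log>
</config>
"""


def read_server_settings(cfg_text):
    """Return (serverIp, preserveServerIp) as found in the config; None if absent."""
    vpxa = ET.fromstring(cfg_text).find("vpxa")
    if vpxa is None:
        raise ValueError("no <vpxa> section in vpxa.cfg")
    return vpxa.findtext("serverIp"), vpxa.findtext("preserveServerIp")


def set_server_ip(cfg_text, nat_ip):
    """Return (new_cfg_text, previous_serverIp).

    Sets <serverIp> to nat_ip and forces <preserveServerIp>true</preserveServerIp>
    so vpxa keeps the NAT address instead of the one vCenter hands it.
    Rejects anything that is not a syntactically valid IPv4 address.
    """
    ipaddress.IPv4Address(nat_ip)  # raises ValueError (AddressValueError) on garbage
    root = ET.fromstring(cfg_text)
    vpxa = root.find("vpxa")
    if root.tag != "config" or vpxa is None:
        raise ValueError("not a vpxa.cfg: expected <config><vpxa>...")
    server_ip = vpxa.find("serverIp")
    if server_ip is None:
        server_ip = ET.SubElement(vpxa, "serverIp")
    previous = server_ip.text
    server_ip.text = nat_ip
    preserve = vpxa.find("preserveServerIp")
    if preserve is None:  # reuse an existing element rather than adding a duplicate
        preserve = ET.SubElement(vpxa, "preserveServerIp")
    preserve.text = "true"
    if hasattr(ET, "indent"):  # Python 3.9+: keep the rewritten file human-readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode") + "\n", previous


def apply_to_file(path, nat_ip):
    """Back up path to path.bak, then rewrite it; returns the previous serverIp."""
    with open(path, "r", encoding="utf-8") as fh:
        new_text, previous = set_server_ip(fh.read(), nat_ip)
    shutil.copy2(path, path + ".bak")  # backup before the in-place rewrite
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return previous


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python vpxa_nat.py /etc/vmware/vpxa/vpxa.cfg 192.168.24.2
    # then restart the agent as the KB says (services.sh restart on ESXi).
    cfg_path, nat_ip = sys.argv[1], sys.argv[2]
    print("previous serverIp:", apply_to_file(cfg_path, nat_ip))
    with open(cfg_path, "r", encoding="utf-8") as fh:
        print("now (serverIp, preserveServerIp):", read_server_settings(fh.read()))
```

The validation step matters more than it looks: vpxa reads the file at start, so a typo in the address silently reproduces the same disconnect-after-a-minute symptom the KB describes, and the .bak copy is what you diff against when that happens.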


We set these IPs:

    <serverIp>192.168.24.2</serverIp>
    <preserveServerIp>true</preserveServerIp>

    services.sh restart
