Greetings

I have an ESXi host that sits behind an ASA. For several servers on this host, I wish to expose them to the outside via NAT with a public pool of IP addresses and control access via ACL. The ESXi host is attached to a 3850 stack that's using L3 services, and the ASA is connected to the aforementioned 3850 stack. The following image illustrates the base topology, and outlines connections and VLANs where applicable:

The ASA has 1:1 Static NAT for select hosts on the ESXi server (it's undesirable in this design to perform dynamic subnet NAT for a few reasons) and accompanying ACLs (excerpts of these can be posted if necessary). The design works as intended, however, there seems to be a flaw - perhaps - that I've overlooked, hence my problem.

The NAT only works if the servers in question have their gateway assigned to 172.16.102.1, which is the inside interface on the ASA for the servers. If the gateway is set to 172.16.102.3 - the interface on the 3850 stack - the NAT fails. This is in spite of the fact that VLAN tagging is correct, and that from the ASA on the outside and inside interfaces, I can access the servers on the 401 VLAN. My thought is that I've either grossly misunderstood something about gateway IP addresses, as embarrassing as that sounds, or there's something else afoot that I haven't considered. I should also add too that there's a reason for the servers to not want to have their gateway be the ASA, and that's because there's a handful of traffic types that the ASA shouldn't see that the servers should. The objective here would be to have the servers retain the 172.16.102.3 gateway and still have NAT performed for external access. I'm willing to accept, however, that this is a rather untenable solution and would have to think of another way to approach this.

Any advice here would be greatly appreciated.