(Third re-write)
You can do pieces of this.
You can define two virtual switches on your ESXi system. Call one "internal" for the 10.x.x.x stuff and one "external" for the single 98.x.x.x address you have been assigned.
Connect one physical Ethernet port to the "external" vswitch.
Define a firewall VM with two ethernet devices. Attach one to the "external" vswitch, and assign the interface the 98.x.x.x IP you have been given. Attach the firewall VM's second ethernet device to the "internal" switch and give it an IP on the 10.x.x.x subnet. This will end up being the default router for all the other VMs on the box.
Each other VM you create should be added to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.
Add the ESXi management interface to the "internal" vswitch with a 10.x.x.x subnet, and use the firewall's 10.x.x.x IP as its default router.
Configure the firewall to NAT traffic from internal to external. This will permit the internal VMs to talk to the internet.
Now at this point, the internet cannot talk back to them (ie if you had a web server on the 10.x.x.x subnet) because the internet doesn't know anything about your 10.x.x.x subnet and so packets never make it to your internal VMs. Besides, you probably have the firewall configured to drop said packets even if they did make it to your system. So you cannot "route" to your VMs over the internet.
So you probably want to do one or both of the following:
- Set up one or more port forwards on the external interface of the firewall VM to pass inbound traffic back to a particular VM. So for example you'd port-forward port 80 on your firewall's external interface back to your webserver VM, and port-forward port 981 (maybe? might be something else, check your manual) back to the management interface on your ESXi server.
and/or
- Set up a VPN from wherever you are back to the firewall VM, and route traffic across that directly to the "internal" network.
For setup purposes, if you have two physical interfaces, you can add the second physical interface to the "internal" vswitch. This will mean if you do have physical access to the system, you can plug a laptop (via a crossover cable, probably) directly into the "internal" network and configure things directly. This will also give you emergency access should the firewall VM die for some reason.
What device is that actually presents your single public IP? if it's a router then you can either move the ESXi's management ports from 80/443/902/903 to something else or advertise your own service to a non port 80/443/902/903 block and let the router just NAT them. If it's your actual ESXi box that's running the IP then you're out of luck, its management interface will own the IP and won't allow guest traffic over it - although it will happily share a single NIC - that's how the router/NAT method works. You could always buy more public IPs of course.
Best Answer
ESXi 5.1 and vSphere are synonomous. They are the same thing. I prefer to call it vSphere since that's what VMware calls it.
Create a new vSwitch for the internal VM's. Do not bind this vSwitch to a physical NIC.
Connect the internal VM's to this internal vSwitch.
Add a new vNIC to each external VM and connect it to the "internal" vSwitch.
Configure the internal vNIC appropriately on each VM so that they're all on the same internal subnet (whatever RFC1918 address range you choose to use).
Now each external VM is multihomed and will have a connection to both the external and the internal network and should be able to communicate on the internet as well as to the internal VM's.
Of course, this is just one of the possible ways to do this.