NFM-P Network Address Translation

Network Address Translation deployment scenarios

NFM-P supports the use of Network Address Translation (NAT) between the following components:

The figure below illustrates a deployment of NFM-P where NAT is used between the NFM-P server and the managed network.

Figure 7-4: NFM-P server deployments with NAT between the server and the managed network

The following two figures illustrate a deployment of NFM-P where NAT is used between the NFM-P server and the NFM-P clients (GUIs, XML API or client delegate servers). In Figure 7-5, NFM-P server deployment using NAT with IP Address communication, NFM-P clients on the private side and public side of the NAT-Enabled Firewall must connect to the public IP address of the NFM-P server. A routing loopback from the NFM-P server private IP address to the NFM-P server public IP address must be configured in this scenario, because all NFM-P clients must communicate with the NFM-P server through the NFM-P server public IP address.

The NFM-P auxiliary must be able to connect to the public IP address of the NFM-P server.

Figure 7-5: NFM-P server deployment using NAT with IP Address communication

Figure 7-6: NFM-P server deployment using NAT with name resolution based communication

In Figure 7-6, NFM-P server deployment using NAT with name resolution based communication, a name resolution service on the public side of the NAT-Enabled Firewall is configured to resolve the NFM-P server hostname to the public IP address of the NFM-P server. A name resolution service on the private side of the NAT-Enabled Firewall is configured to resolve the NFM-P server hostname to the private IP address of the NFM-P server. Clients on both sides of the NAT-Enabled Firewall are configured to communicate with the NFM-P server by hostname; the NFM-P server hostname must be the same on both sides of the NAT-Enabled Firewall.

The figure below illustrates a deployment of NFM-P where NAT is used between the NFM-P complex, NFM-P clients, and the managed network.

Figure 7-7: NFM-P deployment with NAT

For installations using NAT between the NFM-P server and NFM-P client, a reverse DNS look-up mechanism must be used for the client, to allow proper startup.

NAT rules must be in place before NFM-P installation can occur, since the installation scripts will access other systems for configuration purposes.
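
A pre-installation check for the name-resolution scenario in Figure 7-6 and for the client reverse look-up requirement, as an added example that is not part of the NFM-P documentation or tooling. The function names, the script name, and the hostnames and addresses passed in are assumptions for illustration; confirming that the reverse name resolves forward again is an extra check added here, not a stated NFM-P requirement.

```shell
#!/bin/sh
# Added example (not NFM-P tooling). Run from one host on each side of the
# NAT-enabled firewall before installation. Names/addresses are site-specific.

# First address the system resolver (files, DNS, ...) returns for a hostname.
resolve_host() {
    getent hosts "$1" | awk 'NR==1 {print $1}'
}

# First name the system resolver returns for an address (reverse look-up).
reverse_lookup() {
    getent hosts "$1" | awk 'NR==1 {print $2}'
}

# check_server_name HOSTNAME EXPECTED_IP
# EXPECTED_IP is the server's public IP on the public side and its private
# IP on the private side; HOSTNAME is identical on both sides.
check_server_name() {
    got=$(resolve_host "$1")
    if [ -z "$got" ]; then
        echo "FAIL: $1 does not resolve"; return 2
    fi
    if [ "$got" != "$2" ]; then
        echo "FAIL: $1 resolves to $got, expected $2"; return 1
    fi
    echo "OK: $1 -> $got"
}

# check_client_reverse CLIENT_IP
# Requires a reverse entry for the client address. Assumption added here:
# the returned name must also resolve forward to the same address.
check_client_reverse() {
    name=$(reverse_lookup "$1")
    if [ -z "$name" ]; then
        echo "FAIL: no reverse entry for $1"; return 2
    fi
    back=$(resolve_host "$name")
    if [ "$back" != "$1" ]; then
        echo "FAIL: $1 -> $name -> ${back:-nothing}"; return 1
    fi
    echo "OK: $1 <-> $name"
}

# Script usage: nat-dns-check.sh SERVER_HOSTNAME EXPECTED_IP CLIENT_IP
if [ "$#" -eq 3 ]; then
    check_server_name "$1" "$2" && check_client_reverse "$3"
fi
```

A result that differs from the expected address on either side usually means the host is querying the other side's name resolution service or a stale hosts-file entry.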