NFM-P Network Address Translation
Network Address Translation deployment scenarios
NFM-P supports the use of Network Address Translation (NAT) between the following components:
The figure below illustrates a deployment of NFM-P where NAT is used between the NFM-P server and the managed network.
Figure 7-4: NFM-P server deployments with NAT between the server and the managed network
The following two figures illustrate deployments of NFM-P where NAT is used between the NFM-P server and the NFM-P clients (GUIs, XML API or client delegate servers). In Figure 7-5 (NFM-P server deployment using NAT with IP Address communication), NFM-P clients on the private side and public side of the NAT-Enabled Firewall must connect to the public IP address of the NFM-P server. A routing loopback from the NFM-P server private IP address to the NFM-P server public IP address must be configured in this scenario, because all NFM-P clients must communicate with the NFM-P server through the NFM-P server public IP address.
The NFM-P auxiliary must be able to connect to the public IP address of the NFM-P server.
Figure 7-5: NFM-P server deployment using NAT with IP Address communication
Figure 7-6: NFM-P server deployment using NAT with name resolution based communication
In Figure 7-6 (NFM-P server deployment using NAT with name resolution based communication), a name resolution service on the public side of the NAT-Enabled Firewall is configured to resolve the NFM-P server hostname to the public IP address of the NFM-P server. A name resolution service on the private side of the NAT-Enabled Firewall is configured to resolve the NFM-P server hostname to the private IP address of the NFM-P server. Clients on both sides of the NAT-Enabled Firewall are configured to communicate with the NFM-P server by hostname, and the NFM-P server hostname must be the same on both sides of the NAT-Enabled Firewall.
The figure below illustrates a deployment of NFM-P where NAT is used between the NFM-P complex, NFM-P clients, and the managed network.
Figure 7-7: NFM-P deployment with NAT
For installations using NAT between the NFM-P server and NFM-P client, a reverse DNS look-up mechanism must be used for the client, to allow proper startup.
NAT rules must be in place before NFM-P installation can occur, since the installation scripts will access other systems for configuration purposes.
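The name resolution arrangement of Figure 7-6 and the client reverse look-up requirement can be checked before installation. The script below is an added example, not part of the NFM-P product or its documentation. The hostname, the addresses and all function names are hypothetical, and it assumes that the reverse look-up requirement means the client address must have a resolvable reverse entry.

```python
import socket

# Hypothetical names and addresses, constructed for this example.
SERVER = "nfmp-server.example.com"
EXPECTED = {"private": "10.1.1.10", "public": "192.0.2.10"}

def system_forward(name):
    return socket.gethostbyname(name)       # forward look-up via the local resolver

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]      # reverse look-up via the local resolver

def table_lookup(table):
    """Build an offline resolver from a dict, used by the constructed sample."""
    def lookup(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return lookup

def check_side(side, client_ip, forward=system_forward, reverse=system_reverse):
    """List name-resolution problems as seen from one side of the NAT firewall."""
    problems = []
    try:
        resolved = forward(SERVER)
        if resolved != EXPECTED[side]:
            problems.append(f"{SERVER} resolves to {resolved}, "
                            f"expected {EXPECTED[side]} ({side} side)")
    except OSError as exc:
        problems.append(f"forward look-up of {SERVER} failed: {exc}")
    try:
        reverse(client_ip)
    except OSError as exc:
        problems.append(f"reverse look-up of client {client_ip} failed: {exc}")
    return problems

# Constructed sample: the private-side records are correct; the public side
# wrongly publishes the private address and has no reverse entry for the client.
SAMPLE = {
    "private": ("10.1.1.50", {SERVER: "10.1.1.10"}, {"10.1.1.50": "client1.example.com"}),
    "public": ("198.51.100.7", {SERVER: "10.1.1.10"}, {}),
}

def check_sample():
    return {side: check_side(side, ip, table_lookup(fwd), table_lookup(rev))
            for side, (ip, fwd, rev) in SAMPLE.items()}

if __name__ == "__main__":
    for side, problems in check_sample().items():
        print(side, "OK" if not problems else problems)
```

Run on a host on each side of the firewall, `check_side("private", client_ip)` or `check_side("public", client_ip)` uses that host's own resolver instead of the sample tables.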