When the remote peer is a security gateway behind a NAT, the remote data endpoint of the client is represented by the security gateway's public IP address. From the z/OS® server's perspective, multiple clients that are behind the security gateway are all identified by the IP address of their corresponding security gateway, not the client's private IP address. Consequently, if two clients behind the security gateway were to open a connection to the same service (FTP, for example) from the same ephemeral port (1024, for example), the two connections could not be uniquely identified.
Similarly, when the remote peer is a host behind a NAPT, the remote data endpoint of the host is represented by the public address assigned by the NAPT. Typically, multiple hosts that are behind the NAPT are all assigned the same public IP address, with port translation distinguishing the hosts. The port that is being translated by the NAPT is the port found in the UDP header of the IKE packet and the UDP-encapsulated ESP packet, not the connection port. Consequently, if two hosts behind the NAPT open a connection to the same service (FTP, for example) from the same ephemeral connection port (1024, for example), the two connections cannot be uniquely identified.
Traditionally, the combination of local and remote IP addresses and ports is enough to distinguish the connections; in these instances, because the connection requests appear to be coming from the same IP address, they look identical. To avoid such conflicts, Communications Server provides remote port translation for TCP and UDP connections when needed. Without remote port translation, the first inbound TCP connection request for a unique 5-tuple would succeed. However, a subsequent inbound connection request using the same 5-tuple would fail. Communications Server's remote port translation allows subsequent inbound connections using the same 5-tuple to succeed by translating the remote port value to a different ephemeral port.
Remote port translation does not need to be configured or enabled. It is built into Communications Server's NAT traversal support and is always in effect when the remote peer is behind a NAT. When a remote port is translated, message EZD0827I, remote port translated, is logged. Remote port translation determines whether the source port in an inbound packet represents a duplicate port. If it does, an attempt is made to assign an unused ephemeral port value. If the inbound packet matches a configured filter rule that covers all ports, any unused ephemeral port value can be assigned. If the configured filter rule applies only to a range of ports, the remote port is translated only to an unused ephemeral port in that range. If an unused port cannot be found, the connection request fails. When a remote port value is translated, there is both an original remote port and translated remote port for a connection. Various commands, such as Netstat, enable you to view connection information including the port, or even to select display data based on port. For connection data, if only one remote port is being provided, the translated port is displayed or used for a selection, if remote port translation has been done.
The ipsec -o display command provides a display of port mappings in effect. For a sample display of remote port translation, see Displaying remote port translation with the ipsec command.