Enterprise Extender considerations when traversing a NAT
The implementation of Enterprise Extender (EE) requires that the EE connection endpoints be defined by unique static VIPA addresses. NAT functions are limited in the EE environment as follows:
- The NAT mapping must be a one-to-one address mapping. NAPT is not supported.
- Dynamic mappings are generally unreliable for an EE connection. A static mapping of internal IP address to external IP address should be defined when an EE endpoint is behind a NAT.
- When IPSec protection is added for EE traffic that traverses a NAT, only one host behind a security gateway that is itself behind a NAT can send EE traffic. In most cases, EE hosts should not be located behind a security gateway that is behind a NAT. Instead, negotiate a host-to-host Security Association for each EE host.
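
The first two limits above can be checked mechanically against an exported NAT rule table. The following is an added example, not IBM code: the rule format (`internal`, `external`, `kind`, `port_translation`), the function name `audit_ee_nat`, and all addresses are assumptions constructed for illustration, and every listed VIPA is assumed to sit behind the NAT.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data in a hypothetical export format (not from the page).
SAMPLE_RULES = [
    {"internal": "10.1.1.10", "external": "192.0.2.10", "kind": "static", "port_translation": False},
    {"internal": "10.1.1.11", "external": "192.0.2.11", "kind": "dynamic", "port_translation": False},
    {"internal": "10.1.1.12", "external": "192.0.2.12", "kind": "static", "port_translation": True},
    {"internal": "10.1.1.50", "external": "192.0.2.12", "kind": "static", "port_translation": True},
]
EE_VIPAS = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"]  # EE endpoints behind the NAT


def audit_ee_nat(rules, ee_vipas):
    """Return {vipa: [findings]}; an empty list means the mapping meets the EE limits."""
    by_internal = defaultdict(list)   # internal address -> rules that translate it
    by_external = defaultdict(set)    # external address -> internal addresses using it
    for rule in rules:
        internal = str(ip_address(rule["internal"]))  # validates and normalises
        external = str(ip_address(rule["external"]))
        by_internal[internal].append((external, rule))
        by_external[external].add(internal)

    report = {}
    for vipa in ee_vipas:
        key = str(ip_address(vipa))
        findings = []
        matches = by_internal.get(key, [])
        if not matches:
            findings.append("no NAT mapping defined")
        if len({external for external, _ in matches}) > 1:
            findings.append("maps to more than one external address")
        for external, rule in matches:
            if rule["kind"] != "static":
                findings.append("dynamic mapping, define a static one")
            if rule["port_translation"]:
                findings.append("NAPT (port translation) is not supported")
            sharers = sorted(by_external[external] - {key})
            if sharers:
                findings.append("external address shared with " + ", ".join(sharers))
        report[key] = findings
    return report


if __name__ == "__main__":
    for vipa, findings in audit_ee_nat(SAMPLE_RULES, EE_VIPAS).items():
        print(vipa, "OK" if not findings else "; ".join(findings))
```

The IPSec limit in the last item depends on gateway topology rather than on the NAT table, so this check does not cover it.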