Host-to-security gateway scenario

Figure 1 shows both the security gateway and the host behind a NAT. z/OS® also supports acting in responder mode when only one endpoint (either the security gateway or the z/OS host) is behind a NAT. When there is a NAT device in front of the z/OS host (acting as responder), the address mapping of the NAT must be static. If there is a NAT device in front of the security gateway, the address mapping of the NAT can be static or dynamic. A dynamic mapping can use either one-to-one address translation or many-to-one address port translation (NAPT).

Figure 1. z/OS in a host-to-security gateway configuration

Shows a z/OS host behind a NAT, and a security gateway behind a NAT.

Rule: The z/OS host is limited to acting in responder mode in a host-to-security gateway configuration when a NAT is traversed. The phase 2 Security Association negotiation must be initiated by the security gateway. Data must be initiated by the client behind the security gateway.

Figure 1 shows the clients and the security gateway as separate devices. However, whenever a Security Association is negotiated to protect something other than a single IP address (for example, a range of IP addresses), that IKE daemon negotiating the Security Association is acting as a security gateway.

When the security gateway is behind a NAT, the individual hosts behind the NAT cannot be distinguished. If only one NAT address is available, all Security Associations negotiated between the security gateway (GW) and z/OS are negotiated using the NAT address, and have the same security characteristics. If multiple security characteristics are required to protect the traffic behind the security gateway, more NAT addresses are needed so that z/OS can locate different policies based on the NAT address.