Host-to-security gateway scenario
Figure 1 shows both the security gateway and the host behind a NAT. z/OS® also supports acting in responder mode when only one endpoint (either the security gateway or the z/OS host) is behind a NAT. When there is a NAT device in front of the z/OS host (acting as responder), the address mapping of the NAT must be static. If there is a NAT device in front of the security gateway, the address mapping of the NAT can be static or dynamic. A dynamic mapping can use either one-to-one address translation or many-to-one address port translation (NAPT).
Figure 1 shows the clients and the security gateway as separate devices. However, whenever a Security Association is negotiated to protect something other than a single IP address (for example, a range of IP addresses), that IKE daemon negotiating the Security Association is acting as a security gateway.
When the security gateway is behind a NAT, the individual hosts behind the NAT cannot be distinguished. If only one NAT address is available, all Security Associations negotiated between the security gateway (GW) and z/OS are negotiated using the NAT address, and have the same security characteristics. If multiple security characteristics are required to protect the traffic behind the security gateway, more NAT addresses are needed so that z/OS can locate different policies based on the NAT address.