The implementation of Enterprise Extender (EE) requires that the
EE connection endpoints be defined by unique static VIPA addresses.
NAT functions are limited in the EE environment as follows:
- The NAT mapping must be a one-to-one address mapping. NAPT is
not supported.
- Dynamic mappings are generally unreliable for an EE connection.
A static mapping of internal IP address to external IP address should
be defined when an EE endpoint is behind a NAT.
- When IPSec protection is added for EE traffic that traverses a
NAT, only one host that is behind a security gateway that is behind
a NAT will be able to send EE traffic. In most cases, EE hosts should
not be located behind a security gateway that is behind a NAT. Instead,
a host-to-host Security Association should be negotiated for each
EE host.
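
The first two restrictions above (one-to-one mapping with no NAPT, and static rather than dynamic mappings) can be checked mechanically against a NAT rule export. This is an added example, not code from the original page or from the product it describes; the rule schema (`inside`, `outside`, `type`, `port_translation`), the addresses and the name `audit_ee_nat` are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in a hypothetical vendor-neutral schema (not a real device export).
SAMPLE_RULES = [
    {"inside": "10.1.1.10", "outside": "203.0.113.10", "type": "static", "port_translation": False},
    {"inside": "10.1.1.11", "outside": "203.0.113.11", "type": "dynamic", "port_translation": False},
    {"inside": "10.1.1.12", "outside": "203.0.113.12", "type": "static", "port_translation": True},
    {"inside": "10.1.1.13", "outside": "203.0.113.10", "type": "static", "port_translation": False},
    {"inside": "10.1.1.15", "outside": "203.0.113.15", "type": "static", "port_translation": False},
]
# Constructed list of EE static VIPAs that sit behind the NAT.
EE_VIPAS_BEHIND_NAT = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14", "10.1.1.15"]


def audit_ee_nat(rules, ee_vipas):
    """Return {vipa: [findings]} for EE endpoints whose NAT mapping breaks the constraints."""
    by_inside = defaultdict(list)   # internal address -> rules that translate it
    by_outside = defaultdict(set)   # external address -> internal addresses sharing it
    for rule in rules:
        inside, outside = ip_address(rule["inside"]), ip_address(rule["outside"])
        by_inside[inside].append(rule)
        by_outside[outside].add(inside)

    findings = {}
    for vipa in ee_vipas:
        matches = by_inside.get(ip_address(vipa), [])
        problems = []
        if not matches:
            problems.append("no static mapping defined")
        if len({ip_address(r["outside"]) for r in matches}) > 1:
            problems.append("maps to more than one external address")
        for rule in matches:
            if rule["type"] != "static":
                problems.append("dynamic mapping")
            if rule["port_translation"]:
                problems.append("NAPT (port translation)")
            if len(by_outside[ip_address(rule["outside"])]) > 1:
                problems.append("external address shared with another internal host")
        if problems:
            findings[vipa] = problems
    return findings


if __name__ == "__main__":
    for vipa, problems in audit_ee_nat(SAMPLE_RULES, EE_VIPAS_BEHIND_NAT).items():
        print(vipa, "->", "; ".join(problems))
```

Only the endpoint mapped to its own external address by a static rule without port translation passes; every other sample endpoint is reported with the restriction it violates.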