Host-to-host scenario 2 — z/OS-to-non-z/OS

Figure 1 shows a NAT in front of the z/OS® host and the non-z/OS host. A configuration with a NAT in front of only one of the hosts is supported as well. If there is a NAT device in front of the responder, the NAT's address mapping must be static. If there is a NAT device in front of the initiator, the NAT's address mapping can be static or dynamic. A dynamic mapping can use either one-to-one address translation or many-to-one address port translation (NAPT).

Figure 1. z/OS host to non-z/OS host, double NAT
Shows a NAT in front of the z/OS host and a NAT in front of the non-z/OS host.

Either UDP-encapsulated transport mode or UDP-encapsulated tunnel mode can be negotiated in a z/OS host-to-non-z/OS host configuration.

Rule: The z/OS host is limited to acting in responder mode when the remote endpoint is behind a NAPT. The negotiation of the phase 1 and phase 2 Security Associations must be initiated by the client behind the NAPT. Data must be initiated by the client behind the NAPT.
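The constraints above can be checked against a planned topology before any policy is written. The following is an added example, not IBM code or part of the z/OS product; the `Nat`, `Plan` and `check_plan` names and the sample plans are hypothetical and constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Nat(Enum):
    NONE = "no NAT"
    STATIC = "static"
    DYNAMIC_1TO1 = "dynamic one-to-one"
    NAPT = "dynamic many-to-one (NAPT)"

@dataclass(frozen=True)
class Plan:
    zos_nat: Nat         # NAT in front of the z/OS host
    remote_nat: Nat      # NAT in front of the non-z/OS host
    ike_initiator: str   # "zos" or "remote": side that starts phase 1 and phase 2
    data_initiator: str  # "zos" or "remote": side that sends the first data packet
    encap_mode: str      # "transport" or "tunnel" (both UDP-encapsulated)

def check_plan(p: Plan) -> list[str]:
    """Return the rules from this page that the planned topology violates."""
    problems = []
    # The responder is whichever side does not start the negotiation.
    responder_nat = p.zos_nat if p.ike_initiator == "remote" else p.remote_nat
    if responder_nat in (Nat.DYNAMIC_1TO1, Nat.NAPT):
        problems.append("NAT in front of the responder must be static")
    # Remote endpoint behind a NAPT: z/OS is limited to responder mode.
    if p.remote_nat is Nat.NAPT:
        if p.ike_initiator != "remote":
            problems.append("client behind the NAPT must initiate phase 1 and phase 2")
        if p.data_initiator != "remote":
            problems.append("client behind the NAPT must initiate data")
    if p.encap_mode not in ("transport", "tunnel"):
        problems.append("mode must be UDP-encapsulated transport or tunnel")
    return problems

if __name__ == "__main__":
    # Constructed sample plans, not taken from a real deployment.
    samples = {
        "double static NAT, z/OS initiates": Plan(Nat.STATIC, Nat.STATIC, "zos", "zos", "tunnel"),
        "remote behind NAPT, remote initiates": Plan(Nat.STATIC, Nat.NAPT, "remote", "remote", "transport"),
        "remote behind NAPT, z/OS initiates": Plan(Nat.STATIC, Nat.NAPT, "zos", "zos", "transport"),
    }
    for name, plan in samples.items():
        print(name, "->", check_plan(plan) or "OK")
```
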