Situations where contact addresses are needed

An example of a situation in which Contact Addresses are needed.

In this illustration, there are several remote firewalls that are managed through Management and Log Servers at a central site. NAT is typically applied at the following points:

The central site firewall or an external router can provide the SMC servers external IP addresses on the Internet. The external addresses must be defined as Contact Addresses so that the remote firewalls can contact the servers across the Internet.
The central firewall’s IP address can be translated by an external router. The external IP address must be defined as a Contact Address to allow VPN connections from the remote firewalls to the central site using that address.
NAT can also be applied at the remote sites (by external equipment) to translate the remote firewalls’ IP address. In this case, you must define Contact Addresses for the remote firewalls so that the Management Server can contact them. The communications between the remote firewalls and the Management Server can also be reversed, so that the remote firewalls open the connections to the Management Server and maintain the connections open while waiting for commands.

When Contact Addresses are needed, a single Location to group all remote sites might be enough. The SMC servers’ and the central firewall's definitions must include a Contact Address for the “Remote Firewalls” Location. However, if VPN communications between firewalls from different remote sites are allowed, it is necessary to create a Location for each remote firewall and to add further Contact Addresses for the firewalls.