Contact addresses, Location elements, and NAT

Contact Addresses represent the translated address of a component. Location elements group components together, so that there is no NAT between them.

The Contact Address represents the translated address of a component. Contact Addresses are defined for each Location element. The Location element is a way to group components together, in effect telling them that there is no NAT device between them.

The SMC components on each side of a NAT device are grouped into two separate Location elements (if necessary, more Location elements can be used). The Contact Address is defined in each element’s properties for the other Location. When contacting some other component in their own Location, the components always use the untranslated address. When contacting some component outside their own Location, the contacting component checks if the other component has a Contact Address defined for the contacting element’s Location. If it finds one, it uses the Contact Address. If there is no Location-specific Contact Address defined, the contacting component checks if the element has a Default Contact Address that components belonging to any other Location use for contacting the element. If the element does not have a Default Contact Address, the connection is attempted using the element’s untranslated address.

For example, when a Management Server contacts a firewall node through NAT, the Management Server uses the translated Contact Address instead of the firewall node’s real Control IP address. The NAT device in between translates the NAT address to the firewall’s real IP address as usual.
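The lookup order described above, written out as an added example (not SMC code and not part of the original documentation). The `Element` model, the `audit` helper, the element names, and all addresses are constructed for illustration; `audit` lists cross-Location pairs that end up on the untranslated address, which is the case to review when a NAT device sits between the two Locations.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Element:
    """Hypothetical model of an SMC element; not the product's own data model."""
    name: str
    location: str                       # Location element the component belongs to
    address: str                        # real (untranslated) address
    contact: Dict[str, str] = field(default_factory=dict)  # contacting Location -> Contact Address
    default_contact: Optional[str] = None                  # Default Contact Address

def resolve(source: Element, target: Element) -> Tuple[str, str]:
    """Return (address, rule) that source uses when it contacts target."""
    if source.location == target.location:
        return target.address, "same-location"          # no NAT between them
    if source.location in target.contact:
        return target.contact[source.location], "location-contact"
    if target.default_contact:
        return target.default_contact, "default-contact"
    return target.address, "untranslated-fallback"      # nothing defined

def audit(elements: List[Element]) -> List[Tuple[str, str, str]]:
    """List cross-Location pairs that end up on the untranslated address."""
    findings = []
    for src in elements:
        for dst in elements:
            if src is dst:
                continue
            addr, rule = resolve(src, dst)
            if rule == "untranslated-fallback":
                findings.append((src.name, dst.name, addr))
    return findings

# Constructed sample topology (names and addresses are illustrative only).
# fw1 and fw2 share one Location because they never contact each other.
mgmt = Element("mgmt", "Central", "10.0.0.5", contact={"Remote": "198.51.100.5"})
log = Element("log", "Central", "10.0.0.6", default_contact="198.51.100.6")
fw1 = Element("fw1", "Remote", "10.1.1.1", contact={"Central": "192.0.2.10"})
fw2 = Element("fw2", "Remote", "10.2.1.1")  # no Contact Address defined

if __name__ == "__main__":
    for src, dst in [(mgmt, log), (mgmt, fw1), (fw1, log), (mgmt, fw2)]:
        print(src.name, "->", dst.name, resolve(src, dst))
    print("fallbacks:", audit([mgmt, log, fw1, fw2]))
```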

We recommend dividing elements into different Locations based on NAT and the communications the components have, and not just based on actual physical sites. For example, you might have one central site and several remote sites, and the system communications take place only from each remote site to the central site (not between the remote sites). In this case, only two Locations are needed no matter how many of the firewalls use a translated address.

Note: If NAT is performed between a Log Server and a Management Client, you might need to select the correct Location for the Management Client as well.