NAT-Enabled Networks
Network address translation (NAT) converts an IP address in one network to a different IP address in another network. NAT provides increased security for your JSA deployment because requests are managed through the conversion process and internal IP addresses are hidden. With NAT, the addresses of computers on a private, internal network are translated by a network device, typically a firewall, so that those computers can communicate with the public Internet through that device. Use NAT to map individual internal IP addresses to individual external IP addresses.
JSA NAT configuration requires static NAT translation and allows only one public IP address per managed host.
Any JSA host that is in a different NAT group from its peer is configured to use the public IP address of that peer to reach it. For example, when you configure a public IP address on the JSA console, any host that is in the same NAT group uses the private IP address of the JSA console to communicate. Any managed host that is in a different NAT group uses the public IP address of the JSA console to communicate.
If you have a host in one of these NAT group locations that does not require external conversion, enter the private IP address in both the Private IP and Public IP fields. Systems in remote locations with a different NAT group than the console still require an external IP address and NAT, because they need to be able to establish connections to the console. Only hosts that are located in the same NAT group as the console can use the same public and private IP addresses.
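As an added example (not JSA's own code), the following Python models the address-selection rule described above and flags the configurations this page says will not work. The host names, NAT group names and IP addresses are constructed for illustration.

```python
# Added example, not part of JSA: models which address one JSA host uses to
# reach another (same NAT group -> private IP, different group -> public IP)
# and checks the constraints stated in the documentation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Host:
    name: str
    private_ip: str
    nat_enabled: bool = False          # the "Network Address Translation" check box
    nat_group: Optional[str] = None    # None when NAT is disabled
    public_ip: Optional[str] = None    # only one public IP is allowed per host


def reach_address(src: Host, dst: Host) -> str:
    """Return the IP that src uses to reach dst.
    A host with NAT disabled is always reached on its private IP."""
    if not dst.nat_enabled:
        return dst.private_ip
    if src.nat_enabled and src.nat_group == dst.nat_group:
        return dst.private_ip            # same NAT group: private address
    return dst.public_ip                 # different NAT group: public address


def check_config(console: Host, hosts: List[Host]) -> List[str]:
    """Constructed sanity checks derived from the documented constraints."""
    problems = []
    for h in hosts:
        if not h.nat_enabled:
            if console.nat_enabled:
                # non-NAT hosts may lose contact with a NAT-enabled console
                problems.append(f"{h.name}: NAT disabled while the console uses NAT")
            continue
        if not h.public_ip:
            problems.append(f"{h.name}: NAT enabled but no Public IP set")
        elif h.nat_group != console.nat_group and h.public_ip == h.private_ip:
            # a remote NAT group still needs a real external address
            problems.append(f"{h.name}: different NAT group than the console "
                            "but Public IP equals Private IP")
    return problems


# Constructed sample deployment (RFC 5737 documentation addresses).
CONSOLE = Host("console", "10.0.0.10", True, "dc-a", "203.0.113.10")
LOCAL_EP = Host("ep-local", "10.0.0.20", True, "dc-a", "10.0.0.20")      # no conversion needed
REMOTE_EP = Host("ep-remote", "192.168.5.20", True, "branch-b", "198.51.100.20")
BAD_REMOTE = Host("ep-bad", "192.168.7.20", True, "branch-c", "192.168.7.20")
PLAIN_EP = Host("ep-plain", "10.0.0.30")
```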
Configuring a NAT Group
Configure a Network Address Translation (NAT) group to limit the number of public IP addresses that are required for your JSA managed hosts to communicate with the Internet.
Ensure that the NAT-enabled network is using static NAT translation.
It is important to complete the NAT configuration for each managed host in your deployment before you deploy the changes. After deployment, managed hosts that aren't NAT-enabled might not be able to communicate with the JSA Console.
JSA can support multiple NAT networks when the public IP address for the JSA Console is the same in each network.
To configure a NAT group:
On the navigation menu, click Admin.
In the System Configuration section, click System and License Management.
In the Display list, select Systems.
To configure a NAT group for the JSA Console, follow these steps:
Select the JSA Console appliance in the host table.
On the Deployment Actions menu, click Edit Host.
Select the Network Address Translation check box.
In the NAT Group list, select the NAT group that the console belongs to, or click the settings icon to create a new NAT group.
In the Public IP field, type the public IP address for the console, and then click Save.
Configure each managed host in the same network to use the same NAT group as the JSA Console.
Select the managed host appliance in the host table.
On the Deployment Actions menu, click Edit Host.
Select the Network Address Translation check box.
In the NAT Group list, select the NAT group that the JSA Console belongs to.
In the Public IP field, type the public IP address for the managed host.
Note: Unless an event collector is connecting to a managed host that uses NAT, configure the managed host so that its public IP address is the same as its private IP address.
Click Save.
On the Admin tab menu, click Advanced > Deploy Full Configuration.
JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
To fix communication issues between the JSA Console and hosts that are not NAT-enabled after deployment, edit the iptables rules for the managed host to configure the local firewall to allow the JSA Console to access the managed host.
Changing the NAT Status for a Managed Host
Configure a managed host to use network address translation (NAT) to ensure that it can communicate with the JSA Console and other managed hosts in the same network.
Ensure that the NAT-enabled network is using static NAT translation.
The JSA Console and all managed hosts in the same network must be members of the same NAT group.
To change the NAT status for a managed host, make sure that you update the managed host configuration within JSA before you update the device. Updating the configuration first prevents the host from becoming unreachable, and ensures that you can continue to deploy changes to that host.
To change the NAT status for a managed host:
On the navigation menu, click Admin.
In the System Configuration section, click System and License Management.
In the Display list, select Systems.
Select the host in the host table, and on the Deployment Actions menu, click Edit Host.
To disable NAT, clear the Network Address Translation check box.
To enable NAT, follow these steps:
Select the Network Address Translation check box.
From the NAT Group list, select the group that the managed host belongs to.
In the Public IP field, type the public IP address that the managed host uses to communicate with other hosts in a different NAT group.
Click Save.
On the Admin tab menu, click Advanced > Deploy Full Configuration.
JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
If you enabled NAT, you might have to update the firewall configuration for the managed host that you want to communicate with.