The main problem with Zephyr through a NAT is that the local address of the client is encoded in many of the outgoing packets. This wouldn't be so bad in straight Zephyr, as the NAT could rewrite packets, but in Kerberized (V4) Zephyr the local IP is also integrity protected.
The solution is to insert a stub library with LD_PRELOAD that intercepts calls to getsockname(2), which is the syscall used by both krb524init and libzephyr to determine the local address. This approach gets the internal IP substituted before it gets integrity protected by Kerberos.
Source code for the library is available here. It was inspired by tibind.c by nathan at 0x00 dot org and is in the public domain. You must run both krb524init and your zephyr client with this library in place. zhm does not need munging.
Use like so:
gcc -fPIC -shared -o munge_getsockname.so munge_getsockname.c -ldl kinit -A env LD_PRELOAD=./munge_getsockname.so FROMIP=10.1.2.3 TOIP=126.96.36.199 krb524init env LD_PRELOAD=./munge_getsockname.so FROMIP=10.1.2.3 TOIP=188.8.131.52 owl
Another problem with Zephyr is that your client may have only talked to a subset of the zephyr servers when any zephyr server sends a UDP packet to the client. This fails because the NAT box does not have an association between the client and the hitherto unknown zephyr server.
The easiest solution is to hardcode the NAT to forward all packets from the zephyr servers in question to the client. Of course, this will be different depending on the NAT in question, but here is an example from a Linux iptables NAT:
iptables -t nat -A PREROUTING -p udp -i eth0 -d 184.108.40.206 -s 220.127.116.11 -j DNAT --to 10.1.2.3 iptables -t nat -A PREROUTING -p udp -i eth0 -d 18.104.22.168 -s 22.214.171.124 -j DNAT --to 10.1.2.3 iptables -t nat -A PREROUTING -p udp -i eth0 -d 126.96.36.199 -s 188.8.131.52 -j DNAT --to 10.1.2.3
This has the obvious disadvantage of only allowing one client behind the NAT to use zephyr. In theory, it wouldn't be hard to write a Linux ip_nat module for zephyr that would allow multiple clients and would not require hardcoding the addresses of zephyr servers. However, to my knowledge no one has done so, and I'm not going to do it.