Firewalls & NAT

From wiki.zmanda.com

Firewalls and AMANDA should be pretty easy to set up. Just pick user UDP and TCP port ranges, build AMANDA with them (--with-udpportrange and --with-tcpportrange) and let them through the firewall. You also need to let the well-known AMANDA ports through, just as you would ftp or telnet.

NAT has other issues. If the AMANDA client is "outside" NAT, there should not be a problem for backups. Sendbackup will set up the ports and tell dumper what they are. Then dumper will connect to them from "inside" and NAT should leave that alone, although it doesn't really matter since sendbackup does not care who connects to it (other than that it not be ftp port 20).
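The firewall side of the two paragraphs above, as an added example (not part of the original wiki page or of AMANDA itself): it converts the configure-style `low,high` ranges to iptables `low:high` syntax and prints client-side rules that accept the traffic only from the tape server, since sendbackup itself does not check who connects. The server address and both port ranges are constructed values, and the rules assume the server's requests leave from a port in the UDP range; 10080 is the registered amanda service port.

```shell
#!/bin/sh
# Added example: prints (does not apply) client-side iptables rules.
AMANDA_UDP_PORT=10080   # registered "amanda" service port

# Convert Amanda's configure syntax "low,high" to iptables "low:high".
# Returns non-zero on malformed or out-of-order ranges.
to_iptables_range() {
    case "$1" in
        *[!0-9,]*|,*|*,|*,*,*) return 1 ;;   # junk, empty side, extra comma
        *,*) ;;                               # exactly one comma: accept
        *) return 1 ;;                        # no comma at all
    esac
    low=${1%,*}
    high=${1#*,}
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] || return 1
    printf '%s:%s\n' "$low" "$high"
}

# Usage: amanda_client_rules SERVER_IP UDP_RANGE TCP_RANGE
# Ranges are given exactly as passed to --with-udpportrange / --with-tcpportrange.
amanda_client_rules() {
    server=$1
    udp=$(to_iptables_range "$2") || { echo "bad UDP range: $2" >&2; return 1; }
    tcp=$(to_iptables_range "$3") || { echo "bad TCP range: $3" >&2; return 1; }
    # Request from the tape server to the client's amandad
    # (assumption: the server sends from a port in the UDP range).
    echo "iptables -A INPUT -p udp -s $server --sport $udp --dport $AMANDA_UDP_PORT -j ACCEPT"
    # dumper connecting to the ports sendbackup opened in the TCP range.
    echo "iptables -A INPUT -p tcp -s $server --dport $tcp -j ACCEPT"
}

# Constructed sample values (192.0.2.10 is a documentation address).
amanda_client_rules 192.0.2.10 "850,854" "50000,50100"
```

Review the printed rules before loading them; they are meant to sit ahead of a default-drop policy on the client's INPUT chain.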

If the AMANDA tape server is outside, NAT will have to be told how to translate the incoming connections from dumper to the client. To do that, the UDP and TCP port ranges will have to be known and only one client can be inside.

The reverse is true for amrecover. If amrecover is run from inside NAT, there should not be a problem -- it's just like running ftp or telnet. But from the outside, NAT will have to know where the amindexd/amidxtaped services are and allow them through (much like ftp or telnet daemons). Since they are on known port numbers, the user TCP port range is not an issue.

A user TCP port range is probably not important in the case of dumper and taper talking to each other since only the one machine (localhost) is involved and so it does not go through a firewall. But I could be wrong, especially if NAT is involved.

iptables Reference