From: Albuquerque NM USA
ISA Server 2004 does not do 1:1 NAT, but rather offers "server publishing." This is a process whereby you make services on one network available to another network, subject to ISA Server's access policy.
That said, what precisely do you need to accomplish?
We are an ISP and we give each of our customers a static IP in the 10.x.x.x range, and all the traffic runs through one of our real IP's. (Masq/NAT whatever.)
So far all of our customers have been residential and not needed to run servers.
However, a new customer is a business, who wants to run servers of all sorts, and wants 32 real IP's.
(In this case, we're using fiber optic to deliver connectivity to the customer.)
Thus, precisely what we want to do is route a block of real IP's through our ISA2004 firewall, to the LAN side, so that the IP addresses of the network cards at the customer's premises will actually be real routable IP's -- thus they would have no trouble running any servers, and their servers would know the IP's of said server's clients.
If that's not doable, then next best would be for us to be able to give our customer a block of 32 IP's in the 10.x.x.x range, and directly map them to 32 real IP's, so any traffic coming in on any of the real IP's would be forwarded on to its respective 10.x.x.x IP.
From: Albuquerque NM USA
If I understand your question, you're wanting to do 1:1 NAT, which is not available with ISA Server. ISA Server does N:1 NAT (Cisco and others call it PAT or NAPT). ISA Server does offer server publishing, which lets hosts from one Network (Network with a capital N, e.g. a Network object in the ISA Server) access hosts on another Network, subject to the ISA Server's access policy.
Yes, you understand my question. It was 1:1 NAT I wanted to do, or better yet, I wanted to relay packets from the Internet (External) directly to the LAN (Internal) without modification, provided they were "to" a specific range of real IPs. (That way, some computers on the LAN side could have REAL IP's assigned to them, and act as full servers.)
However, since we can do neither, we're just publishing each 10.x private IP onto each real static IP, as need be.
Thanks very much!
PS: I have noticed in ISA2004, in the configuration->Networks->Network rules section, you can set network rules to be "NAT" or "Routing" and it explains that Routing doesn't translate the addresses. I don't know what that feature is good for, though.