We currently have some services which we use and that are managed by a partner.
Internally we connect to the services using their private space address as the traffic is routed via a VPN gateway.
As we want to access the services via our SSL VPN solution we need to NAT the private space address to public space addresses so they are routable.
I've managed to achieve this on my Linux box: I added a public space IP address to the NIC and with an iptables rule I DNAT it to the private space address.
I now tried to do the same on my ISA 2004 box: I added a public space address to the internal NIC and I created a server publishing rule to forward the POP3 traffic to the private IP. I've set the listener to listen on the internal interface.
Unfortunately this doesn't work. Can anyone help?
Server Publishing Rules are only possible when the Source NATs to the Destination. In a typical environment, the Internal network NATs to the External.
What you're trying to do is the reverse of this scenario - you want some External Host to NAT to the Internal network - essentially, establish a Listener on the Internal network adapter of ISA.
It's feasible that you could create a "Computer" object for the remote host and then create a Network Rule that states "Computer NATs to Internal". You could then create a Server Publishing rule that listens on ISAs Internal network object for the specific protocol and translates this to the remote system. I've never done it, but can't think of a reason why it won't work.
This Network Rule I mentioned above isn't too much of a security risk as access is governed by 3 things.
1. A Network exists for the Source and Destination
2. A Network Rule exists for the Source and Destination
3. An Access Policy exists for the Source and Destination.
For External systems attempting to connect to your internal network through the NAT relationship I mentioned, you are only creating the first 2 of these 3 requirements.
Note: You'll need to remove the public address from the ISA Server's internal network adapter.
That's what I tried; the private destination address is part of the internal network. A proper static route has been added. The destination server is reachable from the other ISA box (after allowing localhost to internal).
A network rule is set up to NAT from internal to the destination. A publishing rule is set up to listen on port 22 and the assigned IP on the internal network.
The moment I change the listener to external it works straight away from the internet (not desired).
Thanks for your help, you pointed me in the right direction.
Here are the steps that I took to get a working setup:
0. Set up the proper static routes to the private hosts and confirm the hosts are reachable from the ISA server.
1. Create a new network called NAT Hosts and add the public space IP addresses to this network. Ensure they have been removed from the internal network, otherwise you will get an error when trying to add them.
2. Create computer objects for the private space hosts.
3. Create a new network rule with the following specifications: NAT, source networks: the computer objects, destination networks: NAT Hosts.
4. Create a new server publishing rule: add the private server IP, select the protocol, select both Internal and NAT Hosts as the listeners. On the NAT listener select the IP assigned to the server rule. Finish and Apply.
The thing that was causing me headaches was the fact that the internal network also had to be entered as a listener next to the created NAT network. If the Internal interface wasn't entered as a listener the traffic would be dropped as internal-to-localhost traffic.
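For comparison, the Linux iptables setup mentioned in the opening question, written out as an added example that is not part of this thread: a public space address bound to the NIC, DNAT to the private host, and (the behaviour the ISA listener was meant to give) the translation only accepted from the SSL VPN client pool rather than from the whole internet. The addresses, interface name and VPN pool are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): Linux-side equivalent of the ISA setup.
# All addresses are constructed placeholders from the RFC 5737 test ranges.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # public space address added to the NIC
PRIVATE_IP="${PRIVATE_IP:-10.20.30.40}"  # partner-managed host behind the VPN gateway
VPN_POOL="${VPN_POOL:-192.0.2.0/24}"     # SSL VPN client address pool (assumed)
IFACE="${IFACE:-eth0}"                   # internal interface (assumed)
PORT="${PORT:-110}"                      # POP3, as in the question

# In dry-run mode print the commands instead of executing them.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

dnat_rules() {
  # 1. bind the public space address to the internal interface
  run ip addr add "$PUBLIC_IP/32" dev "$IFACE"
  # 2. rewrite the destination, but only for packets arriving from the VPN pool;
  #    anything else addressed to the public IP is not translated
  run iptables -t nat -A PREROUTING -s "$VPN_POOL" -d "$PUBLIC_IP" \
    -p tcp --dport "$PORT" -j DNAT --to-destination "$PRIVATE_IP:$PORT"
  # 3. let the translated flow and its replies through the FORWARD chain
  run iptables -A FORWARD -s "$VPN_POOL" -d "$PRIVATE_IP" -p tcp --dport "$PORT" \
    -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$PRIVATE_IP" -p tcp --sport "$PORT" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 4. source-NAT towards the private host so its replies come back through
  #    this box (the private side only knows the VPN gateway route)
  run iptables -t nat -A POSTROUTING -d "$PRIVATE_IP" -p tcp --dport "$PORT" -j MASQUERADE
}

# Usage: "DRY_RUN=1 sh nat.sh apply" to preview, "sh nat.sh apply" as root to apply.
if [ "${1:-}" = "apply" ]; then dnat_rules; fi
```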