We have a Site-to-Site VPN from ISA 2004 to CP NG configured as follows:
ISA 2004 - based upon the Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways Documentation
Remote Site VPN using IPSec Tunnel
Remote Site GW: 188.8.131.52
ISA Local External: 184.108.40.206
Remote Address Range: 220.127.116.11 - 18.104.22.168
DMZ Network: 172.16.0.0 - 172.16.255.255
Rules to allow traffic in both directions:
DMZ -> Remote / All Traffic / All Users
Remote -> DMZ / All Traffic / All Users
Our problem is that when we try to FTP from a host at 172.16.0.188 (DMZ) to 22.214.171.124 (Remote), we get a notification in the event viewer that the tunnel has been established, but we get no response from the 126.96.36.199 FTP server.
The partner needs to see that the request is coming from 188.8.131.52 and not 172.16.0.188 as it shows in the logs.
How does one create a NAT in ISA 2004 so that the traffic from 172.16.0.188 appears to be coming from 184.108.40.206?
ISA doesn't have this IP address (220.127.116.11) assigned from the description you provided - it is an IP in the remote subnet. ISA can't NAT from this IP address if it's not assigned - that would be a spoofed packet.
Thank you for that information. My next question: the "Business Partner" has told us that the IP range assigned to us for devices they will accept connections from is 18.104.22.168/30. Therefore we chose the first address, 22.214.171.124, and need to NAT that to our DMZ address 172.16.0.188 for the FTP server.
The Site-to-Site VPN configuration has this network block assigned to it 126.96.36.199/16 "Partners internal range including our block they gave us" as well as their gateway 188.8.131.52.
They inform us that they have hundreds of partners doing it this way, so it should be simple; however, we just can't seem to get it to work.
I guess ultimately we need to know how we make an FTP server behind ISA 2004 in a DMZ allow connections from their address block. Also, we need to be able to FTP back to them to an address of an FTP server (184.108.40.206).
Thanks. If you need a drawing of this configuration, please give me your email address and I will send one.
Actually the 220.127.116.11 address is for the FTP server protected by ISA 2004.
I believe that I have this working now; however, I had to create a completely separate network in ISA 2004, bind 18.104.22.168 to the DMZ card on the FTP server and 22.214.171.124 on the ISA 2004 DMZ, and set up multiple persistent routes on the FTP server for the hosts at the partner end, using ISA as the gateway.
In fact, other than the Site-to-Site VPN IPSec Tunnel in ISA 2004, this turned out to be totally a "Routing" configuration within ISA and on the FTP Server itself.
Thanks again for your questions as they had me re-think the problem.
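The FTP-server side of the final configuration described above (a second, partner-facing address bound to the DMZ NIC, plus persistent routes that send partner traffic to ISA) expressed as the commands it is typed as on a Windows Server 2003-era host. This is an added example, not commands posted in the thread; every address, mask and the interface name is a placeholder (RFC 5737 documentation ranges), not the thread's values, and the ISA-side network and rule configuration is done in the ISA management console and is not covered here.

```batch
@echo off
rem Added example, not from the thread. Placeholder values only; replace with
rem the real interface name, the /30 the partner assigned, ISA's DMZ address
rem and the partner ranges reachable through the site-to-site tunnel.

rem Name of the FTP server's DMZ network connection (placeholder)
set DMZ_IF=Local Area Connection

rem First usable address of the partner-assigned /30 (placeholder)
set PARTNER_FACING_IP=192.0.2.1
set PARTNER_FACING_MASK=255.255.255.252

rem ISA's DMZ-side address, i.e. the gateway for partner traffic (placeholder)
set ISA_DMZ_IP=172.16.0.1

rem Partner internal ranges that live on the far side of the tunnel (placeholder);
rem one "route -p add" per range keeps the routes across reboots.
set PARTNER_NET1=198.51.100.0
set PARTNER_MASK1=255.255.255.0
set PARTNER_NET2=203.0.113.0
set PARTNER_MASK2=255.255.255.0

echo Binding partner-facing address %PARTNER_FACING_IP% to "%DMZ_IF%"
netsh interface ip add address "%DMZ_IF%" %PARTNER_FACING_IP% %PARTNER_FACING_MASK%
if errorlevel 1 (
    echo Failed to add the partner-facing address; check the interface name with "netsh interface ip show config".
    exit /b 1
)

echo Adding persistent routes for partner ranges via ISA %ISA_DMZ_IP%
route -p add %PARTNER_NET1% mask %PARTNER_MASK1% %ISA_DMZ_IP%
if errorlevel 1 (
    echo Failed to add route for %PARTNER_NET1%
    exit /b 1
)
route -p add %PARTNER_NET2% mask %PARTNER_MASK2% %ISA_DMZ_IP%
if errorlevel 1 (
    echo Failed to add route for %PARTNER_NET2%
    exit /b 1
)

rem Verification: the partner ranges must appear under "Persistent Routes"
rem with ISA's DMZ address as the gateway, and the new address must show on
rem the DMZ adapter. Traffic to the partner must not fall through to the
rem default gateway.
route print
ipconfig /all
echo Done. Test with: ftp %PARTNER_NET1:~0,-1%10  (or the partner's FTP host)
```

In `route print`, confirm that the partner ranges resolve to ISA's DMZ address rather than the server's default gateway; otherwise the request leaves through the wrong path and never enters the tunnel. The thread's ISA rules pass All Traffic in both directions; once the routing works, narrowing the rule to the FTP protocol (and the partner's /30 and FTP hosts only) limits what a compromise of either side can reach through the tunnel.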