It had an option when publishing ports to the outside world of "Requests appear to come from the ISA Server computer" or "Requests appear to come from the Forefront TMG computer".
This was handy for instance if you were publishing ports to the internet on WAN servers/local servers which didn't have that particular ISA or TMG box as it's default gateway.
This can be particularly handy if you wanted to load balance traffic across two links or simply as a backup way of getting into your network remotely if your primary link fails.
It basically modified the source address of any incoming connections so that it appears to the internal client as coming from the routers internal side IP.
This guide below shows exactly how to achieve this with a Cisco router running IOS 12.4.
In a typical scenario, you might have a router configured with ADSL and a Dialer interface with "ip nat outside" and a "Fa0/0" or "G0/0" LAN interface with "ip nat inside"
It may look like the following:
description ISP ADSL2+ Interface
ip address negotiated
ip nat outside
dialer pool 1
ppp authentication chap callin
ppp chap hostname email@example.com
ppp chap password 7 06675F141A1F064F25
description LAN Interface
ip address 192.168.0.1 255.255.255.0
ip nat inside
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.15 25 interface Dialer0 25
ip route 0.0.0.0 0.0.0.0 Dialer0
The problem with the above configuration is that the NAT only travels one way. What we want to achieve is a bi-directional NAT.
We need to remove the "ip nat inside" and "ip nat outside" lines from both the Dialer0 and FastEthernet0/0 interfaces and replace with "ip nat enable". This means now that we can configure NAT to work both inbound and outbound.
For the below example, we assume that my ISP has assigned me a static IP of 188.8.131.52.
The server I want to publish is a Web Server on IP 192.168.0.55
Assuming that your current configuration is like the above, we would type the following:
no ip nat inside
ip nat enable
no ip nat outside
ip nat enable
no ip nat inside source list 1 interface Dialer0 overload
no access-list 1 permit 192.168.0.0 0.0.0.255
ip access-list extended NAT_OUT
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT_IN
permit ip any host 184.108.40.206
ip nat source list NAT_IN interface FastEthernet0/0 overload
ip nat source list NAT_OUT interface Dialer0 overload
ip nat source static tcp 192.168.0.55 80 interface Dialer0 80
And that's it! Now when connections are made to the public IP, they are translated internally to the web server but the source address appears as 192.168.0.1 - the IP address bound the the Fa0/0 interface.