Wow! This does get interesting!...
Code:
         ME:                                        COMPANY XYZ:
                        +------{ Internet }------+
    (MY_FW)             |<=( Encrypted Tunnel )=>|             (XYZ_VPN_Peer)
    320.55.55.1         |                        |             330.22.22.1
    +-------------+-+   +                        +   +-+-------------+
    | My_Gateway  |                                  |  XYZ_Gateway  |
    +-+-----------+                                  +-+-------------+
      |                                                |
      + 10.1.1.0/24                                    + 330.22.22.1/32
      | (MyNetwork)                                    | (XYZ_NET)
      |                                                |
      +-+-- 10.1.1.1                                   +-- 330.22.22.1
      |     (NAT 320.55.56.1)                              (NAT 10.1.1.1)
      +-- 10.1.1.2
      |     (NAT 320.55.56.2)
      |
      +--+-- (XYZEncDmnGrp)
         +- 320.55.56.1
         +- 320.55.56.2

I did not realize that, even though XYZ has their 10.1.1.1 address behind 330.22.22.1, I'd still need to hide my 10.1.1.1 address from them so that the traffic knows how to get back from XYZ. Also, because I have two computers on my side that need to FTP to 10.1.1.1 on the XYZ side, I could not play the same trick of using the gateway IP for my NAT. I would be forced to purchase two additional public IP addresses, or use a private range that's outside of what XYZ is using (which is not my preferred method).
In the above example, I used 320.55.56.1 and 320.55.56.1 for the NAT. When I communicate with 10.1.1.1 on the XYZ side, the IP I'd FTP to is the 330.22.22.1 address and XYZ would see the traffic as coming from either 320.55.56.1 or 320.55.56.2, depending upon which computer is in use. When the traffic returns, their firewall will send it back to the 320.55.56.x address and my firewall will translate it back to the 10.1.1.x address.
If I understand correctly, in order to accomplish this, I'd need to create two nodes for each participating computer on my side... One node of 10.1.1.1, with a NAT of 320.55.56.1, and a separate node for 320.55.56.1, which would participate in the "XYZEncDmnGrp" group to allow the communication through the VPN tunnel.
Thanks, again, for all the help! Did I miss anything that time?
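To check the reasoning in the post above, here is an added Python model of the two gateways' static NAT and encryption-domain decisions for the overlapping 10.1.1.0/24 case (a constructed example, not the poster's or any vendor's configuration; RFC 5737 documentation addresses stand in for the post's 320.x/330.x values, which are not valid IPv4, and the function and table names are assumptions).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: 203.0.113.x replaces the post's 320.55.56.x NAT pool,
# 198.51.100.1 replaces XYZ's public FTP address 330.22.22.1.
XYZ_NET = ipaddress.ip_network("10.1.1.0/24")   # XYZ uses the same private range I do
MY_STATIC_NAT = {"10.1.1.1": "203.0.113.1", "10.1.1.2": "203.0.113.2"}
XYZ_STATIC_NAT = {"10.1.1.1": "198.51.100.1"}   # their FTP server behind their gateway
XYZ_PUBLIC_FTP = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def untranslate(table, public):
    """Reverse a static NAT mapping (public -> internal); unchanged if not mapped."""
    return next((k for k, v in table.items() if v == public), public)


def my_encryption_domain(use_nat):
    """With NAT, XYZEncDmnGrp holds only the NAT addresses; without it, my real subnet."""
    if use_nat:
        return [ipaddress.ip_network(a + "/32") for a in MY_STATIC_NAT.values()]
    return [ipaddress.ip_network("10.1.1.0/24")]


def ftp_round_trip(client, use_nat):
    """Return the internal host on my side that XYZ's reply reaches, or None if lost."""
    domain = my_encryption_domain(use_nat)
    # 1. My gateway: static NAT, then the packet enters the tunnel only if src is in my domain
    src = MY_STATIC_NAT.get(client, client) if use_nat else client
    if not any(ipaddress.ip_address(src) in n for n in domain):
        return None
    # 2. XYZ gateway: decrypt, translate their public FTP address to 10.1.1.1
    at_server = Packet(src, untranslate(XYZ_STATIC_NAT, XYZ_PUBLIC_FTP))
    # 3. Their server replies to whatever source address it saw
    reply = Packet(at_server.dst, at_server.src)
    # 4. XYZ gateway: a destination inside XYZ's own LAN is delivered locally, never tunnelled
    if ipaddress.ip_address(reply.dst) in XYZ_NET:
        return None
    reply = Packet(XYZ_STATIC_NAT.get(reply.src, reply.src), reply.dst)
    if not any(ipaddress.ip_address(reply.dst) in n for n in domain):
        return None
    # 5. My gateway: decrypt and undo the static NAT
    return untranslate(MY_STATIC_NAT, reply.dst)
```

With NAT each client's reply comes back to its own 10.1.1.x host; without it, XYZ's gateway sees a reply destined for its own LAN and the packet never re-enters the tunnel.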