From your description, you have a company that's using an ISP's services for Web Hosting and Mail. Their connectivity to the internet is also probably through the ISP as well, so in theory, there are two different types of targets.
Your first target is going to be the web/mail server. This is the IP address you should receive when you whois their web server. Most likely, their web server and mail server are on the same box (most likely in a shared hosting configuration). Your legitimate pen testing on this box will most likely be in the app pen testing arena, but you won't be "in the company" if you can get any access.
The second target is going to be the company connection to the internet itself. If the company is using a standard ISP for connectivity, they probably have a DHCP assigned address, and they are just like any average home user connected to the internet. Performing black box recon against a target like this is difficult at best.
If you are testing assets owned by an ISP, used by a 3rd-party company, make sure your written agreement has verbiage that addresses any concerns of the ISP in case they come hunting you down.
Poking at security since 1986. +++ATH