I really need an expert to guide me through this. I am not a good networker, but I will try to put the scenario here.
I have a Cisco 6509 core switch with SVI interfaces and VLANs on the local access switches, which are C3750 models. The structure comprises 100 x layer 2 switches. The layer 2 switches are all configured as access ports only and are assigned to their VLANs. The access points have uplinks to the core switch via fiber, and traffic is allowed on the trunks.
One of the contractors came and installed a web-based device, created its own isolated LAN, and also connected a router to that device. The contractor asked for an internal IP and an Ethernet cable connected to one of the ports in my access switch in VLAN 10, and I provided the internal IP from VLAN 10. The contractor configured the static IP and my SVI gateway, and now my users in VLAN 20 can access the device URL as requested by the business. At the time I did not know much about this setup and I did not care, as I treated it as an isolated workstation that needed to be accessed via URL. The IP I provided from VLAN 10 is not advertised to the internet, but this VLAN 10 is used for all the devices in this facility, as it is used for terminals and other environmental devices. The users are in different subnets, but they can still access VLAN 10 devices for support reasons, as they are internal users in the same domain.
The contractor went to higher management, and now he wants remote access to this isolated LAN/device from his head office. My manager, who is not a network person, asked me if I had put a NAT router in front of my access switch facing the device and given an ACL to allow users in VLAN 20 to access the device.
I told him I have an ACL applied on the SVI VLAN 10 interface of my core switch, and it blocks every subnet except the VLAN 20 subnet from accessing that static IP.
Is my manager correct that I need to provide a NAT router in front of that device? How would a NAT router apply in this situation? Do I really require a NAT router in front of my access switch before connecting to this device? Did I do anything wrong here?
I know the router the contractor installed has 2 interfaces, and I think one interface is configured with my IP and the other interface should be plugged into the internet, and he should configure a VPN tunnel if he wants to remote access his device. What is the best way to do that?
My goal is to protect my end of the LAN from any foreign access.
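For readers following this thread, here is an added example of the SVI ACL arrangement the post describes, written in Cisco IOS syntax. It is not the poster's configuration and every address in it is a constructed placeholder: VLAN 10 is assumed to be 10.10.0.0/24, VLAN 20 to be 10.20.0.0/24, and the contractor's device to sit at 10.10.0.50 serving its web UI on TCP 443 (and 80). The example also adds the reverse direction, which the post does not mention: a second ACL that stops the device (and the router behind it) from initiating connections into the rest of the network, which is the part that matters for keeping the LAN protected from the contractor's side.

```cisco
! Added example configuration, not from the original post. All addresses are
! constructed placeholders:
!   VLAN 10 subnet 10.10.0.0/24  (terminals, environmental devices, contractor device)
!   VLAN 20 subnet 10.20.0.0/24  (users who need the device URL)
!   contractor device static IP 10.10.0.50, web UI on TCP 443 and 80
!
! 1. Traffic TOWARD the device: only VLAN 20 may reach it; everything else is
!    dropped and logged. Applied OUTBOUND on the VLAN 10 SVI, because traffic
!    from VLAN 20 enters the core through SVI Vlan20 and leaves toward the
!    device through SVI Vlan10. The final "permit ip any any" keeps the other
!    VLAN 10 hosts reachable for the support use the post describes.
ip access-list extended VLAN10-TO-DEVICE-OUT
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.50 eq 443
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.50 eq 80
 deny   ip any host 10.10.0.50 log
 permit ip any any
!
! 2. Traffic FROM the device: it may only answer VLAN 20 sessions that VLAN 20
!    opened ("established" matches only packets with ACK or RST set); any
!    connection the device or the router behind it tries to start into the
!    network is dropped and logged. Applied INBOUND on the VLAN 10 SVI.
ip access-list extended VLAN10-FROM-DEVICE-IN
 permit tcp host 10.10.0.50 eq 443 10.20.0.0 0.0.0.255 established
 permit tcp host 10.10.0.50 eq 80 10.20.0.0 0.0.0.255 established
 deny   ip host 10.10.0.50 any log
 permit ip any any
!
interface Vlan10
 ip access-group VLAN10-TO-DEVICE-OUT out
 ip access-group VLAN10-FROM-DEVICE-IN in
!
! Verify hit counts after applying (the deny lines should be the only ones
! climbing when anything other than VLAN 20 tries the device):
!   show ip access-lists VLAN10-TO-DEVICE-OUT
!   show ip access-lists VLAN10-FROM-DEVICE-IN
```

Two caveats worth knowing when reading the thread. First, an ACL on an SVI only sees traffic that is routed through the core; other hosts inside VLAN 10 reach 10.10.0.50 at layer 2 and are never filtered by it, so the "isolation" here is only from the other subnets, not from the terminals and environmental devices sharing VLAN 10. Second, NAT by itself is address translation, not access control; what limits who can reach the device is the ACL (or a firewall rule), regardless of whether a NAT router sits in front of it.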