Clarification on the network setup.

Hi Experts,

I really need an expert to guide me through this. I am not a good networker, but I will try to put the scenario here.

I have a Cisco 6509 core switch with SVI interfaces, and VLANs on the local access switches, which are C3750 models. The structure comprises 100 layer 2 switches. The layer 2 switches are all configured as access ports only and are assigned to their VLANs. The access points have uplinks to the core switch via fiber, and traffic is allowed on the trunks.

One of the contractors came and installed a web-based device, created its own isolated LAN, and has also connected a router to that device. The contractor asked for an internal IP and an Ethernet cable connected to one of the ports in my access switch in VLAN 10, and I provided the internal IP from VLAN 10. The contractor configured the static IP and my SVI gateway, and now my users in VLAN 20 can access the device URL as requested by the business. At the time I did not know much about this setup and I did not care, as I treated it as an isolated workstation that needed to be accessed via URL. The IP I provided from VLAN 10 is not advertised to the Internet, but this VLAN 10 is used for all the devices in this facility, as it is used for terminals and other environmental devices. The users are in different subnets, but they still can access VLAN 10 devices for support reasons, as they are internal users in the same domain.

The contractor went to higher management and now he wants remote access to this isolated LAN / device from his head office. My manager, who is not a network person, asked me if I put a NAT router in front of my access switch facing the device and gave an ACL to allow users in VLAN 20 to access the device.

I told him I have an ACL applied on the SVI (VLAN 10 interface) of my core switch, and it blocks every subnet except the VLAN 20 subnet from accessing that static IP.

Is my manager correct that I need to provide a NAT router in front of that device? How is a NAT router applied in this situation? Do I really require a NAT router in front of my access switch before connecting to this device? Did I do anything wrong here?

I know the router the contractor installed has 2 interfaces, and I think one interface is configured with my IP and the other interface should be plugged into the Internet, and he should configure a VPN tunnel if he wants remote access to his device. What is the best way to do that?

My goal is to protect my end of the LAN from any foreign access.
SR ZakNetwork Solutions Asked:

NAT stops any access coming from outside, like direct attacks on SMB etc.
If you add UPnP, people can accept external connections (like Skype or torrent).

In order for the contractor to initiate a connection from the Internet to "his" device, it needs to be NAT'ed to a public IP address (assuming that it has a private IP address currently). Or you need to set up a VPN server on your network that he is allowed to connect to.

Even if you use the second interface on his device, it still needs a public IP address from your Internet connection. I personally would be scared to death to give the second interface a public IP address, because you have NO control over who might try to connect to his device, and my guess is you have no control over the security on his device. If somebody breaks into his device, they have access to at least some portion of your network.

I would rather NAT and create a policy that allows inbound access only from his head office's IP address. That way I control as much as I can.
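As an added illustration (not configuration from the original thread or from any of its posters), the two controls discussed above could look like this in Cisco IOS-style configuration: the SVI ACL the asker describes on VLAN 10, which lets only the VLAN 20 user subnet reach the contractor's device, and the static NAT with an inbound policy limited to the head office address that this answer recommends. Every address, interface name, ACL name and port is an assumed placeholder (RFC 5737 documentation ranges are used for the public side), and applying the SVI ACL in the "out" direction is an assumption about how the asker's ACL is attached.

```cisco
! === Core switch (6509): restrict who may reach the contractor device ===
! Assumed placeholders: device 10.10.0.50 in VLAN 10, user subnet
! 10.20.0.0/24 in VLAN 20, device reachable over HTTPS (443) only.
ip access-list extended VLAN10-DEVICE-OUT
 remark only the VLAN 20 user subnet may reach the device, and only on 443
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.50 eq 443
 remark everything else destined to the device is dropped (ping, SMB, etc.)
 deny   ip any host 10.10.0.50
 remark leave the rest of VLAN 10 (terminals, environmental devices) untouched
 permit ip any any
!
interface Vlan10
 description Facility terminals / environmental devices + contractor device
 ip address 10.10.0.1 255.255.255.0
 ! "out" on an SVI = traffic routed from other VLANs toward hosts in VLAN 10
 ip access-group VLAN10-DEVICE-OUT out
!
! === Internet edge router: expose the device only to the head office ===
! Assumed placeholders: router public IP 203.0.113.2/29, device mapped to
! public 203.0.113.3, head office source address 198.51.100.20.
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group INTERNET-IN in
!
interface GigabitEthernet0/1
 description Toward the 6509 core switch
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
!
! the device subnet lives behind the core switch (assumed core address 10.0.0.1)
ip route 10.10.0.0 255.255.255.0 10.0.0.1
!
! one-to-one static NAT: public 203.0.113.3 <-> device 10.10.0.50
ip nat inside source static 10.10.0.50 203.0.113.3
!
ip access-list extended INTERNET-IN
 remark inbound ACL on the outside interface is checked before NAT,
 remark so the rule matches the public address, not the private one
 permit tcp host 198.51.100.20 host 203.0.113.3 eq 443
 remark replies to sessions opened from inside (illustrative; a stateful
 remark firewall feature would normally handle return traffic instead)
 permit tcp any any established
 remark log whatever is dropped; useful for spotting scans against the mapping
 deny   ip any any log
```

The important property is that the device is never reachable by "anyone on the Internet": the static mapping exists, but the only inbound session the edge accepts to it is HTTPS from the single head office address, and inside the facility only the VLAN 20 user subnet can reach it. The `deny ... log` entry gives the asker a record of anything else that tries, which is the evidence to bring to management if the vendor's side is ever probed or compromised.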
SR ZakNetwork Solutions Author Commented:
OK, I understand he needs his external interface to have a public IP, and he should NAT it and he can access his router via a DMVPN tunnel.

I have an ACL on my end of the router that just allows us to access one terminal via web. We cannot ping the internal IP.

I know that NAT is used if the IPs are the same, or if you want to translate an internal IP to an external one. Am I right?

If his device has a public IP address, he does not need to use a VPN.  He could go straight to his device.

The only time he would need a VPN is if his device does not have a public IP address.
Is VLAN 10 limited to internal resources/sensitive data?

Depending on what was installed, I would advise of the potential risks of allowing remote access to that device while it is on this VLAN.
I.e., if the vendor is compromised, it also compromises your system.
In the current scenario once this system gets external access it could be used to
SR ZakNetwork Solutions Author Commented:
Thank you all for contributing to the discussion. I will take it from here.