We have around 400 end users not counting printers and other peripherals with Public IP addresses. We just upgraded our Ethernet Backbone to two 6500 Core Cisco Switches and 8 closets with 3750 stackable switches. We are using a User Vlan, Management VLan and Firewall VLan. We have a backup site we are connected to through an agency router in which we have no control over at all. There is a 2600 series router on the HQ side and one on the backup site that both are routed through the agency router. The 2600 series routers will be eventually replaced with 1800 series routers.
Here's what we would like to do. I do almost all of the research here for networking, and I am not an expert. In our remote site, we only have about 5 servers with Public IPs. Each server has an RSA adaptor card in it for Out Of Band Management. I want to configure the RSA adaptors with private IP addresses and be able to control them from HQ and be able to control them from the backup location as well, (from the public IP addresses). I played around with NAT and was able to get out from the private IP addresses, but cannot configure it to go from the public IP addresses to the private. The agency will not route a private IP address.
I have tried exploring VPN and could not figure out how to use it for this scenario. I need to go from our public IP from HQ, through the firewall, through the agency router, into the other firewall, through that router, then into a private IP, keeping the existing public IP for the servers. The Firewall guy doesn't want to make a VPN with the firewall, and we cannot use a server because the RSA cards have to be assessable even when the servers are down.
Can this be done with just Cisco routers? Is there any documentation that gives step by step, or has been written for someone who has knowledge of Cisco, but is not an expert? We do not have a problem using private IPs for the servers at the backup site as long as we can connect during a switchover if we need to bring them up. But we would have to keep public IP's routed from HQ to the backup site since the agency will not route private IP's.
Thank you and all ideas are appreciated. Also, I have the 1800 router in my LAB to test prior to deployment.