I have a situation where I'm needing to allow an IPSec client (Windows, software-based classic IPSec using ESP+AH+UDP) to be able to reach a site out over the public Internet. The problem is that the Windows workstation is nested three levels deep in internal networks away from the public Internet, and presently there is no direct NAT or any kind of direct routability to the public Internet at all.
From the Internet to this deep internal network, there exists this following path:
Raw Internet -> T1 line connected to C1721 router -> ASA5520 firewall -> C3845 router -> Internal LAN network #1 at location "A" using Catalyst switch infrastructure (this network is all RFC1918 privately addressed) -> Another C3845 router with extensive ACLs as an interior firewall -> Another different internal LAN network #2 using another Catalyst switch stack at location "B" with completely different RFC1918 private address scheme -> Windows PC at location "B" residing on this LAN that needs to be able to IPSec VPN to a site out on the public Internet.
How can I make this work when I'm legally prohibited from installing a directly-Internet-connected firewall directly to the interior LAN at location "B"... it's a law enforcement agency with strict connection rules... yet I'm being expected to make this deal work within the existing physical framework of the network architecture?