LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-12-2006, 04:29 PM   #1
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Rep: Reputation: 30
Router to corp intranet


This isn't really a linux question, but you guys are sharp, so maybe you have an answer!

I have a router that connects up to a corporate intranet that all the franchises can access. Its private IP of the ethernet interface is 10.27.164.238. My gateway is set up so if a workstation points their browser to a domain in a certain subnet, the gateway will pass the traffic off to that router. If I static NAT a public IP address to the ethernet interface of that router, is there any way I can access the sites on the corporate intranet without modifying my gateway at home? I need a solution that would preferably work with Windows and Linux so IP Tables might be off the table.

Thanks!
 
Old 02-13-2006, 09:17 AM   #2
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184

I'm not sure I got the question. You've got something that looks like this -

Code:
Work Lan

     10.27.164.x  
        |                                      |----Linux PC
        |------Router~~~~(wan)~~~~~~Gateway----|
Server--|    .238                              |----Windows PC
So you want to access the intranet on a server, and what is stopping you?
 
Old 02-15-2006, 02:39 PM   #3
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Original Poster
Rep: Reputation: 30
Sorry for the confusion. Here is the situation:


Work LAN (10.27.164.X) -------- NAT Device ------> Internet (via SBC T1)
|
|
L----------> Corporate intranet (via Corporate T1)

So if I configure a public IP to statically NAT to the local interface on the corporate intranet router (10.27.164.238) how can I get remote PCs to access sites out that corporate router?
 
Old 02-16-2006, 02:34 AM   #4
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
So, if I understand you correctly, the NAT hides the IP addresses on the corporate intranet from the outside world and maps them to a static IP (which is a very common practice).

This implies that any remote machine only sees 1 "external" IP address, namely the static IP address that is given by the NAT, which should be the IP address from the router that's doing the NAT.

Basically, the NAT will make any computer on the corporate LAN unreachable via its own IP. So, you simply can't get to the server via its IP on remote machines. Remote machines can only contact the public IP, which is routed to the appropriate machine by the NAT.

So, what you'll need to accomplish is:
-Either disable the "NAT" for the web server(s) you're trying to access. All machines accessible from remote machines should have their own public IP address. This however has serious security implications.
-Or configure your NAT/router to route all incoming traffic on port 80 to one particular web server. I don't think you can configure it to go to more than one web server, unless you apply some kind of load balancing or a kind of "backup" web server (that takes over from the primary when it fails).

A firewall may be an appropriate solution to this issue too. This firewall will need to be on the corporate network (not on your remote Win/Linux machines) and will need to filter all incoming and outgoing traffic. The router will then have to route all incoming traffic to the firewall and the entire corporate LAN will need to use that same firewall for outgoing traffic.
 
Old 02-17-2006, 12:56 PM   #5
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Original Poster
Rep: Reputation: 30
Sorry for the confusion guys, I don't think I am explaining this well.

The work LAN (10.27.164.X) has 2 routers, one has SBC's T1 out to the ordinary internet, and the other T1 coming in goes out the other router (10.27.164.238) to the corporate LAN. When you type in an address that resolves to a subnet on the corporate network, the firewall/NAT device (which is the gateway for all the PCs) will forward the traffic to 10.27.164.238 and out to the corp. LAN.

SO...

If I statically NAT 10.27.164.238 to a public IP such as MY.PUB.LIC.IP I could in theory program any old WRT54G at the remote location to say, OKAY, anything in XYZ subnet, hand it off to MY.PUB.LIC.IP. There are only 2 problems with that scenario. 1. I want to reference the corporate sites by their FQDN, not by IP address, 2. I don't want to have to program a router (WRT54G for example) to make that routing decision because in a lot of cases, I won't have access to the router (if I am at a WiFi hotspot etc).
 
Old 02-17-2006, 05:08 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
If I understand your explanation correctly, you noticed that your router that connects to The Internet via SBC is the "default gateway" for the clients on that LAN. You then noticed that that router sends all requests for corporate LAN stuff to the router at 10.27.164.238 instead of out to The Internet. You now want to tell your home router to use 10.27.164.238 the same way, so it can "see" your corporate LAN? The problem is, everything 10.xxx.yyy.zzz behind the SBC router is a "private IP" address so any router on The Internet that you ask to send you there will just drop the request. If you somehow managed to open up a route to that network that you could get to from across The Internet, then potentially anyone else on The Internet could use it also. This would likely make whoever runs the corporate network just a little upset with you.

If you just want a way to access your corporate LAN from The Internet, the typical solution to this that many companies use is called VPN. My suggestion is that you check with whoever runs your corporate LAN and see if they have a VPN implementation in place and if you can have your [laptop] set up with the VPN software and an account. I also suggest not trying to set up your own VPN or router (this is known as a rogue network connection, admins kinda frown on it.)
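
Added example, not part of any post in this thread: a longest-prefix-match lookup that contrasts the work gateway's routing table (as described in posts #5 and #6) with a router the user does not control. The corporate subnet `10.50.0.0/16`, the hotspot table and the uplink names are constructed stand-ins for the "XYZ subnet" and remote routers the thread leaves unspecified; only 10.27.164.238 and the 10.27.164.x LAN come from the thread.

```python
import ipaddress

CORP_ROUTER = "10.27.164.238"   # from the thread
CORP_SUBNET = "10.50.0.0/16"    # constructed: stands in for "XYZ subnet"

# Work gateway as described in the thread: corporate prefixes are handed
# to the corporate router, everything else leaves via the SBC T1.
WORK_GATEWAY = [
    ("10.27.164.0/24", "on-link"),
    (CORP_SUBNET, CORP_ROUTER),
    ("0.0.0.0/0", "SBC T1"),
]

# Constructed table for a router the user cannot configure (e.g. a hotspot).
HOTSPOT_ROUTER = [
    ("192.168.1.0/24", "on-link"),
    ("0.0.0.0/0", "ISP uplink"),
]

# Next hops that lead onto the public Internet.
INTERNET_UPLINKS = {"SBC T1", "ISP uplink"}


def next_hop(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in table
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forwarding_outcome(table, dest):
    """Describe what happens to a packet for dest under this table."""
    hop = next_hop(table, dest)
    if hop is None:
        return "dropped: no route"
    # Private (RFC 1918) destinations are not routed across the Internet.
    if hop in INTERNET_UPLINKS and ipaddress.ip_address(dest).is_private:
        return "dropped: private destination sent to " + hop
    return "forwarded to " + hop


if __name__ == "__main__":
    for name, table in (("work gateway", WORK_GATEWAY),
                        ("hotspot router", HOTSPOT_ROUTER)):
        for dest in ("10.50.1.10", "8.8.8.8"):
            print(f"{name:15} {dest:12} {forwarding_outcome(table, dest)}")
```

The same corporate destination is forwarded by the work gateway and dropped from the hotspot, which is why access from arbitrary networks needs a tunnel terminating inside the LAN (the VPN suggested in post #6) rather than a route on each remote router.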
 
Old 02-17-2006, 11:20 PM   #7
mattp
Member
 
Registered: Mar 2004
Location: Chicago, USA
Distribution: Slackware 10.2
Posts: 368

Original Poster
Rep: Reputation: 30
Okay, thanks for the info.
 
  



All times are GMT -5. The time now is 01:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration