Hello Christian,
Your objectives are unclear to me: I don't know what the external IP address in your example is. Is it the public IP address of the far-end underlying Internet connection over which you set up the tunnel between the companies, or is it the far-end subnet you want routing and connectivity to?
Quote: "We need a NAT rule that forwards incoming traffic to the router's external IP to the router's LAN address range. With a port forward rule we got access to an end device via the external IP of the router. But that doesn't help us; we need access to all devices connected to the router."
I guess there are two (or even more) different approaches and designs here to be considered, depending on what you really need to configure in your case:
1) Routing between the companies' LANs using a VPN tunnel (no additional NAT operation required; this allows you to use all ports for all hosts, just like in a normal LAN). In this case, you configure two firewall zones that will allow traffic between the companies:
{CompanyA} RUT-LAN -> VPN-Tunnel {Company B}
{CompanyB} VPN-Tunnel -> RUT-LAN {Company A}
+
add some corresponding static/dynamic routing at both ends (routers) that will direct and forward traffic between the LANs over the VPN tunnel. In this case you will have full connectivity and can use all ports of the LAN connected behind the RUT, for remote support.
Alternatively, you can create an S-NAT or D-NAT rule translating the Company-A subnet connected to the RUT240 into an external IP (like the point-to-point subnet of the VPN tunnel) and create PAT (Port Address Translation) rules. However, this approach only allows you to operate one-to-one NAT bindings, so when you try to connect from Company-B (your subnet) through the VPN tunnel, for every host placed behind the RUT-LAN you can use the same port only once, so you cannot use it again in other rules (like repeating the same port).
What I'm saying is, if you want to use common well-known ports like HTTPS/443 or Remote Desktop 3389, it will not be possible to clone or duplicate rules; you will need to build other rules using different ports like 443x [1-9] for every single host, and many entry rules.
2) Access remote devices via the outside public Internet IP address (using NAT from private -> public IP + port forwarding rules).
In this case, you use the outside public Internet IP address of Company-A, create NAT rules on the RUT240 and set port forwarding rules. The same behaviour happens as I wrote above.
You can create an S-NAT or D-NAT rule translating the Company-A subnet connected to the RUT240 into an external IP (but in this case it's a publicly routable Internet IP address, not the VPN) and create PAT (Port Address Translation) rules. However, this approach only allows you to operate one-to-one NAT bindings, so when you try to connect from Company-B (your subnet) through the Internet, for every host placed behind the NAT (the network connected to the RUT-LAN) you can use the same port only once, so you cannot use it again in other rules (like repeating the same port).
What I'm saying is, if you want to use common well-known ports like HTTPS/443 or Remote Desktop 3389, it will not be possible to clone or duplicate rules; you will need to build other rules using different ports like 443x [1-9] for the other hosts.
What comes to my mind as better is to place a jump server in the RUT-LAN network. Thanks to that you can create only one port forwarding rule entry for 443/3389 to that single jump server. Then you connect from your Company-B to that server at Company-A (whether over VPN or Internet), and from that server you jump to the other machines you want to support and create another (internal) session like HTTPS/SSH/RDP etc. using the ports you want, because you trigger it in the same LAN segment, meaning this traffic is no longer inspected by the RUT gateway router; it's treated as normal traffic in the LAN segment.
I hope I gave you some theoretical clues to find your approach. But it's also worth knowing some limitations. Wish you good luck.
Kind Regards,
Robert.
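The two designs Robert describes, written out as an added example in OpenWrt/RutOS UCI firewall syntax (not configuration from the thread or from Teltonika): the zone forwardings for routing over the VPN tunnel, and the one-to-one DNAT rules where each host's port 443 needs its own external port. The Company-A LAN 192.168.1.0/24, the hosts 192.168.1.11/.12, the external ports 4431/4432 and a VPN interface named 'vpn' (already defined in /etc/config/network) are all assumed for this example, as are the default 'lan' and 'wan' zones.

```uci
# /etc/config/firewall (OpenWrt/RutOS UCI). Constructed addressing: Company A LAN
# 192.168.1.0/24 behind the RUT240, VPN tunnel interface 'vpn'; the default
# 'lan' and 'wan' zones are assumed to exist already.

# --- Approach 1: routing over the VPN tunnel, no NAT ---
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'          # no masquerading: hosts keep their real LAN addresses

# {CompanyA} RUT-LAN -> VPN-Tunnel {CompanyB}
config forwarding
	option src 'lan'
	option dest 'vpn'

# {CompanyB} VPN-Tunnel -> RUT-LAN {CompanyA}
config forwarding
	option src 'vpn'
	option dest 'lan'

# --- Approach 2: one-to-one DNAT/PAT on the external address ---
# An external port can be bound only once, so port 443 of each host gets its
# own external port (4431, 4432, ...): the "443x [1-9]" scheme from the post.
config redirect
	option name 'https-host1'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '4431'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '443'

config redirect
	option name 'https-host2'
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '4432'
	option dest 'lan'
	option dest_ip '192.168.1.12'
	option dest_port '443'
```

For approach 1 the route to Company B's subnet via the tunnel still has to exist on both routers (a `config route` entry in /etc/config/network, or a route pushed by the VPN server); the zone forwarding above opens all ports between the two LANs, so narrow it with `config rule` entries if only specific services need to be reachable.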