Cisco ASA VPN: effect of access-list inside-access-in on a remote VPN client/user trying to RDP to an internal server

A user connects to our IPsec VPN on our ASA.

Do I need to consider the access-list inside-access-in (ACL)? I am trying to tie down the access ports going out from our LAN.

When a user connects to our VPN they get an address 192.168.50.x. If I block RDP down to, say, only a jump host allowed to go in the ASA inside interface and out to the DMZ, would this then block a VPN user from doing RDP to a server on the inside of the LAN?

Sorry, I'm not sure what interfaces come into play when an external user VPNs from outside through the ASA to get onto our LAN.


Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Inside users should not be affected if the users and RDS server are in the same subnet, or if they are in different subnets with routes that travel over your router. Take a look at your IP settings on a computer and then the ones on the server; most likely they are the same. The firewall only comes into the picture if you are connecting to other subnets over the firewall (i.e. external or DMZ networks).
Jan Springer commented:
VPN accounts are in a different subnet -- yes, you need to update the inside ACL.
philb19 (Author) commented:
Thanks Jan. I think this is where I'm lost a bit. YES, the servers are on a different subnet. Now when I'm connected to the VPN (ASA IPsec) I run a tracert to the server subnet, and there are no hops: straight there, no gateway used. So here's my confusion (wish I had a diagram): how is the traffic traversing to these subnets? Through the ASA (inside interface?)

Note: there is a route entry on the ASA for these server subnets.

Jan Springer commented:
What is the subnet of the remote VPN client (with mask)?

What is the local subnet?

Three things that I expect to see:
   1) The encryption domain -- this is the ACL that defines interesting traffic to be encrypted between the end points

   2) The nonat access list should include conversation between these subnets

   3) The inside access list should allow traffic to return to the VPN subnet
philb19 (Author) commented:
What is the subnet of the remote VPN client (with mask)?
192.168.50.x/24. This is the VPN IP range that is dished out from the ASA.

What is the local subnet? You mean the servers on the INSIDE side of the ASA that are RDP'd to?


   3) The inside access list should allow traffic to return to the VPN subnet

So any ACL I apply to the inside ASA interface should allow traffic to 192.168.50.x/24?

Jan Springer commented:

Samples of ACLs:

access-list REMOTEVPN extended permit ip
access-list NONAT extended permit ip
access-list INSIDE_IN extended permit ip

Obviously, the access list names need to be changed and you can further refine access to specific IPs and not the entire subnet.

The only thing to be careful with is that the encryption domain (ACL REMOTEVPN) is an exact inverse match on the two firewalls.
philb19 (Author) commented:
Great, thanks. I'm just having trouble visualising how an external VPN user traverses back through the inside interface of the ASA. The VPN client config points to the outside interface of the ASA to make the connection. I guess I'm missing something basic in understanding how it all works.

Also can you please explain this point

   2) The nonat access list should include conversation between these subnets
Are this and the remotevpn ACL you wrote applied against an interface?
Jan Springer commented:

The nonat applies to any NAT being done on the inside interface.

If you have 8.2 or earlier it'll look something like "nat (inside) 0 access-list NONAT". If it's 8.3 or later, it'll be defined in a nat statement, most likely using objects.

The remotevpn acl is defined in the crypto map ## for that peer.
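Editor's note: the three pieces Jan lists (encryption domain, NAT exemption, inside ACL) in one worked ASA configuration, with the 8.2-and-earlier and 8.3-and-later NAT exemption forms side by side. This is an added example written for this page, not config from the thread or from Cisco. It assumes a remote-access IPsec VPN (so the encryption domain is the split-tunnel list in the group-policy, not a crypto map ACL), the 192.168.50.0/24 pool from the question, a placeholder inside server subnet 10.0.20.0/24, and placeholder object, ACL and group-policy names. One point the thread does not spell out: the ASA is stateful, so replies to an RDP session a VPN client starts are permitted by the connection table, and the inside interface ACL only decides which connections the LAN may initiate toward the pool.

```cisco
! Added example (not from the thread). 192.168.50.0/24 is the VPN pool from the
! question; 10.0.20.0/24 and every object/ACL/policy name are placeholders.

! 1) Encryption domain for remote access: the split-tunnel list tells the client
!    which destinations go into the tunnel. A standard ACL is used here.
access-list SPLIT_TUNNEL standard permit 10.0.20.0 255.255.255.0
group-policy RAVPN_POLICY internal
group-policy RAVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 2) NAT exemption so inside <-> VPN pool traffic is not translated.
!    Use ONE of the two forms depending on the ASA version.
!    2a) 8.2 and earlier: nat 0 with an ACL
access-list NONAT extended permit ip 10.0.20.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!    2b) 8.3 and later: object-based identity (twice) NAT
object network INSIDE_SERVERS
 subnet 10.0.20.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE_SERVERS INSIDE_SERVERS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! 3) Inside interface ACL. It is evaluated on connections entering the ASA from
!    the LAN, i.e. connections the servers initiate toward the VPN pool; replies
!    to client-initiated RDP are already allowed by the stateful connection table.
!    Permit the pool explicitly so a later deny-all does not break LAN -> VPN flows.
access-list INSIDE_IN extended permit ip 10.0.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

To check the result, `show nat` (8.3+) or `show xlate` should show the inside subnet reaching the pool untranslated, and `packet-tracer input inside tcp 10.0.20.10 1025 192.168.50.10 3389` walks a LAN-initiated flow through the inside ACL and NAT phases.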

philb19 (Author) commented:
The remotevpn acl is defined in the crypto map ## for that peer.

Sorry, just to be clear, this is a remote access VPN, not a site-to-site VPN. Does that change the above statement, or any of your answers?
Jan Springer commented:
Only in that the "remoteacl" may be specified in the group-policy of the dynamic vpn if it's selective split tunnel.
philb19 (Author) commented:
I found this check box in ASDM:

"Enable inbound IPsec sessions to bypass interface access lists."
It's currently ticked.

Does this do away with my requirement for an ACL on the inside interface to allow traffic back to the VPN subnet?
Or is that just inbound to the outside interface, bypassing the outside-access-in ACL for IPsec sessions?
Jan Springer commented:
It sounds like that should do it.  I don't use ASDM (only CLI).
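Editor's note: the ASDM checkbox quoted above corresponds to the CLI command `sysopt connection permit-vpn`, which is on by default. It answers the author's second guess: it bypasses the outside interface ACL for decrypted VPN traffic only, and has no effect on the inside interface ACL. The defender's caveat is that while it is ticked, `outside-access-in` cannot be used to limit what VPN users reach; the supported place to restrict them is a `vpn-filter` in the group-policy. The configuration below is an added example for this page, not from the thread or from Cisco; 192.168.50.0/24 is the pool from the question, the server address 10.0.20.10 and all ACL and group-policy names are placeholders.

```cisco
! Added example (not from the thread). Placeholders: 10.0.20.10, VPN_FILTER,
! OUTSIDE_IN, RAVPN_POLICY. 192.168.50.0/24 is the VPN pool from the question.

! The ASDM box "Enable inbound IPsec sessions to bypass interface access lists"
! is this command (default: enabled). Decrypted VPN traffic then skips the
! outside interface ACL; the inside interface ACL is unaffected either way.
sysopt connection permit-vpn

! Option A (bypass left on): restrict VPN users with a vpn-filter. The ACE is
! written with the VPN client as source and the inside host as destination, and
! the ASA applies it to the tunnel's traffic in both directions. Here only RDP
! to one jump host is allowed; everything else from the pool is denied and logged.
access-list VPN_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.20.10 eq 3389
access-list VPN_FILTER extended deny ip any any log
group-policy RAVPN_POLICY attributes
 vpn-filter value VPN_FILTER

! Option B (bypass turned off): police decrypted VPN traffic in the outside
! interface ACL like any other inbound traffic. Use A or B, not both.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.20.10 eq 3389
access-group OUTSIDE_IN in interface outside
```

`show running-config sysopt` confirms which way the bypass is set, and `show vpn-sessiondb detail` (or `show asp table filter` on releases that support it) shows whether the filter is attached to the session; a VPN client's RDP attempt to a non-jump-host server should then appear as a denied entry in the log rather than succeed.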
philb19 (Author) commented:
Awesome, all worked out, thanks.