Security Policies ASA 5505

15 years 9 months ago #28995 by timparker
Can someone help me get my head around writing policies for this? I have 3 interfaces set up on mine (DMZ, INSIDE, OUTSIDE).

For example, I want to set up a rule to allow me as a VPN user (I can get connected, but that's it so far) to use Remote Desktop to my workstation in our office.

I have the laptop set up to get IP 192.168.5.10 when it connects. The workstation is 192.168.16.35. I know that Remote Desktop is port 3389.

Do I create a rule in the outside or inside section? I am somewhat new at this and am getting a bit confused on the fact that it comes in on the OUTSIDE interface so I think I should set it up there, but my workstation is on the INSIDE so I figure I have to do some NAT magic or something.....

TIA for any help you can give me.

Tim
15 years 9 months ago #28997 by skepticals
What type of VPN are you using? Are you VPNing into the ASA?

Normally, without a VPN you need:
1) An ACL/Policy applied to the OUTSIDE allowing access from the outside to the inside server with a port of 3389.

2) You will need a magical static NAT translation between your external IP address and the internal server you want to connect to.

However, if you connect via VPN and are on the same VLAN and INSIDE interface, I don't think you need any of that Jazz because you are connected via VPN...
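The two pieces skepticals describes (an ACL on OUTSIDE plus a static translation for the server) and the VPN-pool case discussed further down the thread, written out as an added configuration example. This is not from the thread or from Cisco; it assumes pre-8.3 ASA NAT syntax, and every address is a placeholder (203.0.113.10 and 198.51.100.25 are documentation ranges; the pool, LAN and workstation addresses are the ones Tim mentioned). For the VPN case it uses a NAT exemption (`nat 0`) so pool-to-LAN traffic is not translated, and a `vpn-filter` to restrict what VPN users may reach, since decrypted VPN traffic bypasses the interface ACLs by default.

```cisco
! Added example, not from the thread. Assumes ASA software 8.2 (pre-8.3 NAT syntax).
! Placeholders: public IP 203.0.113.10, admin home IP 198.51.100.25,
! VPN pool 192.168.5.0/24, LAN 192.168.16.0/24, workstation 192.168.16.35.

! --- Case 1: no VPN, RDP published through the OUTSIDE interface ---
! One-to-one static NAT from the public address to the inside workstation.
static (inside,outside) 203.0.113.10 192.168.16.35 netmask 255.255.255.255
! Inbound ACL on OUTSIDE. Limit the source to a known admin address instead
! of "any": RDP exposed to the whole Internet attracts brute-force attempts.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.25 host 203.0.113.10 eq 3389
access-group OUTSIDE_IN in interface outside

! --- Case 2: remote-access VPN with its own address pool ---
ip local pool VPN_POOL 192.168.5.10-192.168.5.50 mask 255.255.255.0
! NAT exemption: LAN <-> VPN pool traffic is passed untranslated, so no
! static translation is needed for pool-to-LAN traffic.
access-list NONAT extended permit ip 192.168.16.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Decrypted VPN traffic bypasses interface ACLs while "sysopt connection permit-vpn"
! (the default) is in effect, so restrict VPN users with a vpn-filter instead.
! Source is the VPN pool, destination is the inside host/network.
access-list VPN_FILTER extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.16.35 eq 3389
access-list VPN_FILTER extended permit tcp 192.168.5.0 255.255.255.0 192.168.16.0 255.255.255.0 eq 445
access-list VPN_FILTER extended permit tcp 192.168.5.0 255.255.255.0 192.168.16.0 255.255.255.0 eq 80
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-filter value VPN_FILTER
tunnel-group RA_TUNNEL type remote-access
tunnel-group RA_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
```

Check the running software version first (`show version`): from 8.3 onward the `static` and `nat 0` commands are replaced by object NAT and `nat ... source static` with the `no-proxy-arp`/identity form, so the NAT lines above would need rewriting while the ACL and vpn-filter parts stay the same. `show access-list VPN_FILTER` and `show nat` are the quickest way to confirm hits are landing on the intended entries once a client connects.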
15 years 9 months ago #28999 by timparker
> What type of VPN are you using? Are you VPNing into the ASA?

It's a remote access VPN to the ASA. I will eventually have our 10-15 remote users set up to use this once I have all the kinks worked out.

> Normally, without a VPN you need:
> 1) An ACL/Policy applied to the OUTSIDE allowing access from the outside to the inside server with a port of 3389.
>
> 2) You will need a magical static NAT translation between your external IP address and the internal server you want to connect to.

It was recommended through a newsgroup that I set up a different subnet for my VPN users. So I created a Pool and assigned it to the tunnel. So now I have VPN users that will be connecting as 192.168.5.x and the LAN (INSIDE) is 192.168.16.x. Doesn't this add complexity, as I now think I need to change the .5.x to a .16.x to get it to work on the internal LAN, or am I missing the mark?!?
15 years 9 months ago #29005 by skepticals
timparker,

Honestly, I am not the best person to talk to because I do not have a great deal of experience with remote access VPNs; however, I believe you still need a static NAT translation from your remote VLAN to your internal VLAN. You will also need an ACL/policy allowing the 3389 traffic from the remote VLAN to the internal VLAN.

You *could* change the .5.x to .16.x, but it is more secure to leave them in different VLANs.

What is your overall goal? A user connects to the VPN then needs to remote desktop to another PC?
15 years 9 months ago #29006 by timparker
That is just one thing that some will need (admins mainly). For the most part it will be opening some network shares to edit and use files, and hitting a couple of internal web sites (custom applications).
15 years 9 months ago #29010 by timparker
Thanks for the help! I was able tonight to get it working and connect through the VPN! I did change the VPN clients to 192.168.5.x.

I do now have some other questions which I did post to comp.dcom.sys.cisco on VPN clients and best practices/how-to.

If anyone is an expert with this, or at least has some experience, please speak up. I do have some more questions for when I start testing with more than one user.

I am now off to figure out my specific rules and NAT that is needed.