RDP over VPN
I have been trying for a few weeks to reach the office remotely via VPN without success. I am able to connect to the VPN, but once connected, I cannot connect to the office remotely.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool ippool 10.1.1.3-10.1.1.254
pdm location 10.1.1.32 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.32 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.32 c:\cisco
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool ippool
vpngroup vpn dns-server 10.1.1.2
vpngroup vpn wins-server 10.1.1.2
vpngroup vpn split-tunnel 1021
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd auto_config outside
terminal width 80
Allows you to restart.
You say that you are trying to remote desktop to 10.1.1.2, but then you say that you are trying to connect to 10.1.2.1? Which is it?
Second, I think you'll have problems using 10.x for your VPN clients. Why don't you change to 192.168.1.x to cut out the confusion. Change...
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
Then leave out the split tunnel for now until you get connectivity inside.
You must have...
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool 10.1.2.32-10.1.2.62 255.255.255.0
ip local pool ippool 10.1.2.32-10.1.2.60
ip local pool vpnpool 192.168.1.1-192.168.1.254
pdm location 1.2.3.5 255.255.255.255 inside
pdm location 10.1.1.32 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.1.32 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.32 c:\cisco
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 wins-server 10.1.1.2
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpn address-pool vpnpool
vpngroup vpn idle-time 1800
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd auto_config outside
terminal width 80
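The reply above fixes three things at once: a client pool that overlaps the inside subnet, a missing nat 0 exemption for the pool, and a split-tunnel ACL (1021) that is never defined. The following is an added example, not code from the thread or from Cisco: a small Python checker that reads PIX 6.3-style lines and reports those conditions. The two config excerpts inside it are constructed from the posted and corrected configs, and the check names are my own.

```python
"""Lint a PIX 6.3 remote-access VPN config for the problems discussed in the
thread: a VPN pool overlapping the inside subnet, no nat 0 exemption for the
pool, an undefined split-tunnel ACL, and NAT-T left off.  Added example; the
excerpts below are constructed from the posted configs, not device output."""
import ipaddress
import re

# Constructed excerpt of the original poster's config (relevant lines only).
ORIGINAL = """\
ip address inside 10.1.1.1 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip local pool ippool 10.1.1.3-10.1.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup vpn address-pool ippool
vpngroup vpn split-tunnel 1021
"""

# Constructed excerpt of the corrected config from the reply.
CORRECTED = """\
ip address inside 10.1.1.1 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup vpn address-pool vpnpool
vpngroup vpn split-tunnel 101
"""


def parse(config):
    """Pull out only the statements the checks need (PIX uses netmasks)."""
    c = {"inside": None, "pools": {}, "acls": {}, "nat0": None,
         "addr_pool": None, "split": None, "natt": False}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)", line):
            c["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            c["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            c["acls"].setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                 ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            c["nat0"] = m[1]
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)", line):
            c["addr_pool"] = m[1]
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)", line):
            c["split"] = m[1]
        elif line.startswith("isakmp nat-traversal"):
            c["natt"] = True
    return c


def lint(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    c = parse(config)
    findings = []
    pool = c["pools"].get(c["addr_pool"])
    if pool is None:
        findings.append("address-pool references an undefined ip local pool")
    else:
        lo, hi = pool
        if c["inside"] and (lo in c["inside"] or hi in c["inside"]):
            findings.append("vpn pool overlaps the inside subnet (clients collide with LAN hosts)")
        # The nat 0 ACL must carry LAN -> pool so client traffic is not PATed.
        exempt = c["acls"].get(c["nat0"], [])
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append("no nat (inside) 0 access-list exempting LAN->pool traffic from PAT")
    if c["split"] and c["split"] not in c["acls"]:
        findings.append(f"split-tunnel ACL {c['split']} is not defined")
    if not c["natt"]:
        findings.append("isakmp nat-traversal not enabled (clients behind NAT will fail)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, lint(cfg) or ["no findings"])
```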
Tags: Cisco Security
Similar Questions
-
We have a VPN tunnel on our firewall with another partner peer. We use an ASA 5520 with IOS "asa825-k8" and ASDM version 6.4.
Our partner has several services running through this VPN tunnel, including SIP.
The other services work very well; only the SIP connections cannot come up.
The thing is, we allowed any IP service on the inside and outside interfaces, but this one could not come up.
Is there any SIP over VPN option that must be configured on the ASA?
Hello
As you can see in the logs, it is denied on the inside interface.
You just need to allow this by opening an ACL for this traffic on port 5060.
Let me know if it works.
Kind regards
Aditya
Please rate useful messages and mark the correct answers.
-
SIP over VPN and 1.0.2.6 firmware on RV120W
Updated to 1.0.2.6 and all of a sudden the SIP devices that worked via the VPN no longer work. Downgraded to version 1.0.1.3 and they work again. Any ideas? My guess is that some ports are blocked on the VPN in 1.0.2.6.
I thought the whole idea of firmware upgrades was to fix bugs rather than introduce them.
Suggestion for Cisco: zip the firmware image downloads, or have an upgrade process which includes a CRC check, so that at least the poor punter will have an indication if they have been damaged. I had a subtle memory problem that corrupts certain files. The firmware download seemed to complete correctly and you could log on OK, but some menu choices resulted in a deadlock with the "Please wait... the page is loading" message. A thorough check of the file sizes revealed that the file I was loading into the router was different in size from the one on the site; a few hundred bytes must have been corrupted during the download. But the download appeared normal with no indication of any errors. It's a pretty basic protection measure that should be there as a no-brainer: the router should perform a CRC check and show an error if it fails.
Hello Michael,
Maybe you have the SIP application layer gateway active. Please try to disable it; SIP over VPN works great then.
Firewall --> Advanced --> uncheck the SIP ALG checkbox.
Thank you
Nero - United Arab Emirates
-
Remote RDP client VPN access on ASA 5510
Hello.
We have configured a VPN tunnel from the offshore site to the customer's location using an ASA5510, and RDP access to the customer's location works. Remote access VPN has also been configured at the offshore location. But using the remote VPN client, we are able to get RDP at the offshore location but not able to RDP to the customer's location. Are there any additional changes required?
Thank you
Hi Salsrinivas,
So to summarize:
the VPN client connects to the offshore ASA
the VPN client can successfully RDP to a server at the offshore location
the VPN client cannot RDP to a server at the customer's location
offshore and the customer's location are connected by an L2L tunnel
(and between the 2 sites RDP works very well)
Is that correct?
Things to check:
- is the VPN pool in the crypto ACL?
- do you have a NAT exemption for traffic between the VPN pool and the 'customer' LAN? Is the exemption on the outside (VPN clients are coming from the outside)?
- do you have "same-security-traffic permit intra-interface" enabled (traffic will arrive on outside and go back out outside)?
If you need more help, could you post a (sanitized) config please?
HTH
Herbert
Only permit a specific protocol like RDP for remote VPN clients
Hi, is it possible to allow or restrict VPN clients to a specific protocol such as RDP to the authorized (internal) network? Most of the samples from Cisco allow the IP protocol in the access list from the internal network to the IP pool, which is then exempted from NAT with nat (0). I tried to only allow the RDP protocol in this access list and it does not work.
Thank you.
Hi vivi, unfortunately vpn-filter is not possible in 6.x code; this feature was introduced in code 7.x and higher. You need to upgrade to code 7.x or higher.
http://www.Cisco.com/en/us/docs/security/ASA/asa70/command/reference/TZ.html#wp1281154
On the other hand, if you already have a tunnel group for the VPN clients and you want to limit all of this tunnel group to RDP only and nothing else, you can do it with your current code with an ACL: not permit ip, but permit tcp with the TCP port number from the VPN network to the destination host... but this policy applies to all RA users of this tunnel group... not practical... as opposed to using per-user vpn-filters, which allow better control of individual users in the same tunnel group without affecting the others.
Regards
-
Hi all
I have configured a site-to-site VPN between an ASA 5510 and an ASA 5505. It works fine; I am able to ping the hosts on both sides.
But I have the following problem:
1. I can access the shared folder of the peer host using its IP address, but I can't access it with the computer name, for example: \\akl13
I think that maybe the problem is with the NetBIOS/WINS service over the VPN.
My question is how can I enable NetBIOS over the VPN (site to site)?
I enclose the configuration
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.6 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list inside_pnat_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.3.0 access-list inside_pnat_outbound
route outside 0.0.0.0 0.0.0.0 192.168.2.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username dileep password STkzljfDxlzWJX9D encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.2.7
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.168.2.7 type ipsec-l2l
tunnel-group 192.168.2.7 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Waiting for your valuable response
In order to reach a workstation through WINS name resolution, there must be a WINS server shared by the two networks (workgroups, if you like). NetBIOS over TCP is a feature that is enabled in the network settings on the PC, not on the firewall.
-
Try to send all traffic over VPN
Hello
I have a Cisco 871 router on my home cable modem connection. I am trying to set up a VPN, and I want to send all traffic over the VPN from connected clients (no split tunnel).
I can connect to the VPN and I can ping/access resources on my home LAN when I'm remote, but internet access does not go through the VPN.
If it's possible I would have 2 configuration profiles depending on the connection: one connection sends all traffic into the VPN and the other connection does split tunneling, but for now I'd be happy with just all traffic going via the VPN.
Here is my config.
10.10.10.xxx is my home network inside LAN
10.10.20.xxx is the IP range assigned when connecting to the VPN
FastEthernet4 is my WAN interface.
Core#show run
Building configuration...

Current configuration : 4981 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Core
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint Core_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair Core_Certificate_RSAKey 512
!
!
crypto pki certificate chain Core_Certificate
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXX privilege 15 password 7 XXXXXXXXXXXXX
username XXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXX
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group main
 key XXXXXXX
 dns 75.75.75.75 75.75.76.76
 pool SDM_POOL_3
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group main
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 64444
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.30.10 10.10.30.15
ip local pool SDM_POOL_2 10.10.10.80 10.10.10.85
ip local pool SDM_POOL_3 10.10.20.10 10.10.20.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 permanent
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.5.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 deny   any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CThis is a private router and all access is controlled and logged.^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 2 in
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Core#
Thanks for your help!
Hi Joseph,
You need a configuration like this:
client pool: 10.10.20.0
local network behind router: 10.10.10.0

R(config)#ip access-list extended 101
R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip policy route-map VPN

R(config)#ip access-list extended 103
R(config-ext-nacl)#permit ip any 10.10.20.0 0.0.0.255

R(config)#route-map VPN permit 10
R(config-route-map)#match ip address 101
R(config-route-map)#set interface loopback1
R(config)#route-map VPN permit 20
R(config-route-map)#match ip address 103
R(config-route-map)#set interface loopback1

You must now exempt the VPN traffic from NAT:
===================================
R(config)#ip access-list extended 102
R(config-ext-nacl)#deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
R(config-ext-nacl)#deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R(config-ext-nacl)#permit ip 10.10.20.0 0.0.0.255 any

ip nat inside source list 102 interface FastEthernet4 overload

Let me know if this helps,
See you soon,
Christian V
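Why the order of the entries in Christian's ACL 102 matters: "ip nat inside source list 102 ... overload" translates only the flows the list permits, so the deny entries are the exemption, and IOS stops at the first match. The following is an added example, not from the thread or from Cisco: a Python evaluator for IOS extended ACL entries with wildcard masks that reports whether a given flow would be translated. The ACL text is constructed from the reply, the flows and the mis-ordered variant are my own.

```python
"""Evaluate an IOS-style NAT-exemption ACL against sample flows (added example).
'ip nat inside source list 102 interface FastEthernet4 overload' translates only
flows that ACL 102 permits, so the deny entries are the exemption.  IOS wildcard
masks are inverted netmasks, and the first matching entry wins."""
import ipaddress

# Constructed from ACL 102 in the reply above (deny = exempt from NAT).
ACL_102 = """\
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 any
"""

# Constructed mis-ordered variant: the permit shadows the deny, so VPN-client
# traffic to the home LAN would be translated to the WAN address and break.
ACL_WRONG_ORDER = """\
permit ip 10.10.20.0 0.0.0.255 any
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """0.0.0.255 is a wildcard (don't-care bits); invert it to get the /24."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def take_address(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return [(action, protocol, src_net, dst_net)] in configured order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = take_address(rest)
        dst, rest = take_address(rest)
        aces.append((action, proto, src, dst))
    return aces


def acl_decision(aces, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"


def will_be_natted(src_ip, dst_ip, acl_text=ACL_102):
    """True if the overload rule would translate this flow to the WAN address."""
    return acl_decision(parse_acl(acl_text), src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    # 203.0.113.10 is a TEST-NET address standing in for an internet host.
    for src, dst in [("10.10.20.5", "10.10.10.7"), ("10.10.20.5", "203.0.113.10"),
                     ("10.10.10.7", "10.10.20.5"), ("10.10.10.7", "203.0.113.10")]:
        print(f"{src} -> {dst}: {'NAT' if will_be_natted(src, dst) else 'exempt'}")
    print("mis-ordered, 10.10.20.5 -> 10.10.10.7:",
          "NAT" if will_be_natted("10.10.20.5", "10.10.10.7", ACL_WRONG_ORDER) else "exempt")
```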
-
Hi guys,
I have a problem with the implementation of DHCP relay mode on my VPN.
The VPN works fine and I can access the remote router, printers, etc. via their internal IP (192.168.0.xxx) without problem. My setup is as follows.
An SRX5308 based in the United Kingdom with DHCP enabled using the IP/subnet address range 192.168.0.50 - 192.168.0.100/255.255.255.0. The router has the IP address 192.168.0.1, and reserved/static addresses from 192.168.0.2 to 192.168.0.40.
An SRXN3205 based in France with initial settings of DHCP enabled using the IP/subnet address range 192.168.10.2 - 192.168.10.20/255.255.255.0. The router has IP address 192.168.10.1.
The VPN is set up between two fully qualified domain name addresses using the VPN wizard on both ends to define the policies, and works fine without errors or dropouts.
The problem is on the French side. When I enable DHCP relay mode on the SRXN3205 it starts OK but does not relay the IP addresses from the United Kingdom.
Any ideas?
Just be aware that it is not really a good idea to run DHCP via a VPN, because if for some reason the VPN breaks down, computers on the remote site will not be able to get an IP address and the entire network could go into crisis...
Personally, I use DHCP on the site with the server and I use static addresses at the remote sites. I could probably use a local DHCP server on each site, but for the number of computers involved, using static has been easier.
-
Routing over VPN between ISA550W and RV215W
Hello all, I have a problem with the VPN between my two offices.
I have an ISA550W at the head office (chcnorth).
I have an RV215W at the remote office (chcsouth).
The VPN is up and running; I can connect from headquarters to the remote end (chcsouth-RV215W) and vice versa. However, when client computers on the remote end try to connect to the main office to access the database, they can't.
The problem started last week. I received a call from the remote office that they cannot connect to our database at the main office. I tried to connect remotely to see what was going on, and it turns out that the router had completely reset to factory defaults, including the firmware.
I reinstalled the latest firmware for the RV215W, set up all connections as they were, and I could get the VPN to connect. I can ping the interface of the RV215W from my seat and I can ping the ISA550W from the remote office; however my remote clients still cannot access my server at the main office.
I realized after I had everything set up that I had a backup of my original installation, and thinking I had just missed something, I reset the router to factory, upgraded the firmware and restored the backup of the RV215W I had. Still no dice.
So I am now at a loss. There were no other changes to the network on either end. I've been over this so many times my eyes are blurred.
Any ideas, workarounds or solutions would be greatly appreciated.
Thanks in advance
John G
John,
It doesn't look like your question is more than DNS related, as you can access the server by its IP address if the "connection" allows you to set it up this way. It is quite common that you cannot resolve names through the tunnel because NetBIOS broadcasts will not pass. The RV215W has shared DNS within the tunnel parameters, so this isn't an option anymore.
If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:
http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html
In your case, it might look more like:
192.168.1.200 sqlsvr
Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to look up the IP address.
Please reply if you have any questions.
-Marty
-
Jabber/Movi call routing over VPN on VCS-E
Hi all
I have a problem with the following situation.
- 2 Movi clients connected via VPN tunnel to the VCS Expressway
- both VPN tunnels are on the same subnet.
- ICE set up: NO!
Now the problem is that the signaling traffic is passing through the VCS-E, but the media traffic goes direct, which in this situation via VPN would not be allowed.
Is it possible to configure something so that all signaling and media traffic goes through the VCS-E when the two Movi clients are on the same subnet?
Best regards
Georg
The call between the Jabber and video clients has the same SIP contact address and IP source address, so the VCS will treat it as a non-traversal call (the client is not behind the firewall).
That's why the VCS won't stay in the media path.
Are you able to configure the VPN client DHCP range for a different IP subnet?
-
Hello
I just want to ask if it is possible to NAT the remote access VPN IP pool users to the router's outside IP address? The router is a Cisco 1841.
Thank you!
Patricia,
Are you referring to PATing your RA IP pool using your external interface, just like you do with your LAN subnets in ip nat overload? If so, this link illustrates a similar example using a route map. Please let us know if this isn't what you're looking for, and if you could perhaps elaborate on what you are trying to accomplish.
Regards
-
AnyConnect: How to route ALL traffic over VPN
In the past, when I used the built-in Windows VPN (PPTP), I could choose whether everything would go through the VPN, or only the things that did not resolve otherwise. I would copy/paste the VPN connection and rename them so one was called something_all and the other something_std. I'd choose which one I needed and start that one.
Now I use the Cisco AnyConnect Secure Mobility Client (on my Windows 7 machine), and I don't seem to have this option. I seem to be locked in a mode where only the URLs that fail to resolve end up going through the VPN. It works for my employer's private domains. This means having access to machines which are not exposed to the public.
My problem is that, sometimes, I want everything to go through it. For example, if I'm in Europe and someone (in America) tells me that I need to visit a site and solve a problem, what I find is that despite typing in the American URL, I get redirected to the European site, because it is a public site. I want to switch the VPN into 'route everything' mode, or even better, to have a list that I manage of the domains I want to go through it (even if all-or-nothing is all that I really need).
Is this possible? I saw the option called something like 'allow access to the local network', but this doesn't seem to be what I need.
The ultimate test is that if I go to one of these what-is-my-ip-address sites, it does not say I'm in Europe, but instead says I'm in America (or wherever the endpoint of the VPN is; I have several choices from my employer).
If instead of "tunnelspecified" you use the keyword "tunnelall" as the value of 'split-tunnel-policy', it will push the route 0.0.0.0/0 to your client's session.
That is indeed the wildcard you are asking about.
-
Two RV016, gateway to gateway, routing over VPN
Hello
I have two RV016s. I have a gateway-to-gateway VPN connection between the two and I can ping computers on both sides, but I can't reach the third LAN (10.0.0.0/255.0.0.0). I can reach this network from router A but not from router B.
My network topology:
Configuration of routers (see attachments)
How can I configure static routes on router B?
I tried to do it, but it does not work (see RouterB_routing.jpg)
Can someone help me?
Thank you.
Krzysztof,
Unfortunately on the RV016 you cannot make static routes through the VPN tunnel, as there isn't an IPsec interface in the static routes section of the router. This is normal; the router will only recognize the LAN set as default in the VPN tunnel.
You need business routers to make static routes through the IPsec tunnel.
-
I have a site-to-site VPN (my ASA) to the provider's site, with a NAT on the external interface of the device, and it works well. Behind my ASA I have another site-to-site VPN (branch A) to my site (my ASA), and it works as well.
My problem is that the traffic from my branch A to the provider clearly has no NAT.
My ASA
object-group network attached
 network-object 192.168.1.0 255.255.255.0
object-group network provider
 network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch
 network-object 192.168.0.0 255.255.0.0
access-list inside extended permit ip object-group reteInside object-group attached
access-list inside extended permit ip object-group allmyBranch object-group provider
access-list nat0_acl extended permit ip object-group reteInside object-group attached
access-list VPN-Hots extended permit ip object-group reteInside object-group attached
access-list VPN-provider extended permit ip interface outside object-group provider
access-list VPN-provider extended permit ip object-group allmyBranch object-group provider
access-list ToSupplier extended permit ip object-group allmyBranch object-group provider
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 access-list ToSupplier
Do you have any idea how to solve it? Is this possible?
Thank you
I'm glad to hear that.
If the problem is resolved and you found it useful, please rate the thread and mark it as answered :-)
Thank you.
Federico.
-
ASA 8.4(1) source NAT over site-to-site VPN
I'm setting up a site-to-site VPN tunnel and require NAT for the local and remote side. The remote side will NAT to 10.2.255.128/25 on their side before they reach our network, so I only have to source-NAT our servers through the tunnel to them. Should I just do the static NAT, then let the whole subnet through the ACL of interesting traffic as in the config below? I don't think I should use twice NAT because I'm not trying to do destination NAT on the firewall. Our servers will be 10.2.255.128/25 and I would like to preserve that through the ASA.
object network ServerA
 host 10.1.0.1
 nat (inside,outside) static 10.2.255.1
object network ServerB
 host 10.1.0.2
 nat (inside,outside) static 10.2.255.2
object network ServerC
 host 10.1.0.3
 nat (inside,outside) static 10.2.255.3
object-group network LOCAL_SUBNET
 network-object 10.2.255.0 255.255.255.128
object-group network REMOTE_SUBNET
 network-object 10.2.255.128 255.255.255.128
access-list VPN_ACL extended permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET
Thank you
Your configuration is correct, but I have a few comments. Remember that NAT occurs before encryption, so your servers will be translated to 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption domain is correct.
Is this your internet firewall as well? Do your servers go out to the internet? They will be translated to 10.2.255.2 and 10.2.255.3, and that will fail in internet routing. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:
object network ServerA_NAT
 host 10.2.255.1
nat (inside,outside) source static ServerA ServerA_NAT destination static REMOTE_SUBNET REMOTE_SUBNET
This will use destination-based NAT for the VPN traffic and NAT everything else to a public IP address for internet traffic. Of course, if this is not your internet firewall you can disregard this.