The firewall feature set, or I should say CBAC, usually works by inspecting outbound traffic. In other words, CBAC inspects traffic originating from inside to outside and makes sure that the return traffic is permitted back into the network.
For any inbound access, an inbound ACL is required, such as permitting an RDP session from the Internet.
e.g.
access-list 111 permit tcp host host eq 3389
Further, for remote VPN, these protocols/ports need to be permitted:
udp 500
udp 4500
esp
as well as the remote private subnet, including the peer private network and the VPN client pool if configured.
e.g.
access-list 111 permit ip
access-list 111 permit ip
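Putting the pieces above together, here is an added IOS configuration example (not from the original post) that pairs a CBAC inspection rule with a named inbound ACL on the outside interface. All addresses are constructed placeholders: 203.0.113.2 is the router's outside address, 192.168.10.0/24 the inside LAN, 192.168.20.0/24 the peer's private network, 192.168.30.0/24 the VPN client pool and 192.168.10.25 the internal RDP host; it assumes the RDP host is reachable at that address on this path (no NAT in between).

```cisco
! CBAC: inspect sessions leaving through the outside interface and open
! temporary return-traffic entries; nothing else inbound is implied.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Inbound ACL on the outside interface: list only what must be reachable
! from the Internet; CBAC adds the return-traffic entries dynamically.
ip access-list extended OUTSIDE-IN
 remark --- IKE (udp/500), NAT-T (udp/4500) and ESP to the router ---
 remark --- source is 'any' because remote VPN clients have dynamic IPs ---
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
 remark --- decrypted VPN traffic re-enters through this ACL ---
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark --- published service: RDP to one internal host only ---
 permit tcp any host 192.168.10.25 eq 3389
 remark --- everything else is dropped and logged ---
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (constructed example interface)
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
```

After an inside host opens a connection, `show ip inspect sessions` lists the tracked session and `show ip access-lists OUTSIDE-IN` shows the temporary entries CBAC inserted ahead of the final deny; if return traffic is still blocked, check that the protocol is actually covered by the inspect rule rather than widening the static ACL.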