You are right to use a Remote Access VPN... I also presented a solution with a Remote Access VPN and a jump server, e.g., a remote user's session will land on a jump server (one of the servers in the DMZ) and then RDP to the intended server.... Here, I am wondering how we can stop this user from going any further. That server will have access to the internal network. How can we stop the user if he does any malicious activity? Any network-based solution...
Well, I would argue that if you distrust the remote user that much, you should seriously reconsider letting them work on equipment on your network at all. Actually, in that case, "watching" them during a remote desktop sharing session is a more secure solution, as you can validate that the actions they are taking are limited to those necessary to perform the tasks at hand. When I have had to work on systems in environments that were required to be secure to meet regulatory requirements, I was required to provide a step-by-step list of activities beforehand, and my performance of only those activities and verification of the expected outcome was done by staff of the client I was supporting.
If you want a purely network-based solution, then put a temporary access list on the server's default gateway for the period during which the remote maintenance is ongoing, allowing it to communicate only to/from the remote access VPN gateway.
A more sustainable setup would be to host the server in a DMZ on a private VLAN with an access list (or default setting) on the DMZ interface of the firewall that prohibits the server from initiating communication to the inside network.
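The two network-side controls described in the answer above (a temporary access list for the maintenance window, and a permanent DMZ access list plus private VLAN), written out as an added example in Cisco ASA / IOS syntax. This is not configuration from the original thread or from any poster; the interface names (inside, dmz), VLAN numbers, switch port and all addresses (10.10.10.0/24 inside, 172.16.5.10 for the maintained server, 192.168.100.0/24 for the remote-access VPN client pool) are assumptions chosen for illustration.

```cisco
! ===== ASA: access lists applied inbound on the DMZ interface =====
! Assumed addressing (example only):
!   inside network          10.10.10.0/24
!   maintained server (DMZ) 172.16.5.10
!   remote-access VPN pool  192.168.100.0/24
object network MAINT-SERVER
 host 172.16.5.10
object network RA-VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0

! --- Option 1: temporary list for the maintenance window ---
! The server may only originate traffic toward the VPN client pool;
! anything else it originates is dropped and logged.
! Remove the access-group when the window closes.
access-list DMZ-MAINT extended permit ip object MAINT-SERVER object RA-VPN-POOL
access-list DMZ-MAINT extended deny ip object MAINT-SERVER any log
access-group DMZ-MAINT in interface dmz

! --- Option 2: permanent DMZ policy ---
! No host in the DMZ may initiate a connection to the inside network.
! Return traffic for sessions opened from the VPN client toward the
! server is still permitted by the stateful connection table, so the
! remote user's own session keeps working.
access-list DMZ-IN extended deny ip any object INSIDE-NET log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz

! ===== Switch: put the server on an isolated private VLAN =====
! Assumed VLAN 50 as the primary and VLAN 51 as the isolated secondary;
! the server's port is Gi1/0/10. Isolated hosts can reach only the
! promiscuous (firewall) port, not each other.
vlan 50
 private-vlan primary
 private-vlan association 51
vlan 51
 private-vlan isolated
interface GigabitEthernet1/0/10
 description maintained server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 50 51
```

Only one access list can be bound per interface and direction on the ASA, so the two options above are alternatives, not a stack: during a maintenance window you swap DMZ-MAINT in for DMZ-IN and swap back afterwards, or fold the temporary entries into DMZ-IN and remove them when done. The `log` keyword on the deny lines is what turns this from a silent block into evidence of the "malicious activity" the original question is worried about.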