ASA 5510/VPN - Enable VNC connectivity through VPN Firewall for Support

cpremo
Level 1

We would like to enable our HelpDesk and Network team the ability to connect to Laptops using our ASA 5510 VPN device using Secure VNC application.  Not sure if this is possible or how to enable this option.

Any guidance is greatly appreciated.

5 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

can you elaborate a bit?

The laptops: are they connecting to the VPN, or are they on the local LAN? Which VPN did you primarily have in mind, WebVPN or IPsec VPN (licensing might be key here)?

I assume you mean this when you mentioned Secure VNC:

http://svnc.sourceforge.net/

or any other variation?

One could say that using VNC over VPN makes it secure enough ;]

Marcin

The laptops (Windows 7 and XP) are connecting to our LAN/WAN using the Cisco AnyConnect VPN Client (ver. 2.5.2019).  They are assigned an IP (192.168.24.x) which is not an IP in our LAN/WAN (we own 4 class C IP ranges and have two subnetted for remote locations and two for our HQ LAN.  All remote and HQ locations use HQ LAN for outbound internet traffic).

The VNC client is RealVNC Enterprise Edition E4.6.1.

Yes, there should be no problem to connect back to remote clients over their internal IP.

You just need to make sure that this traffic is allowed by ACLs (either ones assigned to interfaces and/or the ones assigned to users via vpn-filter or downloadable ACLs) and of course making sure windows firewall allows this connection.

An interesting problem is "how do I always assign same IP address to same user?" if it's needed. And you can do it via RADIUS or local attributes.

HTH,

Marcin

Where will this ACL be located?  In the Firewall Access Rules section?  I don't see the VPN as one of the "Interfaces".  There are just the DMZ, Inside, Outside and Management interfaces.  Or is the VPN under the DMZ interface?

To be honest I'm not used to ASDM so I can tell you what to check from telnet/SSH via CLI:

- show run access-group (yes it will show you which ACL is attached to which interface)

- show uauth

For the items I mentioned above.

In the case of access-group ACLs you need to make sure that inbound traffic towards the VPN hosts is allowed.

The rest is in your NAT config ;-)

Marcin
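To make the three pieces Marcin lists concrete (interface ACL, per-user vpn-filter, and NAT), here is an added ASA CLI example; it is not configuration from this thread or from Cisco, and it assumes ASA 8.3+ syntax (pre-8.3 uses `nat (inside) 0 access-list` for the exemption instead). The object names, the group-policy name ANYCONNECT_GP, the username helpdesk.laptop1 and the placeholder inside network 10.1.0.0/16 are all assumptions; the 192.168.24.0/24 pool and the default RealVNC port TCP 5900 are the only values taken from the discussion and from the VNC default.

```cisco
! Added example, not from the thread. Assumed: ASA 8.3+, inside LAN 10.1.0.0/16
! (placeholder for the poster's own ranges), AnyConnect pool 192.168.24.0/24,
! RealVNC listening on TCP 5900, made-up names ANYCONNECT_GP / helpdesk.laptop1.

! 1. The checks Marcin suggests: which ACL sits on which interface, current NAT,
!    and the pool address each AnyConnect user actually received.
show run access-group
show run nat
show vpn-sessiondb anyconnect

! 2. Address objects used below.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network VPN_POOL
 subnet 192.168.24.0 255.255.255.0

! 3. Per-user filter (vpn-filter). These ACLs are written with the VPN client as
!    the source; for a session that the LAN initiates toward the client's VNC
!    port, the port therefore sits on the client (source) side of the entry.
access-list VPN_FILTER extended permit tcp object VPN_POOL eq 5900 object INSIDE_NET
! Keep whatever the clients already need toward the LAN, here everything:
access-list VPN_FILTER extended permit ip object VPN_POOL object INSIDE_NET

group-policy ANYCONNECT_GP attributes
 vpn-filter value VPN_FILTER

! 4. Interface ACL. If an ACL is applied inbound on "inside", LAN-to-client VNC
!    must be permitted there as well (the VPN is not an interface, so there is
!    no "VPN interface" ACL to edit in ASDM).
access-list INSIDE_IN extended permit tcp object INSIDE_NET object VPN_POOL eq 5900
access-group INSIDE_IN in interface inside

! 5. NAT exemption (8.3+ twice NAT): LAN <-> pool traffic must not be translated,
!    otherwise the client sees the ASA's outside address instead of the helpdesk host.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! 6. Optional: pin a fixed pool address to one user via local attributes, so the
!    helpdesk can always reach the same laptop at the same address.
username helpdesk.laptop1 attributes
 vpn-framed-ip-address 192.168.24.10 255.255.255.0
```

Two practical notes: a vpn-filter ACL replaces, rather than adds to, the default "permit everything" for that group, so the second VPN_FILTER line (or a narrower equivalent) is what keeps the clients' ordinary LAN access working; and the `sysopt connection permit-vpn` default only bypasses the outside interface ACL for traffic arriving from the tunnel, so it does nothing for LAN-initiated connections, which is why step 4 is still needed when the inside interface carries an ACL. The Windows firewall on the laptop must also allow inbound TCP 5900 from the LAN ranges, as mentioned above.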