ASA 5505 VPN/Routing setup

Attached is a quickly thrown together Visio Diagram of my Network/Lab environment I am trying to setup.

What I can do-

Connect to the VPN and get an address with subnet mask of

What I want to do-

Connect to VPN and be able to connect to the subnet via the Router address (connected to a switch that would allow access to other hardware on the 10. subnet).

What I don't know-

Can I have an inside address space of 10.10.10.x and have VPN users assigned a part of that space and still route to the router from the ASA?

Should I have the VPN subnet be different from the network and route the VPN subnet to the 10.?

I am new to the ASA and routing/vpn to begin with but I am not a total moron.

My Running Config:
ciscoasa# show run
: Saved
ASA Version 8.2(4)
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list nonat extended permit ip host
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
route outside 65.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 outside
ssh 65.x.x.2 outside
ssh 173.x.x.77 outside
ssh 98.x.x.210 outside
ssh 69.x.x.214 outside
ssh 98.x.x.30 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password mf8ElptroezNx3bK encrypted
username Jonathan password UM/CkdFwlaWoMPMZ encrypted
username Steve password 4gTDvFtw2Ug04PWk encrypted
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

gavving Commented:
I'm not completely sure what the end goal here is.  Do you need to have  If not then make vlan1, and move the 2900 to  We could configure a vlan2 and put it on there, but unless you have the Security Plus license you can't get full communications between all 3 vlans.  
I don't think the diagram matches the config.    Your ASA inside interface is on a 192.168. subnet.   This is not reflected in the Visio.  

If your network looks like the VISIO, then this placement would work ok.    

If your network looks like the ASA config above, this will not work since any traffic in the ASA that matches the ip local pool pattern would not get routed, but encapsulated for the tunnel.  

I always try to make the ip local pools different than internal subnets for my own sanity...  others might debate me on that.   Usually, there is no harm in reusing IPs from a connected interface as part of the local pool .
gavving Commented:
It's always a good idea to specify the netmask when allocating your local pools.  

ip local pool vtcpool mask

I'm not sure if you can add the mask to an existing pool, or if you'll have to delete it and readd it.  If you delete it make sure you put it back in your tunnel-group.  

Yes you can allocate VPN users into the same IP block as the internal network interface.   Just make sure not to duplicate IPs with something else on your network.
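The two points above (carve the VPN pool out of the inside block if you like, but never let it collide with an interface, the router, or the DHCP range, and always give the pool a mask) can be checked before touching the ASA. The following script is an added example, not code from the thread or from Cisco; the addresses in it are constructed placeholders in the same 10.10.10.x shape the poster used, since the real values were stripped from the page, and the function and variable names are my own.

```python
import ipaddress

# Constructed sample plan (placeholders, not the thread's real addresses).
SAMPLE_PLAN = {
    "inside_net": "10.10.10.0/24",                # inside LAN
    "inside_ip": "10.10.10.1",                    # ASA Vlan1 (inside) address
    "router_ip": "10.10.10.2",                    # the 2900 behind the switch
    "pool": ("10.10.10.10", "10.10.10.15"),       # ip local pool first-last
    "dhcp": ("10.10.10.100", "10.10.10.200"),     # dhcpd address range, if still on
}


def expand_range(first, last):
    """All addresses from first to last inclusive, as ip_address objects."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)]


def check_plan(inside_net, inside_ip, router_ip, pool, dhcp=None):
    """Report whether the VPN pool sits inside the LAN block and what it collides with."""
    net = ipaddress.ip_network(inside_net, strict=False)
    pool_addrs = expand_range(*pool)
    pool_set = set(pool_addrs)
    conflicts = []

    inside_count = sum(1 for a in pool_addrs if a in net)
    pool_in_inside = inside_count == len(pool_addrs)
    if 0 < inside_count < len(pool_addrs):
        conflicts.append("pool straddles the inside subnet boundary")

    # Addresses that must never be handed to a VPN client.
    for label, ip in (("ASA inside interface", inside_ip), ("2900 router", router_ip)):
        if ipaddress.ip_address(ip) in pool_set:
            conflicts.append(f"pool overlaps {label} {ip}")
    for label, special in (("network", net.network_address), ("broadcast", net.broadcast_address)):
        if special in pool_set:
            conflicts.append(f"pool includes the {label} address {special}")
    if dhcp:
        overlap = pool_set & set(expand_range(*dhcp))
        if overlap:
            conflicts.append(f"pool overlaps dhcpd range on {len(overlap)} addresses")

    if pool_in_inside:
        note = ("pool is part of the inside LAN: inside hosts reach clients through the ASA, "
                "and the nat 0 exemption ACL must cover inside -> pool traffic")
    else:
        note = ("pool is a separate subnet: the 2900 and LAN hosts need a route to it "
                "via the ASA inside address, plus the same nat 0 exemption")
    return {"pool_in_inside": pool_in_inside, "mask": str(net.netmask),
            "conflicts": conflicts, "note": note}


def pool_line(name, pool, mask):
    """Render the ip local pool command with the mask gavving recommends."""
    return f"ip local pool {name} {pool[0]}-{pool[1]} mask {mask}"


if __name__ == "__main__":
    result = check_plan(**SAMPLE_PLAN)
    print(result)
    print(pool_line("vpnippool", SAMPLE_PLAN["pool"], result["mask"]))
```

Run it with your own values in place of the placeholders; an empty conflicts list plus the rendered pool line is what you want before pasting anything into the ASA.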

agruber85 (Author) Commented:

You are correct! Let's change the VPN IP address scheme to and using "mask" allowed me to put a subnet mask of

Now how do I route the VPN users to
Route inside, tells me the route already exists.

I also took out..
Access-list nonat extended permit ip host and can still connect to the VPN.
agruber85 (Author) Commented:
Actually I need to change that entirely. Hold on for a min and I will change the ASA inside address to the 10. subnet as well as the VPN group.

How do I turn off the inside DHCP? The asa guide code doesn't work.
gavving Commented:
no dhcpd address inside
no dhcpd enable inside
no dhcpd auto_config outside

agruber85 (Author) Commented:
no dhcpd address inside did the trick.

Back to working on the VPN setup... I will post the running config when I'm done.

agruber85 (Author) Commented:

Question, what is the best way to connect my VPN group to the network running on the 2900?

My thought was to make the VPN users part of that subnet and route them to the gateway. What I don't understand is how do I route the VPN group to the 2900 router?

Do I even need to configure the inside interface IP address?
gavving Commented:
Assuming that your 2900 is on the same LAN that your inside interface is connected to, then yes you want your inside interface to be on the network.  Pick an available number and configure your inside interface on that IP network.  

If the ASA is going to function as the Internet firewall for the network, then you'll want your default gateway on the network to be the inside IP of the ASA.  
agruber85 (Author) Commented:
So make Vlan 2 on the ASA
Make the 2900 (instead of
My VPN group IP

Do I then make my Ethernet int 0/2 switchport access vlan 2? (0/0 being outside, 0/1 being inside, and 0/2 being the link to the 2900)?
agruber85 (Author) Commented:
substitute vlan 1 for vlan 2 ( 1 is inside and 2 is outside)
agruber85 (Author) Commented:
Right now I am using over 10 external IPs by NATting out my voice lab.

I want to setup VPN on the ASA and put it in place to access the 10. subnet by either routing all data through the 2900 or by connecting the asa to the switch with all of the 10. hardware.

my asa is now (inside)
the 2900 is
The vpn group is still .10-.15

The asa port 0/2 is hooked up to a switch which has my voice gear attached. Each lab component is running the high end 10.

So hopefully the ASA can route my VPN users to the switch so I can access all of the voice hardware.
agruber85 (Author) Commented:
I can establish a VPN connection and ping the ASA Gateway ( But I cannot ping or connect to any other 10.10.10.X ip address (AKA my Lab Gear).

My link to the other hardware at the moment is a cisco switch. The ASA Ethernet port 0/2 is directly connected to the switch along with all the lab gear.

agruber85 (Author) Commented:
Good news! I added this with my IP scheme of course, not sure if it is needed but I'm able to connect and browse to my lab gear.

ip local pool vpnippool mask
access-list inside_nat0_outbound permit ip any
crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound
group-policy GroupPolicy attributes
 address-pools value vpnippool

Thanks for the help, I was a mess and you led me to my end goal.

Off to split tunneling now. Hope that is easier.