ASA 5505 VPN/Routing setup

Posted on 2011-03-14
Medium Priority
Last Modified: 2012-05-11
Attached is a quickly thrown together Visio Diagram of my Network/Lab environment I am trying to setup.

What I can do-

Connect to the VPN and get an address with subnet mask of

What I want to do-

Connect to VPN and be able to connect to the subnet via the Router address (connected to a switch that would allow access to other hardware on the 10. subnet).

What I don't know-

Can I have an inside address space of 10.10.10.x and have VPN users assigned a part of that space and still route to the router from the ASA?

Should I have the VPN subnet be different from the network and route the VPN subnet to the 10.?

I am new to the ASA and routing/vpn to begin with but I am not a total moron.

My Running Config:
ciscoasa# show run
: Saved
ASA Version 8.2(4)
hostname ciscoasa
enable password 01CutRdzkZafqWMy encrypted
passwd 01CutRdzkZafqWMy encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.x.x.66
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list nonat extended permit ip host
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vtcpool
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
route outside 65.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vtctransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vtcdynam 1 set transform-set vtctransform
crypto dynamic-map vtcdynam 1 set reverse-route
crypto map vtcmap 1 ipsec-isakmp dynamic vtcdynam
crypto map vtcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 65.x.x.0 outside
ssh 65.x.x.2 outside
ssh 173.x.x.77 outside
ssh 98.x.x.210 outside
ssh 69.x.x.214 outside
ssh 98.x.x.30 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Mike password mf8ElptroezNx3bK encrypted
username Jonathan password UM/CkdFwlaWoMPMZ encrypted
username Steve password 4gTDvFtw2Ug04PWk encrypted
username Lawrence password UqxtX.iTNtwfRyZn encrypted
tunnel-group vtctunnelgroup type remote-access
tunnel-group vtctunnelgroup general-attributes
 address-pool vtcpool
tunnel-group vtctunnelgroup ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Question by:agruber85

Expert Comment

ID: 35133272
I don't think the diagram matches the config. Your ASA inside interface is on a 192.168. subnet. This is not reflected in the Visio.

If your network looks like the Visio, then this placement would work OK.

If your network looks like the ASA config above, this will not work since any traffic in the ASA that matches the ip local pool pattern would not get routed, but encapsulated for the tunnel.

I always try to make the ip local pools different than internal subnets for my own sanity... others might debate me on that. Usually, there is no harm in reusing IPs from a connected interface as part of the local pool.

Assisted Solution

gavving earned 2000 total points
ID: 35133353
It's always a good idea to specify the netmask when allocating your local pools.

ip local pool vtcpool mask

I'm not sure if you can add the mask to an existing pool, or if you'll have to delete it and re-add it. If you delete it, make sure you put it back in your tunnel-group.

Yes, you can allocate VPN users into the same IP block as the internal network interface. Just make sure not to duplicate IPs with something else on your network.

Author Comment

ID: 35133896

You are correct! Let's change the VPN IP address scheme to and using "mask" allowed me to put a subnet mask of

Now how do I route the VPN users to
Route inside, tells me the route already exists.

I also took out..
Access-list nonat extended permit ip host and can still connect to the VPN.

Author Comment

ID: 35133924
Actually I need to change that entirely. Hold on for a min and I will change the ASA inside address to the 10. subnet as well as the VPN group.

How do I turn off the inside DHCP? The ASA guide code doesn't work.

Assisted Solution

gavving earned 2000 total points
ID: 35134074
no dhcpd address inside
no dhcpd enable inside
no dhcpd auto_config outside


Author Comment

ID: 35134129
no dhcpd address inside did the trick.

Back to working on the VPN setup... I will post the running config when I'm done.


Author Comment

ID: 35134305

Question, what is the best way to connect my VPN group to the network running on the 2900?

My thought was to make the VPN users part of that subnet and route them to the gateway. What I don't understand is how do I route the VPN group to the 2900 router?

Do I even need to configure the inside interface IP address?

Assisted Solution

gavving earned 2000 total points
ID: 35134318
Assuming that your 2900 is on the same LAN that your inside interface is connected to, then yes you want your inside interface to be on the network.  Pick an available number and configure your inside interface on that IP network.  

If the ASA is going to function as the Internet firewall for the network, then you'll want your default gateway on the network to be the inside IP of the ASA.  

Author Comment

ID: 35134355
So make Vlan 2 on the ASA
Make the 2900 (instead of
My VPN group IP

Do I then make my Ethernet int 0/2 switchport access vlan 2? (0/0 being outside, 0/1 being inside, and 0/2 being the link to the 2900)?

Author Comment

ID: 35134374
substitute vlan 1 for vlan 2 ( 1 is inside and 2 is outside)

Accepted Solution

gavving earned 2000 total points
ID: 35134391
I'm not completely sure what the end goal here is.  Do you need to have  If not then make vlan1, and move the 2900 to  We could configure a vlan2 and put it on there, but unless you have the Security Plus license you can't get full communications between all 3 vlans.  

Author Comment

ID: 35134511
Right now I am using over 10 external IPs by NATing out my voice lab.

I want to set up VPN on the ASA and put it in place to access the 10. subnet by either routing all data through the 2900 or by connecting the ASA to the switch with all of the 10. hardware.

my asa is now (inside)
the 2900 is
The vpn group is still .10-.15

The asa port 0/2 is hooked up to a switch which has my voice gear attached. Each lab component is running the high end 10.

So hopefully the ASA can route my VPN users to the switch so I can access all of the voice hardware.

Author Comment

ID: 35134649
I can establish a VPN connection and ping the ASA Gateway ( But I cannot ping or connect to any other 10.10.10.X IP address (AKA my Lab Gear).

My link to the other hardware at the moment is a cisco switch. The ASA Ethernet port 0/2 is directly connected to the switch along with all the lab gear.


Author Comment

ID: 35134799
Good news! I added this with my IP scheme of course, not sure if it is needed, but I'm able to connect and browse to my lab gear.

ip local pool vpnippool mask
access-list inside_nat0_outbound permit ip any
crypto isakmp nat-traversal
nat (inside) 0 access-list inside_nat0_outbound
group-policy GroupPolicy attributes
 address-pools value vpnippool

Thanks for the help, I was a mess and you led me to my end goal.

Off to split tunneling now. Hope that is easier.
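As an added illustration (example code written for this page, not from the thread, the asker or Cisco), the following Python script parses the handful of ASA 8.2 lines that matter for this question (the inside interface address, ip local pool, the nat 0 access-list binding and its ACL) and reports the three problems the thread works through: a pool declared without a mask, a pool that overlaps the inside subnet without a NAT-exempt rule covering it, and a pool that swallows the inside interface address. The two embedded configs are constructed with placeholder addresses, one modelled on the opening config and one on the final working snippet; the thread's real addresses are not on the page, and the ACL-object parsing covers only the any/host/network forms.

```python
import ipaddress
import re

# Constructed placeholder configs (addresses are not the thread's real ones).
INITIAL_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
access-list nonat extended permit ip host 10.10.10.1 host 10.10.10.10
ip local pool vtcpool 10.10.10.10-10.10.10.15
nat (inside) 0 access-list nonat
"""
WORKING_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.66 255.255.255.248
access-list inside_nat0_outbound permit ip any 10.10.10.8 255.255.255.248
ip local pool vpnippool 10.10.10.10-10.10.10.15 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _acl_object(tok, i):
    """Parse one ACL address object ('any', 'host A' or 'A MASK'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2


def parse_config(text):
    """Collect interfaces, pools, 'permit ip' ACL rules and nat 0 bindings from an ASA config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = {"nameif": None, "addr": None, "net": None}
            cfg["interfaces"][line.split()[1]] = cur
            continue
        if line.startswith(" ") and cur is not None:
            tok = line.split()
            if tok[0] == "nameif":
                cur["nameif"] = tok[1]
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
                cur["addr"] = ipaddress.ip_address(tok[2])
                cur["net"] = ipaddress.ip_network((tok[2], tok[3]), strict=False)
            continue
        cur = None  # any unindented line ends the interface block
        m = POOL_RE.match(line)
        if m:
            name, start, end, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(start), ipaddress.ip_address(end), mask)
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
            continue
        tok = line.split()
        if len(tok) > 4 and tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")
            if tok[i + 1] == "ip":
                src, j = _acl_object(tok, i + 2)
                dst, _ = _acl_object(tok, j)
                cfg["acls"].setdefault(tok[1], []).append((src, dst))
    return cfg


def check_pool(cfg, pool_name, inside="inside"):
    """Return a list of findings for the pool; an empty list means it looks sane."""
    start, end, mask = cfg["pools"][pool_name]
    hosts = [ipaddress.ip_address(a) for a in range(int(start), int(end) + 1)]
    findings = []
    if mask is None:
        findings.append(f"pool {pool_name} has no mask; add 'mask <netmask>' as advised above")
    iface = next((i for i in cfg["interfaces"].values() if i["nameif"] == inside), None)
    if iface is None or iface["net"] is None:
        findings.append(f"no '{inside}' interface with an ip address found")
        return findings
    if iface["addr"] in hosts:
        findings.append(f"pool {pool_name} contains the {inside} interface address {iface['addr']}")
    overlap = [h for h in hosts if h in iface["net"]]
    if overlap:
        # Inside-to-pool traffic is tunnelled rather than routed, so it must bypass NAT:
        # a nat 0 rule whose source covers the inside subnet must reach every pool address.
        rules = cfg["acls"].get(cfg["nat0"].get(inside), [])
        net = iface["net"]
        uncovered = [h for h in overlap if not any(
            net.network_address in s and net.broadcast_address in s and h in d for s, d in rules)]
        if uncovered:
            findings.append(f"pool {pool_name} overlaps {net} but nat 0 ACL does not exempt "
                            f"{uncovered[0]}-{uncovered[-1]}")
    return findings


if __name__ == "__main__":
    for label, text, pool in (("initial", INITIAL_CONFIG, "vtcpool"),
                              ("working", WORKING_CONFIG, "vpnippool")):
        result = check_pool(parse_config(text), pool)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run it as a plain script: the initial-style config yields the missing-mask and missing-NAT-exempt findings, the working-style config yields none. Paste a real `show run` into the place of either constant to check your own pool the same way.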
