Cisco ASA 5505 IPSEC VPN cannot see hosts on remote LAN

Using the GUI, I followed the steps to configure the VPN. It resulted in the following "show run", modified of course.

Having done this before, I am befuddled why I cannot map drives, or ping or connect in anyway to the hosts behind the firewall in the LAN. Seems to work elsewhere so can someone see if I am brain-dead on this config somewhere?

ASA Version 8.2(5)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name myco.local
access-list XXXVPNgroup_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip any
access-list inside_access_in extended permit tcp any eq telnet
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNRange mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_access_in in interface outside
route outside 128
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd lease 86400 interface inside
dhcpd domain prinet.local interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy XXXVPNgroup internal
group-policy XXXVPNgroup attributes
wins-server value
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXVPNgroup_splitTunnelAcl
default-domain value prinet.local
username ben password X encrypted privilege 0
username ben attributes
vpn-group-policy XXXVPNgroup
tunnel-group XXXVPNgroup type remote-access
tunnel-group XXXVPNgroup general-attributes
address-pool VPNRange
default-group-policy XXXVPNgroup
tunnel-group XXXVPNgroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Removing all the crypto commands makes it a bit difficult to troubleshoot an issue where the crypto commands are the core of the configuration. From what I see, I would suggest not using the local pool you have setup because it overlaps with your inside interface. I would also suggest not using a local pool which may overlap with commonly used consumer routers such as or You could go with something like or The nat exemptions will need to be updated to reflect this as well. If you have routers behind this ASA you might need to add a route to them, but this might not apply to you.
garyohAuthor Commented:
Thanks for the response. I don't have any routers behind the firewall whatsoever. I do have one access point which is drawing it's address range from the Windows DHCP server but that is all.

As to the overlap, I've tried this with only one DHCP client thus far and I have exempted 210-219 on the DHCP server internally so as to not conflict with any machines already on the network internally.

But let me double-check the internal machines, I know we had a problem with one internal machine so we'd set it to static addressing. Be right back.
If you have no routers behind the ASA, then I would assume that all devices use the ASA as a default gateway. In this case, there is no need to worry about routing behind the ASA. You would only need to be concerned with the ASA configuration itself.
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

garyohAuthor Commented:
Boy, do I feel silly. I did put the very first IP as the exact same one applied to that machine, the So I have an ip conflict and there is the answer.

Sometimes its the simple things. THanks for your help.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
garyohAuthor Commented:
I'll try and reply back today/tonight.
garyohAuthor Commented:
This got me pointed in the right direction.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.