Cisco ASA 5505 IPSEC VPN cannot see hosts on remote LAN

Using the GUI, I followed the steps to configure the VPN. It resulted in the following "show run", modified of course.

Having done this before, I am befuddled why I cannot map drives, or ping or connect in anyway to the hosts behind the firewall in the LAN. Seems to work elsewhere so can someone see if I am brain-dead on this config somewhere?

ASA Version 8.2(5)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name myco.local
access-list XXXVPNgroup_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip any
access-list inside_access_in extended permit tcp any eq telnet
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNRange mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_access_in in interface outside
route outside 128
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd lease 86400 interface inside
dhcpd domain prinet.local interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy XXXVPNgroup internal
group-policy XXXVPNgroup attributes
wins-server value
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXVPNgroup_splitTunnelAcl
default-domain value prinet.local
username ben password X encrypted privilege 0
username ben attributes
vpn-group-policy XXXVPNgroup
tunnel-group XXXVPNgroup type remote-access
tunnel-group XXXVPNgroup general-attributes
address-pool VPNRange
default-group-policy XXXVPNgroup
tunnel-group XXXVPNgroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
Who is Participating?
garyohConnect With a Mentor Author Commented:
Boy, do I feel silly. I did put the very first IP as the exact same one applied to that machine, the So I have an ip conflict and there is the answer.

Sometimes its the simple things. THanks for your help.
Removing all the crypto commands makes it a bit difficult to troubleshoot an issue where the crypto commands are the core of the configuration. From what I see, I would suggest not using the local pool you have setup because it overlaps with your inside interface. I would also suggest not using a local pool which may overlap with commonly used consumer routers such as or You could go with something like or The nat exemptions will need to be updated to reflect this as well. If you have routers behind this ASA you might need to add a route to them, but this might not apply to you.
garyohAuthor Commented:
Thanks for the response. I don't have any routers behind the firewall whatsoever. I do have one access point which is drawing it's address range from the Windows DHCP server but that is all.

As to the overlap, I've tried this with only one DHCP client thus far and I have exempted 210-219 on the DHCP server internally so as to not conflict with any machines already on the network internally.

But let me double-check the internal machines, I know we had a problem with one internal machine so we'd set it to static addressing. Be right back.
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

If you have no routers behind the ASA, then I would assume that all devices use the ASA as a default gateway. In this case, there is no need to worry about routing behind the ASA. You would only need to be concerned with the ASA configuration itself.
garyohAuthor Commented:
I'll try and reply back today/tonight.
garyohAuthor Commented:
This got me pointed in the right direction.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.