Hmm.. I did not think about another interface. Would that be a best choice? Seems like more work but then again, I could get away with this direction without changing any other interface (and the potential of network connectivity issues)

I think it is a nice and simple method of handling the situation, and is likely to cause the least disruption.

Ok. Thanks.  I am still a bit weak when it comes to all of the Cisco commands. Can you provide me with a link into how I go about setting up a new interface without disrupting my active network? That would be great if possible.

Well, just choose a free interface and assign a static IP address equal to whatever their current default gateway is.

interface Gigabit x/y
  nameif <company-inside>
  security-level 100
  ip address 192.168.100.x 255.255.255.0
  no shutdown

You may need some extra NAT rules as well.

I have interface Ethernet0/2 that is not used (it is currently named DMZ).

So if I drop the following into a putty (SSH), would that create the necessary interface?

interface Ethernet0/2
 nameif inside-LS
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
 ospf cost 10

As far as NAT rules, looking at my current ones, the rules would just need to mention the correct interface, so something like this

 nat (inside-ls,outside) static x.x.x.x service tcp 3389 3395

And the access-list being as.

access-list outside_access_in extended permit tcp any4 host 192.168.100.2 eq https

Yes that interface config is fine.

You would only need that NAT rule if you wanted to allow something inbound, but yes, you haver the idea.

The separate interface makes things easy.

Awesome. Thanks for all of your help

An additional question. Once I have the second interface up and running, how do I setup VPN to use both LDAPs? Since both networks clients are using Windows native VPN, I cannot rely on different group policies. I added another server to the AAA Server Group, but that does not seem to be working for authentication. I need to have both Active Directories available for authentication as well as DHCP/DNS configurations both available to Windows native clients.

Yucky.  Windows native VPN.  By this I assume you mean L2TP over IPSec, and it is terminating on the ASA.

You can't.  You can only use one VPN and give users access to both networks.  You would need to create a trust relationship between the two AD's, and try and do it that way.

What you really need to do is get some Cisco AnyConnect licences and change over.

Yeah. I just like using the native solution as it does not require the installation of software. But I expected this was going to be a limitation. To get around this for this particular need, those machines will use Shrew, which I later found out they use anyways. So win-win. :)

Philip,

I configured the spare Ethernet Port and opened a few ports. I know that part is up and running correctly. The servers (virtualized) are able to get outbound connectivity and are all running on the 192.168.100.x IP range.  Servers within that range is able to ping each other.  However, once I establish a VPN connection, I can not ping any of these servers. I am guessing there is a Access Rule that might need to be added, since VPN is coming across the same outside interface as our normal 192.168.0.x?  I have a VPN profile that specifies the DNS suffix, uses AD authenication and points to the DNS servers on that network.  I created the address pool for the 192.168.100.x IP range. When connected, the VPN client is receiving the correct IP range, DNS, DNS suffix and receiving the correct Address Pool IP address (in this case a 192.168.100.200 IP address)

Assuming I am even in the right place, the Outside incoming rule has 192.168.0.0/16 as the first rule. Do I need to change this to support the 192.168.100.x or just add a second rule for that range? Or am I even on the right page? :)

Could you post your config?

It is most likely to be NAT or access rules.

Can I PM you the file instead?