Remote access VPN and Site-to-Site VPN on the same ASA

spfister336
Level 2

I have an ASA 5525-x with a Site-to-Site VPN to AT&T. We have remote hotspot users coming through the VPN tunnel to this ASA to our location. Since they are assigned RFC1918 addresses, they get routed through our internal network in order to get outside through our firewall (which provides NATting). This may seem like an odd configuration, but these users used to get forced through a context filtering device which used to be on our network. It no longer is, but there is great resistance in the organization to changing this setup.
We also have an ASA 5520 which is serving as our remote access VPN for our non-hotspot users. Since that device is past end-of-life, I am trying to move its configuration to another device. The only other logical place, without buying additional hardware, is the ASA 5525-x. I've got the 5520 config merged into the 5525-x config, but there are many issues.
Does anyone have an example config similar to this situation? I was starting to research multiple security contexts, but it looks like that doesn't allow for remote-access VPN. I'm just not sure how to handle the default gateway. For hotspot users, I need it pointing internally, so the traffic goes outside through the NAT. For remote-access VPN users, I need it pointing directly to the gateway router, not going through NAT.

3 Replies

Marvin Rhoads
Hall of Fame

As long as you have an (outside,outside) NAT rule the remote access VPN users will get Internet access just fine.

nat (outside,outside) source dynamic any interface
Better put this rule in section 2:

object network XXXXX
 nat (outside,outside) dynamic interface
Or you can put this rule in section 3 as well.

Please do not forget to rate.

Thanks for the replies... trying to figure out how to implement this in our environment.

The remote access VPN users will only need the connection in order to access internal resources.
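A fuller version of the arrangement the two replies describe, as an added example that is not from the thread: the (outside,outside) rule for the remote-access pool in its section 2 and section 3 forms, plus the NAT exemption that covers the internal-only access the original poster settles on. The interface name outside, the pool range, the inside range and the object names are assumptions.

```cisco
! Added example, not part of the thread. Names and address ranges are assumptions.
!
! Traffic that arrives on outside (from the VPN) and leaves on outside again is a
! hairpin; the ASA drops it unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface
!
! Pool handed to remote-access VPN users (assumed range), and an object for it.
ip local pool RA-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
object network RA-POOL-NET
 subnet 10.200.0.0 255.255.255.0
 ! Section 2 (object NAT) form of the rule from the replies: PAT the pool to the
 ! outside interface address so VPN users can reach the Internet through the ASA.
 nat (outside,outside) dynamic interface
!
! Internal networks the remote-access users need (assumed range).
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
!
! Section 1 (twice NAT) exemption: inside <-> pool traffic keeps its real addresses,
! which is all that is required when VPN users only need internal resources.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RA-POOL-NET RA-POOL-NET no-proxy-arp route-lookup
!
! Section 3 form of the same hairpin rule, if you prefer it there instead of section 2
! (use one form, not both):
! nat (outside,outside) after-auto source dynamic RA-POOL-NET interface
!
! The hairpin only matters for users whose group policy tunnels all traffic; with
! split tunnelling, Internet-bound traffic never reaches the ASA. Hotspot users on the
! site-to-site tunnel are untouched: no (outside,outside) rule matches their
! addresses, so they are still routed inward to the existing NAT firewall.
```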