I would pick up a cheap Cisco router/ASA/PIX device and set it up with port forwarding/DMZ on the ATT router so all packets going to your public IP that aren't receiving traffic for connections like your wife's, go to the router/ASA/PIX. Then I would configure it as a remote VPN termination point.
An ASA5505 will probably set you back $200. But you might be able to find an 1800/2800 series router to work with for less. If you get an ISR like those, make sure it has the security IOS or you have a way to get the security or better IOS on it.
As you most likely have a dynamic public address, I would use something like no-ip.com or another dynamic DNS service to have a domain that points to your public IP and updates when it changes. This might be configurable on the ATT router or you may need to run software on a computer in the network.
This would allow secure access to your private network. Once on the VPN, you could connect to your lab equipment via SSH/HTTP/Console depending on how you set up the internal side.
EDIT: If you're already doing port forwarding/DMZ to your company router, then you would need to ask them to allow you to have a VPN termination point on it for your private network.
The "outside" vlan seems to be misconfigured, and I've tried so many permutations that I am sure I am overlooking something major and obvious. When I am able to ping 8.8.8.8 from the ASA, I'll be happy!
Basic Config
As others have mentioned, your configuration is "suboptimal"... the biggest problem you have is that you're not using DHCP on the outside Vlan interface... the biggest problem is that your default gw address is assigned to Vlan2... to recover, log in to the console and...
copy runn flash:foobar.cfg
config t
configure factory-default 10.1.10.100 255.255.255.0
While you're in config mode, use this configuration...
hostname DTS-ASA
password ChangeMeNow
enable password ChangeMeNow
!
interface Ethernet0/0
switchport access vlan 2
!
interface Vlan2
! I don't think you need this, since it's an SMC MAC addr
! However, this illustrates how you can manually change the mac
! on your outside Vlan, if Comcast is restricting you
! to one mac (and now refuses to change it)
! mac-address 78cd.8ed9.fb37
nameif outside
security-level 0
ip address 74.xx.xx.225 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 74.xx.xx.230
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
end
wr mem
Please change the password :-)... now you need fw rules, but that's a different issue
WAN Validation
Make sure you really do have the Comcast modem attached to Eth0/0... After you're up and running, you should be able to check the address you got from Comcast like this...
DTS-ASA# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0030.dead.beef, MTU 1500
IP address 74.xx.xx.225, subnet mask 255.255.255.248 <------------
Traffic Statistics for "outside":
108703406 packets input, 119199091796 bytes
69134254 packets output, 8083775282 bytes
1654709 packets dropped
1 minute input rate 2 pkts/sec, 280 bytes/sec
1 minute output rate 3 pkts/sec, 414 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 3 pkts/sec, 716 bytes/sec
5 minute output rate 4 pkts/sec, 520 bytes/sec
5 minute drop rate, 0 pkts/sec
DTS-ASA#
Then check your ping to Google's DNS...
DTS-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
DTS-ASA#
If not, be sure you can ping your default-gw...
DTS-ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 74.xx.xx.230 to network 0.0.0.0
C 74.xx.xx.230 255.255.255.248 is directly connected, outside
C 10.1.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 74.xx.xx.230, outside <------
DTS-ASA#
DTS-ASA# ping 74.xx.xx.230
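The misconfiguration named in the answer above (the default gateway address assigned to the outside Vlan itself) can be caught before the config is pasted into the ASA. The following is an added example, not part of the original posts: the function names are hypothetical, the configs are constructed from the answer's description, and the addresses are documentation-range stand-ins for the redacted 74.xx.xx.x values.

```python
import ipaddress

# Constructed sample configs; 203.0.113.224/29 stands in for the redacted block.
BROKEN = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.230 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.230
"""
FIXED = BROKEN.replace("ip address 203.0.113.230", "ip address 203.0.113.225")

def parse(config):
    """Return ({nameif: IPv4Interface}, [(nameif, next_hop)]) from ASA-style text."""
    interfaces, defaults, nameif = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            nameif = None  # a new interface block starts; its nameif is not known yet
        elif words[:1] == ["nameif"] and len(words) == 2:
            nameif = words[1]
        elif (words[:2] == ["ip", "address"] and nameif
              and len(words) >= 4 and words[2] != "dhcp"):
            interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif (words[:1] == ["route"] and len(words) >= 5
              and words[2:4] == ["0.0.0.0", "0.0.0.0"]):
            defaults.append((words[1], ipaddress.ip_address(words[4])))
    return interfaces, defaults

def check_default_route(config):
    """List problems that stop the firewall reaching its default gateway."""
    interfaces, defaults = parse(config)
    problems = [] if defaults else ["no default route configured"]
    for nameif, hop in defaults:
        iface = interfaces.get(nameif)
        if iface is None:
            problems.append(f"route uses '{nameif}', which has no static address")
        elif hop == iface.ip:
            problems.append(f"default gateway {hop} is the address assigned to '{nameif}'")
        elif hop not in iface.network:
            problems.append(f"default gateway {hop} is outside {iface.network}")
        elif hop in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"default gateway {hop} is not a usable host in {iface.network}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_default_route(cfg) or "ok")
```
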
Best Answer
What you're overlooking is that your PC still has the default gateway of the cable modem and not R1. So all packets being sent to a subnet that isn't within that PC's LAN get sent to the cable modem which has no idea how to get to 192.168.254.0/24.
So you have two options if you want to also keep your internet access (thus, not change your default gateway):