Here's what I get when I show run access-list:

access-list outside_access_in extended permit tcp any eq 3389 any
access-list outside_access_in_1 extended deny ip 81.129.179.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq https
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq www
access-list outside_access_in_1 extended permit tcp any host 66.128.51.78 eq 3389
access-list Block extended deny ip 81.129.179.0 255.255.255.0 any
access-list Block extended deny tcp host 81.129.179.245 any eq ssh
access-list inside_nat0_outbound extended permit ip any 192.168.200.0 255.255.255.0
access-list Split_tunnel remark Local Lan COLO
access-list Split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip any any

192.168.200.1 is the ip of my internal interface.

The ASA can ping ip's from the outside interface

Now,

For traffic to go to the internet through the ASA besides being permitted on the inside interface, it should have a NAT rule.

For example.

I want to allow network 10.0.0.0/24 to get out to the Internet through the ASA, this is what I need:

1. An ACL permitting this traffic applied to the inside interface in the inbound direction:

access-list inside permit ip 10.0.0.0 255.255.255.0 any

2. The ACL must be applied correctly:

access-group inside in interface inside

3. There should be a NAT rule:

nat (inside) 1 10.0.0.0 255.255.255.0

global (outside) 1 interface

You can use the packet tracer utility to emulate the connection and see what is reported by the ASA:

packet-tracer input tcp 10.0.0.1 1024 4.2.2.2 80 det

The above command, will allow the ASA to report if a connection from 10.0.0.1 to 4.2.2.2 (Internet) on TCP port 80 would be permitted to flow through it or not.

Hope it helps.

Federico.

OK, now the test shows the packets go through to the outside, but before these last few config changes I could do the AnyConnect and remote on to one of the clients, even though they couldn't get on the internet. Now I'm going in through the AnyConnect to do an RDP and it's telling me it can't connect to the remote computer. Is there something else I need to to in the acces rule or NAT to make the remote desktop work?

You mean there's internet access now working from inside the ASA?

To be able to connect via AnyConnect to an external client you are required to allow TCP 443 on the same ACL.

Include:

access-list inside permit tcp 10.0.0.0 255.255.255.0 any eq 443

The above line should allow any computer on the local LAN (10.0.0.0/24) to connect to any remote AnyConnect server.

Federico.

Maybe I didn't make it completely clear. Before I made the changes you suggested to get the internet working on the client computers, I hade updated the ASA, ASDM & anyconnect. I can connect via ASDM, any the anyconnect has been working. Prior to the changes I just made, I could connect via the anyconnect and remote onto a client machine via name or ip. Now after these changes, I can still connect via the anyconnect, but when I try the remote desktop connection, it tells me I can't connect. I was going to remote onto one to check the internet via the browser.

Scott,

I don't see how trying to give the internal users internet access will break the AnyConnect access in.

Obviously it was something we did while trying to fix this with the commands I gave you, so... why don't you share the running-config and we'll take a look at it.

I imagine that if you revert the changes I gave you, then you're able to access via RD the machine using AnyConnect, correct?

Federico.

here is my running config attached. I'm going revert and test the remote onto one of the desktops.

While doing this let me know the IP address of the internal machine you're trying to RD to and if you can PING it while connected via AnyConnect.

If not, add this line:

access-list inside permit ip any any

And try again.

Federico.

With the attached running config I can anyconnect and rd onto a client but the client cannot access the internet. I can ping the client when I'm connected via anyconnect as well.

To give Internet access to the 192.168.200.0/24 network you need to add this line:

nat (inside) 1 192.168.200.0 255.255.255.0

Federico.

that looks like it got it!!

I'm glad that it worked :-)

Please rate helpful posts!

Federico.

Ok I spoke too soon. Yes, I was already RD on to a client and when I added the NAT rule it let me on the internet. But, when I closed out of everything and tried to anyconnect and then the rd, the rd didn't work.