03-10-2020 10:22 AM
Hi experts. I've used ASA boxes for many years very successfully. For one new customer that has a UK FTTC internet connection, I am running into big problems with some websites working fine and others not working at all. I have searched and searched and, despite changing the outside MTU to 1492 and changing sysopt connection tcpmss etc., nothing solves the problem. I have even tried changing the inside MTU etc., but nothing makes much difference. As you can imagine, the client thinks that I don't know what I'm doing and it all looks really bad for me! The previous router (Draytek Vigor) never caused any issues. Do you know what settings I should use, please, for PPPoE on the outside and normal Windows PC clients on the inside? Thank you.
03-10-2020 11:34 AM
For PPPoE, here is the configuration guide. Could you please upload the firewall configuration? It's strange that you say some websites are working and some are not. Can you capture packets for one that is working and one that is not?
You said you have already worked on ASAs, so there is no doubting your skill set. Was this a new ASA installation or an existing unit? Have you tried the packet-tracer utility for the website that is not working?
03-10-2020 12:04 PM
Hi Sheraz, thank you for replying. I am certainly no expert on ASAs and have only used the ASDM packet tracer, which would not help in this case. It seems to be related to packet sizes: some websites work fine and others do not. Here is the config:
: Saved
:
: Serial Number: JMX194940VM
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by asa5505 at 18:56:39.269 GMT/BST Tue Mar 10 2020
!
ASA Version 9.2(4)
!
hostname asa5505
domain-name sharpandbentley.com
enable password OTAqb7PdAwRlIHVq encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 89.206.205.193 gateway
name 89.206.205.195 asa5505_public
name 192.168.10.254 asa5505_inside
ip local pool SSLVPN_POOL 192.168.20.1-192.168.20.20 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address asa5505_inside 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT
ip address pppoe setroute
!
boot system disk0:/asa924-k8.bin
boot system disk0:/asa917-29-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name sharpandbentley.com
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Penrith_inside
range 192.168.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 192.168.10.0 255.255.255.0 object Penrith_inside
pager lines 24
logging enable
logging asdm informational
mtu inside 1452
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static Penrith_inside Penrith_inside no-proxy-arp
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 192.168.10.0 255.255.255.0 inside
http 217.169.28.120 255.255.255.255 outside
http 80.168.79.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set AES128SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map PENRITH 1 match address outside_cryptomap_3
crypto dynamic-map PENRITH 1 set ikev1 transform-set AES128SHA
crypto dynamic-map PENRITH 1 set security-association lifetime kilobytes unlimited
crypto map outside_map13 1 ipsec-isakmp dynamic PENRITH
crypto map outside_map13 interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.sharpandbentley.com
subject-name CN=vpn.sharpandbentley.com,O=Sharp & Bentley,C=GB
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 63cca72055cfbc3ee4992ea9
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 04000000000121585308a2
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 01ee5f222de71b43a5d4669f9e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 80.168.79.2 255.255.255.255 outside
ssh 217.169.28.120 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname D482199@hg70.btclick.com
vpdn group BT ppp authentication mschap
vpdn username D482199@hg70.btclick.com password broadband1 store-local
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 81.139.56.100 81.139.57.100 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 80.86.38.193 source outside
ntp server 188.39.98.165 source outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value sharpandbentley.com
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username asa5505 password 3llIpj3dwA3/KZGT encrypted privilege 15
username joy.clarke password TejeTR6YNp7meJic encrypted
username joy.clarke attributes
service-type remote-access
username luke.moxham password BV0ryiVbdUBuBogD encrypted
username luke.moxham attributes
service-type remote-access
username martin password i3i9nYWUd8fPlJBr encrypted
username smehmet password 1yqw/MwT3cwDUDry encrypted
username smehmet attributes
service-type remote-access
username julie.mehmet password 8bxJRBoKosfSEmIm encrypted
username julie.mehmet attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSLVPN_POOL
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group PENRITH type ipsec-l2l
tunnel-group PENRITH general-attributes
default-group-policy GroupPolicy1
tunnel-group PENRITH ipsec-attributes
ikev1 pre-shared-key PENRITH
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6cf0bf54d4017514c6de7458a639e963
: end
I really don't know how to packet capture. Firstly, I can never remember which command turns on output to the SSH client, and then of course the screen fills with info and it is hard to stop!
03-10-2020 12:19 PM - edited 03-10-2020 12:21 PM
What makes you think it's an MTU issue? Keep the MTU at 1500.
If you have ASDM access, then do a packet tracer for the website that is not working.
03-10-2020 01:45 PM
Hi Sheraz,
Thank you for actively following this up. I note that on the old router the MTU was set at 1492 due to PPPoE overheads, so I naturally took this across to the ASA as well. When you say set the MTU back to 1500, is that on both the inside and outside interfaces? What about the tcpmss value? Tinkering with these settings does make some slight difference, so it does seem likely that these settings have something to do with it?
Thanks, Martin
03-10-2020 02:23 PM - edited 03-10-2020 02:25 PM
Yes, you are right. The MTU for outside needs to be configured as 1492, and inside needs to be 1500.
However, in your firewall configuration you have done it wrong; you configured it as
mtu inside 1452
mtu outside 1500
whereas it is supposed to be outside 1452 and inside 1500.
03-10-2020 02:30 PM
Hi,
I don't see the correct MTU and MSS values in your attached config. Run a stable version of the ASA, make the following changes to avoid severe fragmentation, and see how it goes.
sysopt connection tcpmss 1380
mtu outside 1492
Regards,
Cristian Matei.
03-10-2020 03:01 PM
Hi Cristian,
Thank you for your reply. Of course, when I started I did have the outside MTU at 1492, the inside MTU at 1500 and tcpmss at 1380, but some websites just don't work. I just keep trying different things to fix the issue, but nothing makes much difference. I see a few errors about packets coming from a secure website to an internal IP that are blocked by the ASA for some reason, which might be related?
03-10-2020 03:09 PM - edited 03-10-2020 03:11 PM
The 5505 is EOL and end of support; there is no stable version for this unit. However, here is the link on how to configure a PPPoE connection. Cisco clearly mentions outside MTU 1492 bytes and inside 1500.
I also noted you have configured your MTU wrong:
mtu inside 1452
mtu outside 1500
This must be MTU outside 1492 and inside 1500.
Thank you.
03-11-2020 04:44 PM
Hi Sheraz,
I want to thank you for doing your best to help me. I did actually get another regular contributor to this forum, Julio Carvajal Segurat, to help me directly since time was of the essence. It was nothing to do with MTU, and only a packet trace showed the issue. It seems that some traffic destined for the internet was being caught by this NAT rule (which was for a site-2-site VPN):
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static Penrith_inside Penrith_inside no-proxy-arp
where
object network Penrith_inside
range 192.168.1.0 255.255.255.0
and when removed and replaced by
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static 192.168.1.0 192.168.1.0
it no longer caught traffic not destined for the VPN.
It seems that ASDM crafted these commands slightly wrongly. There was me thinking that ASDM would never do this!
Thank you again for your help.
03-10-2020 03:13 PM
Here is a screenshot of the debug messages being displayed when trying to access a website that doesn't work (www.bbc.co.uk)
03-11-2020 03:14 PM
Hi,
If upgrading is not an option, try the following:
- set those values as I said, reload the ASA and test; if it doesn't work, move to the next step
- remove MPF (service-policy) and see if it works; if it works, it means some inspection is killing your session; if it doesn't work, move to the next step
- perform a packet capture for that specific traffic, on both the inside and outside interfaces, and post it here
Regards,
Cristian Matei.
03-11-2020 04:41 PM
Hi Cristian
I want to thank you for doing your best to help me. I did actually get another regular contributor to this forum, Julio Carvajal Segurat, to help me directly since time was of the essence. It was nothing to do with MTU, and only a packet trace showed the issue. It seems that some traffic destined for the internet was being caught by this NAT rule (which was for a site-2-site VPN):
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static Penrith_inside Penrith_inside no-proxy-arp
where
object network Penrith_inside
range 192.168.1.0 255.255.255.0
and when removed and replaced by
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static 192.168.1.0 192.168.1.0
it no longer caught traffic not destined for the VPN.
It seems that ASDM crafted these commands slightly wrongly. There was me thinking that ASDM would never do this!
Thank you again for your help.
03-12-2020 12:08 PM
Hi,
I'm glad it's fixed, but I still don't see how traffic going to the Internet (www.bbc.co.uk) was not working because it was matched by that NAT rule, which was actually matching on a private destination and not on the destination of www.bbc.co.uk.
Regards,
Cristian Matei.
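The answer to that closing question is visible in the config quoted above: ASDM wrote the Penrith_inside object as `range 192.168.1.0 255.255.255.0` rather than `subnet 192.168.1.0 255.255.255.0`, and on the ASA `range` takes a first and a last address, so the object covers every address from 192.168.1.0 up to 255.255.255.0, which includes a large part of the public Internet. The Python below is an added illustration (not code from any post in the thread) that reproduces the two address forms and shows which constructed sample destinations the VPN NAT rule would claim under each definition; the destination addresses are RFC 5737 documentation and private addresses chosen for the example, not real sites.

```python
import ipaddress

# Two definitions of the same object, reconstructed from the lines quoted in
# the thread. The first is what ASDM emitted; the second is what a /24
# site-to-site destination should look like.
ASDM_GENERATED = """\
object network Penrith_inside
 range 192.168.1.0 255.255.255.0
"""

INTENDED = """\
object network Penrith_inside
 subnet 192.168.1.0 255.255.255.0
"""


def parse_network_object(text):
    """Return (name, matcher) for a minimal ASA 'object network' block.

    The matcher reproduces the ASA semantics of the two address forms:
      range <first> <last>   -> inclusive range of host addresses
      subnet <addr> <mask>   -> network with a dotted-decimal mask
    """
    name = None
    matcher = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            name = parts[2]
        elif parts[0] == "range":
            first = int(ipaddress.IPv4Address(parts[1]))
            last = int(ipaddress.IPv4Address(parts[2]))
            if last < first:
                raise ValueError("range end precedes range start")
            matcher = lambda ip, f=first, l=last: f <= int(ip) <= l
        elif parts[0] == "subnet":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
            matcher = lambda ip, n=net: ip in n
    if name is None or matcher is None:
        raise ValueError("not a complete 'object network' definition")
    return name, matcher


def caught_by_vpn_nat(object_text, destinations):
    """Return the destinations the static (inside,outside) NAT rule would
    claim, i.e. those matching the rule's destination object."""
    _, match = parse_network_object(object_text)
    return [d for d in destinations if match(ipaddress.IPv4Address(d))]


# Constructed sample destinations (documentation/private ranges): one host on
# the remote VPN LAN, two addresses numerically below 192.168.1.0 and two above.
SAMPLE_DESTINATIONS = [
    "192.168.1.10",  # remote site LAN: should match under both definitions
    "10.20.30.40",   # below 192.168.1.0: never matched
    "192.0.2.10",    # below 192.168.1.0: never matched
    "198.51.100.7",  # above 192.168.1.0: wrongly matched by the range form
    "203.0.113.5",   # above 192.168.1.0: wrongly matched by the range form
]

if __name__ == "__main__":
    for label, text in (("ASDM range", ASDM_GENERATED), ("intended subnet", INTENDED)):
        print(f"{label:16s} -> {caught_by_vpn_nat(text, SAMPLE_DESTINATIONS)}")
```

The same check explains the "some sites work, others don't" symptom: a public destination is only diverted into the VPN NAT rule when its address sorts above 192.168.1.0, which is independent of MTU or MSS.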