If you have an ASA 5505 security appliance (version 7.2(3) and higher) configured as an Easy VPN Client in Network Extension Mode with multiple interfaces configured, the security appliance builds a tunnel for locally encrypted traffic only from the interface with the highest security level.
The guide doesn't specify what happens with traffic from the interface with a mid-security level (DMZ). Sure, the DMZ traffic is exempted from the tunnel, but then what? Is it implicitly dropped? If that's the case, is there a way around that? How would you configure that? (Split tunneling on the Easy VPN server is not an option.)
What I'm trying to achieve is this:
Inside <--> Outside <--> Tunnel only (works fine)
DMZ <--> Outside <--> Internet (doesn't work)
Not really, since I've randomly tried every thinkable solution until I rebooted and began from a clean slate, but...
Configuration pretty much like this:
ip address 10.1.1.1 255.255.255.0
dhcp client route distance 2
ip address dhcp setroute
no forward interface Vlan1
ip address 192.168.1.1 255.255.255.0
object network dmz
nat (dmz,outside) dynamic interface