Unable to browse internet while VPN connected (ASA5505 running 8.3)

Steve Dixon
Level 1

We upgraded our ASA 5505 to the 8.3(2) firmware image and we have a working VPN configuration (Windows VPN clients can connect and browse the office network as well as their local networks [split tunnel seems to work in this regard]).  However, while connected they are unable to also browse the internet.  In our 8.2(1) configuration we did 'something' to permit remote users to browse the internet at the same time but apparently this did not get transferred in the upgrade.

I'm sure it is a simple NAT or routing command but cannot figure it out.  I've gotta hit the road now but will post our config this afternoon if no one knows the 'secret' to doing this.  Ideally the remote users' internet traffic would go out their internet connection and not be tunneled through the office.  We understand the risks associated with this.

rahgovin
Level 4

Kinda confusing. From what I understand, you have split tunneling. But then the internet traffic does not depend on what nat rules the ASA has in the case of split tunneling? Can you confirm if you are using split tunneling or not? If not the nat rules have to be changed such that you pat all the traffic from the vpn pool on the outside interface to the interface ip address. And same-security permit intra-interface should be there of course.

Atri Basu
Cisco Employee

Sounds like you want to configure split-tunneling in ASA 8.3 and that this was working before the upgrade. If this is the case, check out the following link:

http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5580/guide/remvpn.html#wp1048616

If you have all these configurations in place then please share the config. Do remember to remove all details that you would like hidden.

[I tried to strip out anything not relevant to this issue]

: Saved
:

ASA Version 8.3(2)
!
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
description Shaw static IP
nameif outside
security-level 0
ip address [static WAN IP] 255.255.252.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server [WAN DNS 1]
name-server [WAN DNS 2]
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service http
service tcp destination eq www
object service https
service tcp destination eq https
object network Bomgar_HTTP
host 192.168.10.4
object network Bomgar_HTTPS
host 192.168.10.4
object network NETWORK_OBJ_10.0.0.0_27         [vpn address pool]
subnet 10.0.0.0 255.255.255.224
object network NETWORK_OBJ_192.168.10.0_24     [inside LAN]
subnet 192.168.10.0 255.255.255.0
object-group service Bomgar_SG
description Bomgar services
service-object tcp destination eq www
service-object tcp destination eq https
object-group network BomgarGrp
description Bomgar service NAT group
network-object object Bomgar_HTTP
network-object object Bomgar_HTTPS
access-list outside_access_in extended permit object http any object Bomgar_HTTP inactive
access-list outside_access_in extended permit object https any interface outside inactive
access-list outside_access_in extended permit object-group Bomgar_SG any interface outside
access-list outside_access_in extended permit icmp any interface outside
access-list acl_outside extended permit tcp any host 192.168.10.4 eq www
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl remark Office network
pager lines 24
logging enable
logging asdm informational
logging from-address asa@[maildomain]
logging recipient-address support@[maildomain] level errors
mtu outside 1500
mtu inside 1500
ip local pool VPN_Users 10.0.0.2-10.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 10 burst-size 5
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp deny any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_10.0.0.0_27 NETWORK_OBJ_10.0.0.0_27
!
object network obj_any
nat (inside,outside) dynamic interface
object network Bomgar_HTTP
nat (inside,outside) static interface service tcp www www
object network Bomgar_HTTPS
nat (inside,outside) static interface service tcp https https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 [Static WAN IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol radius
reactivation-mode timed
aaa-server AD (inside) host [RADIUS SERVER IP]
key *****
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
l2tp tunnel hello 300
dhcpd auto_config outside        [This isn't actually used or enabled (was in default config)]
!
dhcpd address 192.168.10.5-192.168.10.132 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.80.96.96 source outside        [attempt to time sync with ca.pool.ntp.org]
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value [WINS server IP's]
dns-server value [DNS Server IP's]
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value 247net.local
split-dns value 247net 247net.local
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Users
authentication-server-group AD
default-group-policy DefaultRAGroup
username-from-certificate CN UID
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server [ISP mail relay server IP's]
prompt hostname context
Cryptochecksum:ab00d871122048a47853c74bb5698da9
: end
no asdm history enable

I ran the remote access VPN wizard to create the VPN IP pool and enable split tunneling.  My understanding is that split tunneling should only require defining the office network address range and configuring the DefaultRAGroup to only tunnel that range of IPs.  I think I followed the directions for this accurately. We have access to the local networks on both sides of the VPN, just not internet (from the client-side) while the VPN is connected.

We are hosting a remote support web server internally at the office so we do forward ports 80 and 443 to it (www and https), but this is only necessary when forwarding from the WAN (Outside) port.  I only point this out in case it is relevant.

While the client VPN is connected the client loses the ability to ping 4.2.2.2 or any other internet address, so to me this looks like perhaps my split tunnel configuration isn't working as expected.

The office network is 192.168.10.x

The remote networks are 192.168.1.x (different at any rate)

Testing is being done from Windows 7 workstations using the built-in l2tp/ipsec clients.

Hi Scott,

To the best of my knowledge, I don't think L2TP over IPsec supports split tunnelling. If you use the Cisco VPN client, you should be able to get this working.

What we can do in this case is to configure U-turning on the ASA for these vpn clients. Please add the below commands to get it working:

same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.0.0.0_27
 nat (outside,outside) dynamic interface

Let me know if this helps!!

Cheers,

Prapanch
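
As an added example that is not part of this thread and not Cisco code: a small Python linter that parses an ASA 8.3-style running config and checks the things the accepted answer turns on for traffic from the VPN pool to hairpin back out the outside interface: `same-security-traffic permit intra-interface`, an object NAT rule `nat (outside,outside) dynamic interface` on an object covering the pool, and the identity (twice) NAT that keeps inside-to-pool traffic untranslated. It also flags group policies that combine l2tp-ipsec with a tunnelspecified split-tunnel policy, which the answer above says is not supported. The two embedded configs are constructed from the posted one, trimmed to the relevant lines; the pool name VPN_Users and the object names are taken from it.

```python
# Added example (not Cisco code): lint an ASA 8.3-style config for the
# VPN-client U-turn (hairpin) requirements discussed in this thread.
import ipaddress
import re

# Constructed sample in the shape of the config posted above, trimmed to
# the lines that matter, as it stood before the accepted answer was applied.
CONFIG_BEFORE = """\
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_27
subnet 10.0.0.0 255.255.255.224
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
ip local pool VPN_Users 10.0.0.2-10.0.0.20 mask 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_10.0.0.0_27 NETWORK_OBJ_10.0.0.0_27
!
object network obj_any
nat (inside,outside) dynamic interface
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
"""

# The same config with the two commands from the accepted answer appended.
CONFIG_AFTER = CONFIG_BEFORE + """\
object network NETWORK_OBJ_10.0.0.0_27
nat (outside,outside) dynamic interface
"""

OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)")
HOST_RE = re.compile(r"^host (\S+)")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
GP_RE = re.compile(r"^group-policy (\S+) attributes")
GP_ATTRS = ("vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list")


def parse_asa(text):
    """Collect objects, pools, NAT rules and group-policy attributes. Block
    membership is tracked by context, not indentation (pasted configs lose it)."""
    cfg = {"objects": {}, "pools": {}, "intra_interface": False,
           "twice_nat": [], "group_policies": {}}
    obj = gp = None  # enclosing 'object network' / 'group-policy ... attributes'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        if obj is not None:  # sub-commands of an 'object network' block
            if m := SUBNET_RE.match(line):
                obj["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                continue
            if m := HOST_RE.match(line):
                obj["net"] = ipaddress.ip_network(f"{m[1]}/32")
                continue
            m = NAT_RE.match(line)
            if m and not m[3].startswith("source "):
                obj["nat"].append(m.groups())  # object NAT: (real_if, mapped_if, rest)
                continue
        if gp is not None and line.startswith(GP_ATTRS):
            key, _, value = line.partition(" ")
            gp[key] = value
            continue
        obj = gp = None  # anything else is a top-level command
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif m := OBJ_RE.match(line):
            obj = cfg["objects"].setdefault(m[1], {"net": None, "nat": []})
        elif m := GP_RE.match(line):
            gp = cfg["group_policies"].setdefault(m[1], {})
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT_RE.match(line):
            cfg["twice_nat"].append(m.groups())  # top-level (twice) NAT
    return cfg


def check_uturn(cfg, pool_name, outside="outside"):
    """Pass/fail findings for clients in pool_name hairpinning out of `outside`."""
    start, end = cfg["pools"][pool_name]
    covering = {n: o for n, o in cfg["objects"].items()
                if o["net"] is not None and start in o["net"] and end in o["net"]}
    # Object NAT (outside,outside) dynamic ... on an object covering the pool.
    hairpin = [n for n, o in covering.items()
               if any(r == outside and mp == outside and rest.startswith("dynamic")
                      for r, mp, rest in o["nat"])]
    # Identity twice NAT naming a pool-specific object (catch-alls like 0.0.0.0/0
    # ignored) keeps LAN<->pool traffic untranslated.
    specific = [n for n, o in covering.items() if o["net"].prefixlen > 0]
    exemption = any(rest.startswith("source static") and any(f" {n} " in f" {rest} " for n in specific)
                    for _, _, rest in cfg["twice_nat"])
    # The accepted answer in this thread says L2TP/IPsec does not support split tunnelling.
    l2tp_split = [n for n, a in cfg["group_policies"].items()
                  if "l2tp-ipsec" in a.get("vpn-tunnel-protocol", "")
                  and a.get("split-tunnel-policy") == "tunnelspecified"]
    return {"intra_interface": cfg["intra_interface"],
            "hairpin_nat_objects": hairpin,
            "lan_pool_identity_nat": exemption,
            "uturn_ok": cfg["intra_interface"] and bool(hairpin),
            "l2tp_split_tunnel_policies": l2tp_split}


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_uturn(parse_asa(text), "VPN_Users"))
```

To run it against a real box, save `show running-config` to a file and pass its contents to `parse_asa` in place of the sample strings; leading whitespace is ignored, so a pasted config with stripped indentation (like the one above) parses the same as the original. On the "before" sample the hairpin check fails even though intra-interface is already permitted, which is exactly the state the posted config was in. Regarding the worry raised later in the thread about leaving a back door: `nat (outside,outside) dynamic interface` is a dynamic PAT, so it only creates translations for connections initiated from the pool and does not by itself admit unsolicited inbound traffic.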

Prapanch is right, split-tunneling for l2tp over ipsec isn't supported:  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

It would also explain why the internet access was working for you before the upgrade. Due to the changes in the NAT configuration in 8.3 it is possible that the NAT rules required for U-turning were misconfigured or dropped.

I added the lines you recommended to the configuration but have not yet been able to test them.

In the ASDM it created a somewhat confusing NAT entry (I didn't have the time to review it too closely unfortunately) where the first line is outside, outside, any and the second line is inside, outside, any.  I'll have to check it to ensure it isn't leaving the back door open or anything.  If I interpret it properly it looks like it just permits traffic coming from the vpn tunnel to route out the outside interface (with an implicit reverse path?).

If memory serves I think I recall something about U-turning last year but I didn't think it was the key for this issue (I'm nearing burnout this time of year).

Anyway, I'll post back if the current configuration works the way we want it to.  I presume this means the client internet traffic would be routed through the office firewall?

Client===vpn plus internet===ASA---internet (via outside WAN port)

                               +---office LAN

where === is encrypted

Sorry for the long delay in updating the status (swamped).

Everything is working as expected right now, the U-turn NAT command did the trick.  Thanks for all the responses, I'll pay it forward one day I'm sure.