Anyconnect split vpn

We have a requirement to split out our Teams UDP traffic, which is on four ports (3478-3481) on 4 subnets, and then tunnel anything else back into the internal network.

We have tried using a tunnel exclude with an extended ACL to achieve this, but the routes never appear within the client. The only way to get the exclusions to show is to use a standard ACL, which we can't do as we need the 443 and 80 to come back within the tunnel.

Can this be achieved with Cisco AnyConnect?

Tom 

6 Replies

Oleg Volkov
Spotlight
Please describe in more detail.
You have an inside network, and outside users with AnyConnect.
Are your 4 subnets behind the inside interface?
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

The VPN runs when users are outside our network. Historically we have tunnelled all traffic in and then used normal routes from there, so the routing in the AnyConnect client shows as tunnel-all 0.0.0.0/0.

We need to break out of that tunnel to leverage the local machine's internet access (so we have specified that in the preferences) for just 4 ports on those 4 networks. However, we still need 443/80 on those networks to be tunnelled, so a standard ACL won't work.

When we use an extended ACL with the port requirements we need, AnyConnect doesn't seem to like it.

Only standard ACLs are supported. If you want this exclusion for a specific app then you could do dynamic split tunnel which is based on domain.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#concept_fly_15q_tz

OK, so it looks like it probably isn't possible with AnyConnect then.

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams

This is what we need to achieve, but as you can see the networks listed in the first two boxes overlap, and we have to have the 80 and 443 traffic coming internally to meet conditional access policies.

We know our partner orgs are using NetMotion to exclude any network to those 4 UDP ports, but I'm guessing this isn't possible either with AnyConnect?

I see, so you are looking to optimize MS Teams and Skype. This can be accomplished.

The overlap you mentioned should not be a problem. The "Allow Required" does NOT mean this should go through the tunnel and even if that was the case we could do it with Split INCLUDE as the routing table would have more specific routes to go through the tunnel and the rest in the clear.

"Allow endpoints are required for connectivity to specific Office 365 services and features, but are not as sensitive to network performance and latency as those in the Optimize category. The overall network footprint of these endpoints from the standpoint of bandwidth and connection count is also significantly smaller. These endpoints are dedicated to Office 365 and are hosted in Microsoft datacenters. They represent a broad set of Office 365 micro-services and their dependencies (on the order of ~100 URLs) and are expected to change at a higher rate than those in the Optimize category. Not all endpoints in this category are associated with defined dedicated IP subnets." 

https://docs.microsoft.com/en-us/office365/enterprise/office-365-network-connectivity-principles

Although from other cases where this has been investigated, there appears to be some evidence that certain Microsoft apps (Skype, Teams, etc.) specifically and intentionally BIND to any/all active interfaces in an attempt to use what the app(s) determine to be the 'best interface', subsequently ignoring (or bypassing) the local routing table (which is where the split-exclude networks are defined). This certainly correlates to the behavior this Microsoft article mentions:
https://techcommunity.microsoft.com/t5/office-365-blog/how-to-quickly-optimize-office-365-traffic-for-remote-staff-amp/ba-p/1214571
[attached image: 20200402-130127212_image001.png]

So the recommendation is to optimize by IP range (not ports) and by FQDN with dynamic-split-exclude (for apps that need it, because the domain resolves to different IPs dynamically).

If after that you still see unwanted traffic going through the tunnel then you can try adding the /32 route explained in the MS article.
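The recommendation above, written out as an added ASA configuration example (not config from this thread, from Cisco, or from the Microsoft articles): a standard ACL split exclude for the three Teams/Skype media ranges Tom lists later in the thread, plus an FQDN-based dynamic split exclude. The ACL, group-policy and custom-attribute names, and the two domain names, are assumed and should be replaced with values from the Microsoft endpoint list. As the thread states, the standard ACL matches on IP range only, so TCP 80/443 to these ranges leaves the tunnel too; this does not achieve a per-port exclusion.

```cisco
! Standard ACL: split tunneling matches on destination network only,
! not on UDP/TCP ports (assumed ACL name)
access-list TEAMS_MEDIA_EXCLUDE standard permit 13.107.64.0 255.255.192.0
access-list TEAMS_MEDIA_EXCLUDE standard permit 52.112.0.0 255.252.0.0
access-list TEAMS_MEDIA_EXCLUDE standard permit 52.120.0.0 255.252.0.0
!
! Dynamic split exclude by FQDN, for destinations whose IPs change
! (attribute-data name and domains assumed; subdomains are matched too)
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Collaboration FQDNs bypass the tunnel
!
anyconnect-custom-data dynamic-split-exclude-domains teams_fqdns teams.microsoft.com,skype.com
!
! Group policy (assumed name) applying both exclusions; everything else,
! including 0.0.0.0/0, stays tunnelled as in Tom's current setup
group-policy GP_TEAMS_SPLIT attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value TEAMS_MEDIA_EXCLUDE
 anyconnect-custom dynamic-split-exclude-domains value teams_fqdns
!
! Verification on the ASA after a user connects
show running-config group-policy GP_TEAMS_SPLIT
show vpn-sessiondb detail anyconnect
```

After reconnecting, the three prefixes should appear in the client's Route Details as non-secured (excluded) routes; if they do not, the group policy is not the one the user's tunnel-group is applying. The static ACL and the FQDN list are independent controls: the ACL installs host routes on the client, the dynamic list is evaluated per DNS answer, so keep both to a minimum, since any address in an excluded range is reached outside the tunnel regardless of port.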
@Gustavo Medina Thanks for that info; a lot of that is great and makes sense.

I think our requirements may be too specific for it to work.

As you say, we need to optimise (be excluded from the tunnel / break out) literally just the 4 UDP ports on the following three networks; these don't relate to URLs when they are hit.

  • 13.107.64.0/18
  • 52.112.0.0/14
  • 52.120.0.0/14

We then need ports 80/443 from those same three subnets (amongst others) to go via the tunnel/internal network to meet conditional access policies we have in place for the MS apps (this cannot be changed at present).

We had thought we could potentially do an "Exclude Network List below" and choose a standard ACL including 

  • 13.107.64.0/18
  • 52.112.0.0/14
  • 52.120.0.0/14

Then, from your suggestion, do a dynamic split include for the URL "*.teams.microsoft.com", thus meaning any URL that hits those IPs as part of any auth traffic from Teams will route via the tunnel.

Unfortunately, according to this support article, this isn't possible.

Am I missing something, or is that about right? If I am missing something, what actual config should I be using to exclude just those 4 UDP ports?

Thanks

Tom