Hi,
I have a 5505 set up and running with access to my corp resources; the problem is that I can't reach the Internet. I do not want to split-tunnel due to security concerns, and it seems that it would be simple to find documents describing this scenario, but surprisingly that is not the case.
One point of concern is when I do "sh connections" I see the flags SaAB
S=Awaiting inside SYN
I'm not sure what to make of this since my AnyConnect session terminates on the "outside" interface and any SYN sent from my client would appear to have originated on the "outside". The SYN-ACK response from the Internet would be to the "outside" interface as well. So where is the "inside" SYN going to originate?
a=Awaiting Outside ACK to SYN
Same issue I described above. Since my initial SYN was originated on the "outside", how does the ASA correlate the SYN-ACK received on the "outside" to my initial SYN sent from the "outside"?
A=Awaiting inside ACK to SYN
Again, same issue.
B=Initial SYN from Outside
Described above
I have same-security-traffic permit intra-interface enabled and the split-tunnel-policy tunnelall enabled on the group policy.
Here is a snippet of my config.
same-security-traffic permit intra-interface
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ip local pool sslvpnpool 192.168.70.10-192.168.70.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
dns-server value x.x.x.x
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
default-domain value xxxx.xxxx
address-pools value sslvpnpool
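As an added example (not part of the original post), here is the pre-8.3 style NAT that a full-tunnel client's Internet traffic needs in order to hairpin back out the same interface, written against the pool name and NAT id 1 from the snippet above. It assumes nat-control is disabled (the default on this release family); if nat-control is enabled, pool-to-inside traffic also needs a nat (outside) 0 exemption.

```cisco
! Added example, not from the original post. Uses the pre-8.3 NAT
! syntax, the sslvpnpool range and NAT id 1 shown in the config above.
!
! A tunnelall client's packets arrive on "outside" (decrypted from the
! tunnel) and must leave on "outside" again toward the Internet, so the
! hairpin path needs two things:
!
! 1) Permit traffic to enter and leave the same interface
!    (already present in the config above).
same-security-traffic permit intra-interface
!
! 2) PAT the VPN pool to the outside interface address. The existing
!    "nat (inside) 1 0.0.0.0 0.0.0.0" only covers traffic arriving on
!    "inside"; client traffic arriving on "outside" needs its own
!    nat (outside) statement tied to the same global pool.
global (outside) 1 interface
nat (outside) 1 192.168.70.0 255.255.255.0
!
! With this in place, "show conn" for a client's Internet flow should
! show the pool address translated to the outside interface address.
! Assumption: nat-control is disabled (default), so pool-to-inside
! traffic passes untranslated without an extra nat (outside) 0 entry.
```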