Abaji,

I only want the actual traffic for the 192.168.1.0/24 network to go over the VPN. All other traffic needs to be sent out via the local lan.

Unfortunately I'm not sure how to setup a static route for all anyconnect clients.

Currently when I connect I get

Secured Route

192.168.2.0/28

Non-Secured route

0.0.0.0/0

Needless to say I can surf the internet now, but I am unable to get thru the vpn at all now.

You need to include all subnets you need under split tunnel ACL. Refer http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html for example.

HTH

Abaji.

I did a packet-trace on this and it gets stopped here

Phase: 4
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcaf60558, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=15, user_data=0x1e000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.2.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

** Did a change of plans, I don't care about split tunnel as long as I can tunnel in. The issue now is I can tunnel in but only get to the internet and not the intranet. I can ping the ASA itself but cannot get into any other device.

One of the error messages I'm getting is

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.3.1/138 dst outside:192.168.3.255/138 denied due to NAT reverse path failure

I was trying to get into 192.168.1.3, the switch inside of the network.

nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 VPN-Clients 255.255.255.0

TECASA(config)# show nat

NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
    translate_hits = 605, untranslate_hits = 1
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface outside:
  match ip outside VPN-Clients 255.255.255.0 outside any
    dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
    translate_hits = 153, untranslate_hits = 1

Help please

Hello, Stacey.

1. Please, change the NAT exception rule to:

no access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any

access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240

end

clear xlate

2. Correct the split-tunnel rule:

no access-list Split standard permit host 0.0.0.0 

access-list Split extended permit ip 192.168.0.0 255.255.252.0 any

group-policy TEC-Group-Policy attributes

 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split

3. Add the permition for inside_access_in (optionaly)

access-list inside_access_in extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240

And, I believe, it should work.

To verify slit tunneling on remote host (if it is Windows maschine), you can use route print command from cmd. For example: