I was using my internal DNS servers, but will try external.

They are MS AD servers that do all the lookups with root hints (no forwarders)

From machines on the inside of the network, I can browse all those sites so some resolution is happening.

I'll switch the DNS servers it uses and report back.

Sounds good

Still fails. 

What's odd is that I'm seeing TCP resets when I go to the pages that fail.  Here's the log info I have for an attempt to browse www.cisco.com.  I paused logging, got to the portal page where I put in address, resumed logging and hit enter.  I changed some things.  FWInternetIP is the ip on the outside interface, Client IP is the IP that I'm on from the test computer.

6|Nov 01 2012|11:28:14|302016|64.250.229.100|123|InternalNTP|123|Teardown UDP connection 4363 for outside:64.250.229.100/123 to inside:InternalNTP/123 duration 0:02:01 bytes 96

6|Nov 01 2012|11:28:11|725007|Client IP|24658|||SSL session with client outside:Client IP/24658 terminated.

6|Nov 01 2012|11:28:11|302014|Client IP|24658|FWInternetIP|443|Teardown TCP connection 4417 for outside:Client IP/24658 to identity:FWInternetIP/443 duration 0:00:28 bytes 26768 TCP Reset-O

6|Nov 01 2012|11:28:11|302014|Client IP|36248|FWInternetIP|443|Teardown TCP connection 4420 for outside:Client IP/36248 to identity:FWInternetIP/443 duration 0:00:28 bytes 14601 TCP FINs

6|Nov 01 2012|11:28:11|725007|Client IP|36248|||SSL session with client outside:Client IP/36248 terminated.

6|Nov 01 2012|11:28:11|716003|||||Group User IP WebVPN access GRANTED: http://www.cisco.com//

What if you try with a bookmark with smart-tunnel enabled?

Thanks.

I get a delay and then the browser's "unable to connect" page, but only for the sites I listed above .

Still no cisco, facebook, yahoo, google, fark.  Slashdot, lvrj, twitter, sunherald are OK.

If I do an anyconnect vpn with my tunnel all profile, I can do anything/go anywhere without a problem.  My hosts on the inside are OK too, so I think that rules out DNS.

I'm going over my config for perhaps inspection or some other craziness and don't see anything there either:

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server Internal1 (Removed during later testing

name-server Internal2 (Removed during later testing)

name-server 8.8.8.8

name-server 8.8.4.4

domain-name internaldomain.local

same-security-traffic permit intra-interface

webvpn

enable outside

anyconnect image disk0:/AnyConnect-3.1.01065/anyconnect-win-3.1.01065-k9.pkg 1 regex "Windows NT"

anyconnect image disk0:/AnyConnect-3.1.01065/anyconnect-macosx-i386-3.1.01065-k9.pkg 2 regex "Intel Mac OS X"

anyconnect image disk0:/AnyConnect-3.1.01065/anyconnect-linux-64-3.1.01065-k9.pkg 3 regex "Linux"

anyconnect image disk0:/AnyConnect-3.1.01065/anyconnect-linux-3.1.01065-k9.pkg 4 regex "Linux"

anyconnect enable

tunnel-group-list enable

ssl-server-check warn-on-failure

group-policy VPN_SSL internal

group-policy VPN_SSL attributes

dns-server value (INTERNAL DNS servers, also tried 8.8.8.8 and 8.8.4.4)

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_ACL

default-domain value internaldomain.local

webvpn

  url-list none

  anyconnect ssl dtls enable

  anyconnect dpd-interval client 10

  anyconnect dpd-interval gateway 30

  anyconnect ask none default webvpn

tunnel-group VPN_SSL type remote-access

tunnel-group VPN_SSL general-attributes

address-pool VPN_Pool

default-group-policy VPN_SSL

tunnel-group VPN_SSL webvpn-attributes

group-alias SSL_VPN enable

tunnel-group-map default-group VPN_IPSEC

I think it's DNS + IPv6 that's causing the problem.  I don't have IPv6 enabled on any interfaces. I'll poke around and reply back with anything I find.

firewall# show dns-hosts               

Host                     Flags      Age Type   Address(es)

forums.radioreference.com(temp, OK) 0    IP    2400:cb00:2048:1::6ca2:c36e  2400:cb00:2048:1::6ca2:c30a

  forums.radioreference.com  cf-protected-forums.radio

radioreference.com       (temp, OK) 0    IP    174.129.16.232

www.slashdot.org         (temp, OK) 0    IP    216.34.181.48

www.lvrj.com             (temp, OK) 0    IP    69.164.14.128  69.164.14.144

     cdn-c.clickability.com    clickabl-3.vo.llnwd.net

llnwd.net                (temp, EX) 4   SOA      dns11.llnwd.net hostmaster.llnwd.net

                                            210 900 300 604800 300

www.google.com           (temp, OK) 0    IP    2001:4860:4007:800::1012

www.facebook.com         (temp, EX) 0    IP    2a03:2880:10:cf01:face:b00c::

firewall#

It's FIXED!

On the outside interface config, IPv6 tab "Enable IPv6" was NOT checked, but the box "Enable address autoconfiguration" WAS checked.

I verified by toggling that checkbox, clearing the cache and trying to ping the problem sites.  Checked=no dice, unchecked=working.

Thank You jportugu for answering my posts and offering suggestions.

I'm having this same issue but IPv6 is definitely disabled on all interfaces. Also I do not get any IPv6 addresses with the command "show dns-hosts"