Hello 67P7,
There is an option that permits VPN clients to reach Internet sites over the IPsec tunnel. I have no visibility into your ASA, so I am going to send some options; please try them and let me know.
PS: You need to disable split tunneling and use split-tunnel-policy tunnelall.
Example:
Inside Network: 192.168.1.0/24
VPN Pool: 192.168.2.0/24
IP outside ASA: 200.200.200.200
IP outside NAT ASA: 200.200.200.201 "if used"
First:
Create a NAT condition:
===> NAT to Internet <===
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface "if you are using the outside IP address to NAT"
or
global (outside) 1 200.200.200.201 netmask 255.255.255.255 "if you are using a specific IP address to NAT"
===> No NAT <===
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside) 0 access-list VPN_NONAT
!
===> IPsec and hairpinning use <===
same-security-traffic permit intra-interface
Let me know about it.
Good luck.
Fabio Jorge Amorim
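
Added example, not part of the original post: a small Python check that reads a saved ASA running-config (pre-8.3 NAT syntax) and reports which of the pieces described above are missing. The sample config is constructed from the post's example addresses, applies the pool's NAT rule on the outside interface where VPN client traffic enters the ASA, and uses a hypothetical group-policy name (VPN_GP); the function name is also an assumption.

```python
import re

# Constructed sample running-config (pre-8.3 NAT syntax) built from the post's
# example addresses. The group-policy name VPN_GP is hypothetical.
SAMPLE = """\
group-policy VPN_GP attributes
 split-tunnel-policy tunnelall
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list VPN_NONAT
same-security-traffic permit intra-interface
"""

def audit_hairpin(config, inside="192.168.1.0 255.255.255.0",
                  pool="192.168.2.0 255.255.255.0"):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "split-tunnel-policy tunnelall" not in lines:
        findings.append("split tunneling still enabled (no tunnelall policy)")
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("hairpinning not permitted (intra-interface)")
    # Dynamic NAT for the pool must pair with a global on the outside interface.
    nat_re = re.compile(r"nat \(\S+\) ([1-9]\d*) " + re.escape(pool) + r"$")
    nat_ids = {m.group(1) for m in map(nat_re.match, lines) if m}
    glob_ids = {m.group(1) for m in
                (re.match(r"global ?\(outside\) (\d+) ", ln) for ln in lines) if m}
    if not nat_ids & glob_ids:
        findings.append("VPN pool has no dynamic NAT with a matching outside global")
    # NAT exemption: an ACL permitting inside -> pool, bound with nat 0.
    acl_re = re.compile(r"access-list (\S+) extended permit ip "
                        + re.escape(inside) + " " + re.escape(pool) + r"$")
    acls = {m.group(1) for m in map(acl_re.match, lines) if m}
    bound = {m.group(1) for m in
             (re.match(r"nat \(inside\) 0 access-list (\S+)$", ln) for ln in lines) if m}
    if not acls & bound:
        findings.append("no NAT exemption between inside network and VPN pool")
    return findings

if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE) or ["all hairpin checks passed"]:
        print(finding)
```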