Split tunnel issue with ASA 5505 and 2621xm

weichiang
Level 1

Hi all

I have an ASA5505 in NEM mode, connected to a 2621xm Easy VPN headend. I can get the NEM tunnel up, and there is full internal connectivity within the internal network (site A uses 10.1.0.0/16 and site B uses 10.2.0.0/16).

However, I can't seem to get split tunneling to work at site B where the ASA is, in spite of having the following config on the headend. Does anyone have any suggestions?

crypto isakmp client configuration group EasyVPN_NEM
key vpnkey
acl Split-Tunnel

ip access-list extended Split-Tunnel
permit ip 10.1.0.0 0.0.255.255 any

Thanks!

4 Replies

Dennis Leon
Cisco Employee

Hello,

If the communication works fine over the VPN tunnel, you should check if you have NAT properly configured on the ASA side to reach the Internet.

Can you please post the ASA's config?

D.
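The two posts above describe the expected split-tunnel behaviour in words: traffic from site B to 10.1.0.0/16 should be encrypted to the 2621xm, and everything else should leave the ASA in the clear through its dynamic PAT. The following is an added example written for this page, not code from Cisco or from either poster. It takes the Split-Tunnel ACL and the ASA's outside address from the thread, mirrors the ACL the way an Easy VPN hardware client does, and classifies sample flows (the flow addresses are constructed). It also generalizes beyond the single permit line on the page: host/any entries, deny entries and sequence numbers are handled, and non-contiguous wildcards are rejected.

```python
"""Added example for this thread (not Cisco's code or the posters' config):
simulate how an Easy VPN split-tunnel ACL pushed from the headend decides
which traffic from hosts behind the NEM hardware client is encrypted and
which leaves in the clear through the ASA's dynamic PAT. The ACL and the
ASA outside address come from the posts; the sample flows are constructed.
"""
import ipaddress
from typing import List, NamedTuple

# The split-tunnel ACL as configured on the 2621xm headend in the post.
HEADEND_SPLIT_ACL = """
ip access-list extended Split-Tunnel
 permit ip 10.1.0.0 0.0.255.255 any
"""

# Outside interface address from the posted ASA config (the dynamic PAT address).
ASA_OUTSIDE_IP = "192.168.1.2"


class SplitEntry(NamedTuple):
    action: str                         # "permit" (tunnel) or "deny" (bypass)
    headend_net: ipaddress.IPv4Network  # ACL source: network behind the headend
    client_net: ipaddress.IPv4Network   # ACL destination: network behind the client


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the IOS wildcard inverts to a proper subnet mask (1s then 0s)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    ones = bin(mask).count("1")
    return mask == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a CIDR network.

    IOS accepts non-contiguous wildcards, but they do not map to a single
    prefix (and do not belong in a split-tunnel ACL), so reject them.
    """
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"wildcard {wildcard} is not a single prefix")
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))


def _take_address(tokens: List[str]):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_split_acl(text: str) -> List[SplitEntry]:
    """Parse the 'permit|deny ip <src> <dst>' lines of an extended IOS ACL.

    The 'ip access-list' header, remarks and blank lines are skipped; a leading
    sequence number (as printed by 'show ip access-lists') is tolerated.
    """
    entries: List[SplitEntry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        entries.append(SplitEntry(tokens[0], src, dst))
    return entries


def classify_flow(acl: List[SplitEntry], src_ip: str, dst_ip: str) -> str:
    """Return "tunnel" or "clear" for a packet from a host behind the client.

    The ACL is written from the headend's point of view, so the client mirrors
    it: 'permit ip A B' on the server means client traffic from B to A is
    encrypted. First match wins; a deny or no match goes out in the clear.
    An empty ACL models split tunneling being off, where everything is tunneled.
    """
    if not acl:
        return "tunnel"
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if src in entry.client_net and dst in entry.headend_net:
            return "tunnel" if entry.action == "permit" else "clear"
    return "clear"


def describe_flow(acl: List[SplitEntry], src_ip: str, dst_ip: str,
                  outside_ip: str = ASA_OUTSIDE_IP) -> str:
    """One report line: tunneled flows keep their source, clear flows are PATed."""
    if classify_flow(acl, src_ip, dst_ip) == "tunnel":
        return f"{src_ip} -> {dst_ip}: encrypted to headend, source kept"
    return f"{src_ip} -> {dst_ip}: clear, PAT to {outside_ip}"


if __name__ == "__main__":
    acl = parse_split_acl(HEADEND_SPLIT_ACL)
    # Constructed sample flows from a DHCP client behind the ASA at site B.
    flows = [("10.2.1.101", "10.1.5.20"), ("10.2.1.101", "8.8.8.8")]
    print("with the split-tunnel ACL applied:")
    for s, d in flows:
        print(" ", describe_flow(acl, s, d))
    print("with no split-tunnel ACL pushed to the client:")
    for s, d in flows:
        print(" ", describe_flow([], s, d))
```

Running it shows the two states the thread is comparing: with the ACL applied, 8.8.8.8 goes out in the clear and is PATed to 192.168.1.2, so the ASA's own NAT and default route decide whether the Internet is reachable; with no ACL in effect, the same packet is encrypted to the headend and Internet access then depends entirely on the headend forwarding it.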

Thanks for looking into this Dennis. Here is my ASA config. It was built by ASDM as I'm not familiar with configuring ASAs.

: Saved
:
ASA Version 8.4(1)
!
hostname ASA5505
domain-name domain.com
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name domain.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpnclient server 2621xm-headend.domain.com
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup EasyVPN_NEM password *****
vpnclient username ASA5505 password *****
vpnclient management tunnel 10.1.0.0 255.255.0.0
vpnclient enable
dhcpd auto_config outside
!
dhcpd address 10.2.1.101-10.2.1.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain domain.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username user password xxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ade5aa8ed68a82c37d092a9fdf04e590
: end

Well, the configuration looks fine to me... just to clarify, your problem is that you cannot reach the Internet from the network behind the ASA, right?

That's right. I can reach the HQ site internal network just fine, though.