TestMonkey
Cisco SSL VPN (No Internet Browsing)

I finally have a number of my routers configured for SSL VPN (AnyConnect).

I'm trying to figure out why the second I connect I can't use the internet anymore, can't browse etc. I know it's working as I get on the local servers via remote desktop, shares etc.

Is there a setting that I'm missing?
giltjr

More than likely everything is set up to replace your default route so that all traffic is forced through the VPN connection, and your firewall is most likely not set up to allow the VPN IP address access to the Internet.

If your company policy allows you to do split tunneling, then you need to do that.  Most company policies do NOT allow split tunneling, because it makes your home PC an entry point to your corporate network.
TestMonkey
Split tunneling?  The IP address thing, help me understand that, because PPTP works fine.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Can you explain this one better?

I don't understand the ACL rule. I know where to create them, but is it telling me to find out the network of each user (100s) and add them as an include or an exclude?
I will have to read the article, but normally you don't need to know the IP address of the users; you need to know what IP subnets you want to go over the VPN tunnel.

You let the home user keep their normal default gateway and then the VPN client will add the routes for your internal subnets to their route table.
I could not find where you need to know the home user's IP subnet.  In the article where it shows the 192.168.10.1 address on the home computer, that is not the home network; that is the IP subnet for the VPN tunnel.
Yeah, I see that :)

Very much so annoying.

I'd like users to be able to use the internet while connected. Sad, really, that it's this hard to figure out.
The problem is how you want them to use the Internet, meaning do you want them to use their own Internet connection (split tunneling) or use the company's Internet connection?

Using their own Internet connection means they won't "double dip" the company bandwidth, but it also means you have to trust that the employee's home computer is protected.  If his home computer gets compromised, that can be used as a launching point into your corporate network.  A few years back an employee of MS had their home computer compromised and it was used as a router into the MS internal network.

Using the company's Internet connection reduces the possibility of the internal network getting compromised, but that means the traffic for the web-surfing employee is hitting the company's Internet connection twice.
I'll do split tunneling, just need to understand how to configure it.
The link you had above does a fairly good job of describing what you need to do.  Just follow it.
90% of those options are not in Cisco Configuration Professional :( that's why I'm asking.
What are you using as the VPN server? If you are running ASA 8.x then use ASDM or use CLI.

Cisco router, and pic attached. I can only include or exclude IPs/subnets.
I'm not getting an option to add an ACL etc. either.
Which router and which IOS?
I just figured it out. Just need to add the corporate networks to the include list and everything works, net and everything (net is coming from local).
For those doing the same with a Cisco router and SSL VPN (Cisco AnyConnect):

1.) Under split tunnel just add the corporate network (i.e. if the LAN on the router you're connecting to is 1.1.1.1, use 1.1.1.0 by clicking Include Traffic, then the IP along with subnet)
2.) You won't get DNS, so just click over to DNS and WINS, then add the Primary DNS Server. Wham, all done.

VERY simple.

A second note that I ran into was AnyConnect 2.4.0202 always claimed to have a certificate issue; using AnyConnect 2.3.2016 works flawlessly.
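The same two settings (split include of the corporate subnet, plus an internal DNS server) expressed as IOS CLI rather than the Cisco Configuration Professional GUI. This is an added example, not configuration from the thread or from Cisco's documentation; the gateway address, trustpoint, pool, corporate subnet 192.168.1.0/24 and DNS server 192.168.1.10 are all assumed placeholders.

```cisco
! Added example: IOS SSL VPN (AnyConnect) context with split tunneling.
! All names and addresses below are assumed placeholders, not values from the thread.
ip local pool SSLVPN-POOL 192.168.10.10 192.168.10.100
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context SSLVPN
 policy group SSLVPN-POLICY
   functions svc-enabled
   svc address-pool "SSLVPN-POOL"
   ! Only the corporate LAN is routed into the tunnel; everything else,
   ! including Internet browsing, keeps using the home user's own gateway.
   svc split include 192.168.1.0 255.255.255.0
   ! Without this the client has no resolver for internal host names.
   svc dns-server primary 192.168.1.10
 default-group-policy SSLVPN-POLICY
 gateway SSLVPN-GW
 inservice
```

Leaving out the "svc split include" line gives the full-tunnel behaviour the thread started with: the client replaces its default route, so browsing only works if the router and firewall let the VPN pool out to the Internet. That is the more defensive posture giltjr described, at the cost of routing all of the user's traffic through the company connection.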
ASKER CERTIFIED SOLUTION
giltjr