split tunnel setup on asa 8.4 with asdm 6.4

we have anyconnect set up and working, except for split tunneling.

in the ASDM 6.4 I went to : remote access VPN > network (Client) access > group policies >  GroupPolicy_anyconnect_vpn > edit > advanced > split tunneling > then unchecked "inherit" on network list and have selected an ACL called "SPLIT-TUNNEL"

the ACL is pasted below from the CLI, these are all of our internal networks, everything is static routed and on the same vlan

SG-ASA-1# sho access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL; 10 elements; name hash: 0x25b1daf1
access-list SPLIT-TUNNEL line 1 extended permit ip (hitcnt=0) 0xe3a9484b
access-list SPLIT-TUNNEL line 2 extended permit ip (hitcnt=0) 0x377afd96
access-list SPLIT-TUNNEL line 3 extended permit ip (hitcnt=0) 0x0b4d6f9c
access-list SPLIT-TUNNEL line 4 extended permit ip (hitcnt=0) 0x7a6cc93f
access-list SPLIT-TUNNEL line 5 extended permit ip (hitcnt=0) 0xe228bdad
access-list SPLIT-TUNNEL line 6 extended permit ip (hitcnt=0) 0x317f80c8
access-list SPLIT-TUNNEL line 7 extended permit ip (hitcnt=0) 0xe4c276b0
access-list SPLIT-TUNNEL line 8 extended permit ip (hitcnt=0) 0x0c2dd3ab
access-list SPLIT-TUNNEL line 9 extended permit ip (hitcnt=0) 0x00a4d4e3
access-list SPLIT-TUNNEL line 10 extended permit ip (hitcnt=0) 0xfb381008

after that setting in the ASDM group policy, we tested unsuccessfully yesterday morning. They can connect and ping any of those inside networks but no internet. The asa log showed the following when a vpn client tried to ping yahoo.com

6      Aug 14 2012      07:51:04            64.60.xxx.xxx      4397      1433      Routing failed to locate next hop for TCP from inside:64.60.xxx.xxx/4397 to outside:

we can ping the inside network no problem after connecting to VPN from the outside.

64.60.xxx.xxx is our public IP that is on the outside interface which is the IP we use for vpn.ourdomain.com

thanks in advance for any help
Who is Participating?
Split tunnel ACLs should be standard access lists.

access-list SPLIT-TUNNEL line 1 standard permit ip

WAMSINCAuthor Commented:
thank you for the reply, I will test this weekend and get back to you
WAMSINCAuthor Commented:
in the asdm I went to the split tunnel section of the anyconnect policy, and created a new standard ACL as you suggested, and that did the trick, thanks!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.