Question : VPN split tunneling not working on ASA5510

I am setting up my firewall to accept remote connection VPNs, and I can't get split tunneling to work.  I connect, but once connected I cannot browse the internet.

Here is my running-config:

: Saved
:
ASA Version 8.2(2)
!
hostname HDH-Cisco5510IPS
domain-name hdh.local
enable password TdfwmQA279nt/Kbj encrypted
passwd TdfwmQA279nt/Kbj encrypted
names
name 172.22.13.0 Cloverdale
name 172.22.17.0 Windsor
name 207.65.76.20 Passport
name 172.20.0.56 PalmDrive
name 172.22.15.0 Healdsburg-Ave
name 170.229.11.19 Router-to-RRMG
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.144.30.210 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 170.229.11.6 255.255.240.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 management-only
!
banner login Authorized Personal Only!!!
banner login If you are not authorized to login please disconnect now.
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 170.229.11.2
 name-server 170.229.11.10
 domain-name hdh.local
same-security-traffic permit intra-interface
object-group service MIRTH_LAB_HL7
 service-object tcp eq 9443
 service-object udp eq 9443
object-group service SMARTNET
 service-object tcp eq pcanywhere-data
 service-object udp eq pcanywhere-status
 service-object tcp eq ftp
object-group network ARUP
 network-object host 12.10.132.226
 network-object host 12.10.132.232
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network RRMG
 network-object host 10.10.10.155
 network-object host 10.10.15.102
 network-object host 10.10.254.10
 network-object host 10.2.26.50
 network-object host 192.168.3.226
 network-object 10.51.100.0 255.255.255.0
access-list outside_access_in remark InTouch (Robot)
access-list outside_access_in extended permit udp any host 75.114.30.213 range 9000 9101
access-list outside_access_in remark Exchange
access-list outside_access_in extended permit tcp any host 75.144.30.213 eq smtp
access-list outside_access_in remark Medical Records (SmartNet)
access-list outside_access_in extended permit object-group SMARTNET any host 75.144.30.212
access-list outside_access_in remark Mirth Lab HL7
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 68.178.199.210 host 75.114.30.213
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 209.85.69.25 host 75.144.30.213
access-list outside_access_in extended permit object-group MIRTH_LAB_HL7 host 76.230.26.170 host 75.144.30.213
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_1_cryptomap extended permit ip 170.229.0.0 255.255.240.0 Cloverdale 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Cloverdale 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Windsor 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 170.229.11.124 object-group ARUP
access-list inside_nat0_outbound extended permit ip host 170.229.11.124 host Passport
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 host PalmDrive
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 object-group RRMG
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 Healdsburg-Ave 255.255.255.0
access-list inside_nat0_outbound extended permit ip 170.229.0.0 255.255.240.0 170.22.22.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 170.229.0.0 255.255.240.0 Windsor 255.255.255.0
access-list outside_3_cryptomap extended permit ip host 170.229.11.124 object-group ARUP
access-list outside_4_cryptomap extended permit ip host 170.229.11.124 host Passport
access-list outside_5_cryptomap extended permit ip 170.229.0.0 255.255.240.0 host PalmDrive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 170.22.22.0 255.255.255.0 any
access-list IPS extended permit ip any any
access-list IT_splitTunnelAcl standard permit 170.22.22.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 17
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool IT-Pool 172.22.22.1-172.22.22.10 mask 255.255.255.255
ip verify reverse-path interface inside
no failover
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 75.144.30.212 170.229.11.200 netmask 255.255.255.255
static (inside,outside) 75.144.30.211 170.229.11.26 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 75.144.30.214 1
route inside 10.2.26.50 255.255.255.255 Router-to-RRMG 1
route inside 10.10.10.155 255.255.255.255 Router-to-RRMG 1
route inside 10.10.15.102 255.255.255.255 Router-to-RRMG 1
route inside 10.10.254.10 255.255.255.255 Router-to-RRMG 1
route inside 10.51.1.0 255.255.255.0 Router-to-RRMG 1
route inside Healdsburg-Ave 255.255.255.0 170.229.11.60 1
route inside 192.168.3.226 255.255.255.255 Router-to-RRMG 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 170.229.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.89.157.158
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 173.164.155.242
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 12.10.132.31
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 207.65.77.135
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 63.193.20.139
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=75.144.30.213,O=North Sonoma County Hospital District,C=US
 keypair VPN
 crl configure
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 170.229.0.0 255.255.240.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 anyconnect-essentials
group-policy IT internal
group-policy IT attributes
 dns-server value 170.229.11.2 170.229.11.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_splitTunnelAcl
 default-domain value hdh.local
username mmcjilton password Gbr1LgkU8cAKX5Pp encrypted privilege 15
username gcrossan password MgXqpsHooqyWk.LK encrypted privilege 0
username gcrossan attributes
 vpn-group-policy IT
username clindell password bLTxyxQHPMK2XH77 encrypted privilege 0
username clindell attributes
 vpn-group-policy IT
tunnel-group 70.89.157.158 type ipsec-l2l
tunnel-group 70.89.157.158 ipsec-attributes
 pre-shared-key *****
tunnel-group 173.164.155.242 type ipsec-l2l
tunnel-group 173.164.155.242 ipsec-attributes
 pre-shared-key *****
tunnel-group 12.10.132.31 type ipsec-l2l
tunnel-group 12.10.132.31 ipsec-attributes
 pre-shared-key *****
tunnel-group 207.65.77.135 type ipsec-l2l
tunnel-group 207.65.77.135 ipsec-attributes
 pre-shared-key *****
tunnel-group 63.193.20.139 type ipsec-l2l
tunnel-group 63.193.20.139 ipsec-attributes
 pre-shared-key *****
tunnel-group IT type remote-access
tunnel-group IT general-attributes
 address-pool IT-Pool
 default-group-policy IT
tunnel-group IT ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  ips inline fail-open sensor vs0
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global-policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:64648ac01f251dd2b3d5650664dac2a0
: end
asdm image disk0:/asdm-631.bin
asdm location Cloverdale 255.255.255.0 inside
asdm location Windsor 255.255.255.0 inside
asdm location 12.10.132.226 255.255.255.255 inside
asdm location 12.10.132.232 255.255.255.255 inside
asdm location Passport 255.255.255.255 inside
asdm location PalmDrive 255.255.255.255 inside
asdm location Healdsburg-Ave 255.255.255.0 inside
asdm location Router-to-RRMG 255.255.255.255 inside
asdm location 170.22.22.0 255.255.255.0 inside
no asdm history enable

Answer : VPN split tunneling not working on ASA5510

ok if that is the case
your split tunnel has to be like this

no access-list IT_splitTunnelAcl standard permit 170.229.0.0 255.255.240.0 any
access-list IT_splitTunnelAcl standard permit host 0.0.0.0
group-policy IT attributes
 no split-tunnel-policy tunnelspecified
 no split-tunnel-network-list value IT_splitTunnelAcl
split-tunnel-policy excludespecified
split-tunnel-network-list value IT_splitTunnelAcl

+ you have to select the local lan access in client see imange

let me know the status