Cisco ASA AnyConnect VPN - Connects and can route internally, but cannot route to internet

Howdy,

I’ve set up a Cisco AnyConnect VPN - when I connect with a client, I get an IP and can route to internal resources fine.

However, when I connect, I cannot route out to the internet?

I’m not split tunnelling, all traffic is routing via the tunnel. The internet traffic is going out the same interface clients connect on.

Do I need to NAT the VPN clients back out?

Any ideas would be very helpful!

You will need a

nat (outside,outside) dynamic interface

type nat to get out to the internet.

A couple of things. Of course, as Krandor1 pointed out, make sure there is a NAT rule for your AnyConnect. Secondly, you’ll need an additional command - same-security-traffic permit intra-interface - I believe that’s the command. That will allow the traffic to basically hairpin.

You can always use packet-tracer to see where the packet is failing.
packet-tracer outside your vpn subnet to destination 8.8.8.8 or something like that.

Along with the NAT statement provided, you need this for the traffic to be allowed to enter and then exit the outside interface.

same-security-traffic permit intra-interface

I just use a different firewall for the NAT, and just use the ASA for the remote access. Then the other firewall is reached just like other network resources inside of the ASA.

Just setup split tunneling. :+1:

This is the appropriate way to get this done.

Add “detailed” to the end of that to get to the good stuff.

Edit: Cisco Doc: Cisco Secure Firewall ASA Series Command Reference, I - R Commands - Cisco
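Pulling the pieces from the replies above into one ASA configuration fragment (an added example, not from any poster; the pool name, object name, pool range and interface name "outside" are assumed placeholders, and the addresses are constructed): the hairpin permit, an object NAT that only matches traffic entering and leaving the outside interface, and a packet-tracer check in detailed mode.

```cisco
! Allow a flow to enter and exit the same interface (VPN client -> outside -> internet)
same-security-traffic permit intra-interface

! Address pool handed out to AnyConnect clients (constructed range; must match
! the pool already referenced by your tunnel-group / group-policy)
ip local pool ANYCONNECT_POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0

! Object NAT for the pool: because both interfaces are "outside", this rule
! only fires for hairpinned internet-bound traffic, so existing NAT exemption
! rules for VPN-to-inside traffic are unaffected
object network ANYCONNECT_POOL_NET
 subnet 192.0.2.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Verification: simulate a TCP SYN from a connected client to 8.8.8.8:443
! and read the NAT and same-security phases in the detailed output
packet-tracer input outside tcp 192.0.2.10 12345 8.8.8.8 443 detailed
```

If the trace drops in an ACL or NAT phase, check that a manual (twice) NAT rule earlier in the table is not matching the pool first, since those take precedence over object NAT.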