I am replacing a 3015 concentrator with a 2801 sec-bundle router. The public interface of the concentrator sits in the 'public dmz' of our ASA. The private interface of the concentrator sits in an internal dmz of the ASA. I currently have the 2801 connected similarly, with one interface in each dmz. The router's default gateway is out the 'public' side, and it has static routes that point to all of our internal networks through the 'private' side. This is working fine for all of our lan-to-lan tunnels.
My problem is with AnyConnect SSL clients, specifically when a remote user tries to connect to the internet. Because the router's default gateway points out the 'public' side, the remote user's internet traffic is going out the 'public' side of the router and hitting the public dmz interface of our ASA. Even if I allow that traffic out, the ASA will try to route the return traffic to the remote users via the internal interface, because of the subnet that I'm terminating the remote clients on. With the concentrator and the IPSec client, there is a 'tunnel default gatway' option that lets me point all the remote user traffic at the internal side of the ASA. Unfortunately, that option does not appear to exist for the SSL client.
One option I am considering is eliminating one leg of the router. If I force all traffic in/out through one side, then I won't have this problem. Another option is to set up a new subnet for the remote access clients that is always routed through the public interface. Alternatively, I could just allow split tunneling by the clients, but I would rather not do that. Are there other options that I'm not seeing? Does anyone have a recommendation on which way to go?
I will attach a diagram.
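The following is an added configuration sketch, not the poster's config, showing the two-leg 2801 layout described above together with the second option raised in the post: a dedicated address pool for the AnyConnect (SVC) clients that the ASA routes back through the router's public-DMZ leg. Interface names, addresses (192.0.2.0/24 for the public DMZ, 198.51.100.0/24 for the internal DMZ, 10.0.0.0/8 for the internal networks, 172.16.50.0/24 for the client pool), the pool and context names, and the ASA interface nameifs are all assumed placeholders.

```text
! ---- 2801 (IOS 12.4T WebVPN), assumed names and addresses ----
interface FastEthernet0/0
 description public-DMZ leg; ASA public-dmz interface is 192.0.2.1 (assumed)
 ip address 192.0.2.2 255.255.255.0
!
interface FastEthernet0/1
 description internal-DMZ leg; ASA internal-dmz interface is 198.51.100.1 (assumed)
 ip address 198.51.100.2 255.255.255.0
!
! default route out the public side, internal networks via the private side (as in the post)
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.0.0.0 255.0.0.0 198.51.100.1
!
! dedicated subnet for SSL VPN clients, distinct from every internal range
ip local pool SSLVPN-POOL 172.16.50.1 172.16.50.254
!
webvpn gateway SSL-GW
 ip address 192.0.2.2 port 443
 inservice
!
webvpn context SSL-CTX
 gateway SSL-GW
 policy group DEFAULT
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  ! no "svc split include" lines: full tunnel, client Internet traffic comes through the router
 default-group-policy DEFAULT
 inservice

! ---- ASA, assumed nameifs "public-dmz" and "internal-dmz" ----
! Return traffic for the client pool goes back out the public DMZ to the router,
! instead of being routed toward the inside where the old pool subnet lived.
route public-dmz 172.16.50.0 255.255.255.0 192.0.2.2 1
! Permit the pool's Internet-bound traffic on the public-dmz interface ACL (names assumed).
access-list PUBLIC-DMZ-IN extended permit ip 172.16.50.0 255.255.255.0 any
access-group PUBLIC-DMZ-IN in interface public-dmz
```

With the pool routed this way, client-to-Internet traffic enters and leaves the ASA on the public DMZ, which removes the asymmetry the post describes. Client traffic to internal hosts still enters the ASA on the internal DMZ while the pool's route points at the public DMZ, so check that unicast RPF (`ip verify reverse-path`) is not enabled on the internal-dmz interface, or add a more specific route for the pool on that interface, before relying on it for internal access.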