In general: If the client can directly communicate with the internet, it's easier for an attacker to use that PC as a jump point into the network or to compromise the client. The typical solutions to give VPN clients internet access are:
Place a proxy server into your internal network and reconfigure the proxy settings of the client to use this proxy. This reconfiguration can be done automatically, controlled by the ASA. This is my favorite solution for company employees. Optionally, the proxy could scan the traffic for internet threats like malware.
If you can't or don't want to deploy a proxy, you can send all Internet traffic straight back to the internet. For that you need a NAT rule (outside,outside) to do dynamic PAT for your VPN pool, and you have to configure "same-security-traffic permit intra-interface". This is my second choice for company employees. With this, there is no malware scan unless you have a security module like CX in your firewall. Still, an internet attacker will not be able to initiate a bidirectional connection to the client. And you have central logging for client activity while they are connected to the VPN.
Configure split tunneling. With that, you only send traffic that is for your company through the tunnel, and all the rest is allowed directly from the client to the internet. This is the least secure solution. With a little misconfiguration of the client (like a disabled Windows firewall), the PC can be attacked by systems on the internet.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
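The three options in the answer above, written out as an ASA configuration fragment. This is an added example, not configuration from the original post; the pool 192.0.2.0/24, the interface name "outside", the group-policy name GP-RA-TUNNELALL, the proxy address 10.10.10.5:3128 and the internal network 10.0.0.0/8 are assumed values.

```cisco
! Added example (not from the original post). Assumed values:
! VPN pool 192.0.2.0/24, outside interface "outside", group-policy GP-RA-TUNNELALL.
!
! Option 2: tunnel all, then hairpin client Internet traffic back out the outside interface.
! Traffic must be allowed to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Address pool handed to the VPN clients.
ip local pool VPN-POOL 192.0.2.1-192.0.2.254 mask 255.255.255.0
!
! Dynamic PAT of the VPN pool behind the outside interface address for flows
! that arrived through the tunnel (outside) and leave towards the Internet (outside).
object network OBJ-VPN-POOL
 subnet 192.0.2.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Force every client flow into the tunnel; nothing goes directly to the Internet.
group-policy GP-RA-TUNNELALL internal
group-policy GP-RA-TUNNELALL attributes
 split-tunnel-policy tunnelall
 address-pools value VPN-POOL
!
! Option 1 (preferred in the answer): keep tunnelall, but push the internal proxy
! to the client so Internet traffic can be scanned and logged there.
! Assumed proxy 10.10.10.5:3128; add these lines to the group-policy attributes.
!  msie-proxy server value 10.10.10.5:3128
!  msie-proxy method use-server
!
! Option 3 (least secure): split tunneling. Only the listed internal networks use the
! tunnel; everything else leaves the client directly, so the client is reachable
! from the Internet while connected. Assumed internal network 10.0.0.0/8.
!  access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0
!  (in the group-policy attributes)
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT-ACL
```

Verify option 2 with "show nat" (translate hits on the (outside,outside) rule) and by checking that a connected client's public address is the ASA's outside address.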
In case you have sufficient bandwidth available in your office network, go with tunnel-all and make everything go via your office network, so that you can keep track of internet usage. Otherwise, another option is split tunnel for your VPN: only the office LAN network will flow through the VPN and the rest will flow through the local gateway. This means all traffic related to the office LAN (whatever you have in the internal LAN or VPN ACL) will be routed to the VPN gateway, and all other traffic (the 0.0.0.0 route) will go via the local gateway of the end user's ISP.
If you take things via the office network, you can limit/block unnecessary ports or protocols, and you can keep content filtering / proxy servers in the inside LAN to block blacklisted sites or malware sites.