Cisco ASA Remote Access VPN

Hello Mohamed

Well, since this is for an AnyConnect user, that means that the policies applied in the group policy are valid for ALL traffic. The ACLs I included in my post will match ALL traffic that has TCP destination ports of 80 and 443 regardless of whether or not the destination is on the Internet or on the local network.

If you need to be more specific beyond just the TCP ports, then you can include IP addresses in your ACLs. If you want to be able to reach a local server on both ports 80 and 443, then you can create the following SPLIT_TUNNEL ACL:

ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 443
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 80
ASA1(config)# access-list SPLIT_TUNNEL extended permit tcp any any eq 443

The above ACL will match all TCP traffic destined to ports 80 and 443 EXCEPT for those packets with a destination IP address of 192.168.10.10. This may be a local web server on your local network. By issuing the deny statements before the more general permit statements, you make sure to exclude any packets destined for that particular local device. Does that make sense?

I hope this has been helpful!

Laz
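To make the first-match behaviour described above concrete, here is an added example (not part of Laz's reply and not Cisco code) that parses the four SPLIT_TUNNEL lines from the post and evaluates sample flows against them the way the ASA walks an ACL top-down, stopping at the first matching entry. It models only the subset of extended ACL syntax used in the post (`any`, `host`, `A.B.C.D MASK`, `eq PORT`); the flow addresses are constructed sample values. The last function also shows what happens if the deny entries are placed after the permits, which is the ordering mistake the reply warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four ACEs from the post as they would appear in a running config
SAMPLE_ACL = """
access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 80
access-list SPLIT_TUNNEL extended deny tcp any host 192.168.10.10 eq 443
access-list SPLIT_TUNNEL extended permit tcp any any eq 80
access-list SPLIT_TUNNEL extended permit tcp any any eq 443
"""

# A few well-known port names the ASA accepts in place of numbers (subset, for illustration)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means "any destination port"


def _parse_addr(tokens: List[str], i: int):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash, e.g. 10.0.0.0/255.255.255.0
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the ACEs of the named extended ACL, preserving configuration order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> Optional[str]:
    """Return the action of the first ACE that matches the flow, or None if no entry matches.

    This mirrors the ASA's top-down, first-match evaluation: once an entry matches,
    later entries are never consulted, which is why the specific deny lines must
    precede the general permit lines.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):       # "ip" covers every transport protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return None


def denies_after_permits(aces: List[Ace]) -> List[Ace]:
    """Return the same ACEs with every deny moved below the permits (the wrong order)."""
    return [a for a in aces if a.action == "permit"] + [a for a in aces if a.action == "deny"]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "SPLIT_TUNNEL")
    # Constructed flows: VPN client 10.1.1.5 talking to the local web server and to an Internet host
    flows = [
        ("tcp", "10.1.1.5", "192.168.10.10", 80),
        ("tcp", "10.1.1.5", "192.168.10.10", 443),
        ("tcp", "10.1.1.5", "203.0.113.7", 443),
        ("tcp", "10.1.1.5", "192.168.10.10", 22),
    ]
    for flow in flows:
        print(flow, "->", evaluate(acl, *flow), "| wrong order ->", evaluate(denies_after_permits(acl), *flow))
```

Running the script shows the two flows to 192.168.10.10 on 80/443 hitting the deny entries, the Internet flow on 443 hitting the permit, and port 22 matching nothing at all; with the deny lines moved below the permits, the local server is matched by `permit tcp any any eq 80` first and the exclusion never takes effect.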