If you want to limit the client to the network he connected to, you can do it by
first a standard ACL, putting in it the network that this client is allowed to use, then include it in the split tunneling option, in the tunnel specified, then in the tunnel network value put the ACL name or number. In this case the client will send traffic over the tunnel only to that network.
Also, you can use the filtering option on the user itself if you use local database username and password.
Go to the username:
username [username] attributes
Then under these attributes there's a filtering option; put here an ACL number that you have to create first.
In the ACL just permit what you want the user to do only; anything else will be denied.
Also, another filtering and split tunneling way:
In the above config, when you define the split tunnel you put the command tunnel specified, then the ACL.
You also have an option called tunnel unspecified.
This one will work exactly the opposite way to normal split tunnel.
This will include everything except the traffic specified in the ACL.
Finally, you can make restrictions on the clients by first removing the sysopt connection allow ipse
and then create normal ACLs to permit client IPs to what you want, and then everything not in the ACL will be denied by the default implicit deny.
Good luck.
Please rate, if helpful.
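
The three restrictions described in the post above, written out as an added configuration example that is not part of the original post. It assumes Cisco ASA syntax; every name and address (RA-POLICY, SPLIT-ACL, USER1-FILTER, OUTSIDE-IN, user1, the 10.10.x.x ranges, the interface name outside) is a constructed placeholder, and the group policy is assumed to be already attached to the remote-access tunnel group.

```cisco
! Constructed example: all names and addresses are placeholders.
!
! 1) Split tunneling: only traffic to 10.10.20.0/24 is sent over the tunnel.
access-list SPLIT-ACL standard permit 10.10.20.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
! The inverse behaviour (tunnel everything except the ACL) uses the
! ASA keyword excludespecified in place of tunnelspecified.
!
! 2) Per-user filter for a local-database user.
! In a filter ACL the VPN client pool (assumed 10.10.50.0/24) is the
! source and the inside resource is the destination. Anything not
! permitted here is dropped by the implicit deny.
access-list USER1-FILTER extended permit tcp 10.10.50.0 255.255.255.0 host 10.10.20.15 eq 443
username user1 attributes
 vpn-filter value USER1-FILTER
!
! 3) Subject decrypted VPN traffic to the normal interface ACL.
! Older releases name this command "sysopt connection permit-ipsec".
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 10.10.50.0 255.255.255.0 host 10.10.20.15 eq 443
access-group OUTSIDE-IN in interface outside
```

Split tunneling only controls what the client routes into the tunnel; the filter ACL or the interface ACL is what actually enforces the restriction on the firewall, so a least-privilege setup needs one of those two in addition to the split tunnel list.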