We use a 3000 series concentrator to allow certain users access to a restricted part of our network.
It has been set up to allow PCs to also communicate with our private addresses (a class B).
I need to deny access to a couple of IPs internally (within the class B).
Is there a way to deny access to those IPs specifically, or do I have to go in and completely reconstruct the allow lists?
The most coherent way to do this is to use Filters and rules to deny traffic to these IP Addresses, check the following link for that:
Create rules and add them to a filter that then can be applied to the Group that those clients are connecting to.
On a different approach, if these VPN clients are using TunnelAll as the split tunnel policy, you can change the policy to be "exclude networks in the list to bypass the tunnel" and use a network list (that will contain those restricted hosts); then, when traffic is intended for those hosts, the VPN client will not tunnel that traffic. FYI, this will cause traffic for those hosts under that SPLIT TUNNEL policy to be sent in plain text: not routed, but sent in plain text by the VPN client.
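To make the difference between the two approaches concrete, here is a small added example (my own model, not the original poster's configuration and not Cisco code). It models a first-match packet filter like the one suggested in the answer, with deny rules for the restricted hosts placed ahead of the broad permit for the class B, and a separate model of the "exclude networks in the list" split-tunnel decision. The class B range 172.16.0.0/16, the two restricted hosts and the rule names are all constructed for illustration; on the real concentrator the rules and filters are built in the GUI, and the filter's default action is a setting there, so the deny default below is an assumption of the model.

```python
"""
Constructed model of two ways to keep VPN clients off a few internal hosts:
  1. a first-match filter (deny rules, then a permit for the whole class B),
     enforced on the concentrator side, and
  2. a split-tunnel exclusion list, which only decides on the client whether
     traffic is tunnelled at all (excluded traffic leaves the client in the clear).
All addresses and rule names are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    dst: IPv4Network     # destination network the rule matches


# Constructed topology: the private class B and the two hosts to block.
PRIVATE_B = ip_network("172.16.0.0/16")
RESTRICTED = [ip_network("172.16.5.10/32"), ip_network("172.16.5.11/32")]


def build_filter(restricted: Iterable[IPv4Network], allowed: IPv4Network,
                 deny_first: bool = True) -> List[Rule]:
    """Build the rule list. deny_first=False reproduces the ordering mistake
    where the broad permit shadows the host denies."""
    denies = [Rule(f"deny-{n.network_address}", "deny", n) for n in restricted]
    permit = [Rule("permit-private-B", "permit", allowed)]
    return denies + permit if deny_first else permit + denies


def first_match(rules: Iterable[Rule], dst: str,
                default: str = "deny") -> Tuple[str, str]:
    """Evaluate rules top-down; the first rule whose network contains dst wins.
    The deny default is an assumption of this model (a real filter's default
    action is configured on the device)."""
    addr = ip_address(dst)
    for rule in rules:
        if addr in rule.dst:
            return rule.action, rule.name
    return default, "default"


def tunnelled(exclude_list: Iterable[IPv4Network], dst: str) -> bool:
    """Model of the 'exclude networks in the list' split-tunnel policy:
    True if the client sends traffic to dst through the tunnel, False if the
    destination is in the exclusion list and the packet bypasses the tunnel
    (i.e. goes out the client's local interface unencrypted)."""
    addr = ip_address(dst)
    return not any(addr in net for net in exclude_list)


if __name__ == "__main__":
    good = build_filter(RESTRICTED, PRIVATE_B)
    bad = build_filter(RESTRICTED, PRIVATE_B, deny_first=False)
    for dst in ("172.16.5.10", "172.16.7.1", "10.0.0.1"):
        print(dst, "deny-first:", first_match(good, dst),
              "permit-first:", first_match(bad, dst),
              "tunnelled:", tunnelled(RESTRICTED, dst))
```

The point the model makes: with the permit for the class B listed first, the host denies are never reached, so the order of the rules inside the filter matters as much as their content. The split-tunnel variant never blocks anything; it only stops the client from encrypting that traffic, which is why the answer warns that it goes out in plain text.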