I want to lock down some VPN client users in a particular group that connect to our router so that they can only access RDP on a server. I cannot seem to get this to work through a split tunnel ACL for the group:
access-list 100 permit tcp host 192.168.5.10 192.168.3.0 0.0.0.255 eq 3389
It seems that, because of the way the split tunnel ACL specifies the source and destination subnets (they are reversed for split tunneling), it can't support a destination TCP port on the LAN? (I have tried the ACL many other ways and I can't get it to work.)
Is there any way to make it work with a split tunnel ACL, or do I just have to configure different VPN client subnets for each group and filter them on an interface ACL?
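The second approach mentioned in the question (a dedicated client address pool per group, with the port restriction on an interface ACL) written out as an added example. This is not configuration from the original post; the pool 192.168.5.0/24, the group name RDP-ONLY, the ACL numbers and names, the RDP server 192.168.3.10 and the LAN interface GigabitEthernet0/1 are all assumptions. The split tunnel ACL carries only network information (LAN network as source, client pool as destination), and the TCP port restriction lives in an outbound ACL on the LAN interface, which sees the decrypted packets:

```cisco
! Assumed: one address pool per group, so the group can be matched by source address
ip local pool RDP-ONLY-POOL 192.168.5.1 192.168.5.254
!
crypto isakmp client configuration group RDP-ONLY
 key RdpOnlyGroupKey
 pool RDP-ONLY-POOL
 acl 101
!
! Split tunnel ACL: protected LAN as source, client pool as destination, no ports
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! Interface ACL carrying the port restriction for this pool only
ip access-list extended RDP-ONLY-TO-LAN
 permit tcp 192.168.5.0 0.0.0.255 host 192.168.3.10 eq 3389
 deny   ip  192.168.5.0 0.0.0.255 any log
 permit ip  any any
!
interface GigabitEthernet0/1
 description Assumed LAN interface (192.168.3.0/24)
 ip access-group RDP-ONLY-TO-LAN out
```

Applying the ACL outbound on the LAN interface avoids any question of whether the outside interface ACL is evaluated before or after decryption, and it does not touch the server's replies, which are inbound on that interface. The `log` keyword on the deny entry is there so that `show logging` shows what a client in the group tried to reach beyond RDP, which is a quick way to confirm the filter is actually being hit.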