Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Deny statement in VPN3000 'Network Lists'

I dont allow split tunnelling for users connected to the corporate lan via concentrator but would like the users to be able to still access the internet via the corporate network. It seems the best way to do this for me would be to use a deny statement for specific corporate segments and 'permit any' others.

-Is there a way to use a deny statement in the Network Lists section?

-How do I deny certain destination network ranges for the groups while still allowing internet traffic to be routed through the corporate lan?

Thank you,


Cisco Employee

Re: Deny statement in VPN3000 'Network Lists'

You can apply filter for the group that the user belongs to.

You need to have a deny/drop rule for the protected network, and a permit/forward for the allowed networks.

Have a look at the way the public filter is setup under : Config| policy management| traffic manage|filter and do add reules to filter on public filter. The also look at rules (instead of filter). So if you could work out the rules, and how it is to be applied to a filter, you can create your own filter, add a rule to it that you also define, then use the filter for the group, by -> config|user manage| group | modify the group, and select general, and apply the filter you created on the filter tab.

Hope it makes sense.



CreatePlease to create content