Cisco Support Community
Community Member

VPN 3005 -limiting network access

Is there any way to limit groups so they can only access certain IP addresses? I want to limit a certain user to access only one server.

Also, what can the split tunneling policy do for me?

Thanks for any help.

Community Member

Re: VPN 3005 -limiting network access

Split tunneling will allow your clients to access the internet or local lan while they use the vpn but this is a security concern. With the group you are configuring make a network list and put that specific server in the list. Then apply this list to the group under (only tunnel networks in list)

Cisco Employee

Re: VPN 3005 -limiting network access


Additionally if you want to apply Filter rules on the Private Interface to allow the traffic to be checked before it goes into the Network. You can make the Rules for the IP Addresses of the users coming in and only allow for specific Servers rather then for the whole Network.

Hope it makes sense,


Aamir Waheed,

Cisco Systems, Inc.

Community Member

Re: VPN 3005 -limiting network access

Slightly confused here. I have a similar situation. I want to lock down a VPN group to one internal IP address/server only. No access to the rest of the LAN whatsoever. Can I do this and if so, how? (Cisco 3000 series).

Thanks for any help or pointers.

Community Member

Re: VPN 3005 -limiting network access

very simple.. dosen't require "filters" on the private interface or anything crazy. what you can do

is make a new group (say the "remoteconsultant" group).

For this group make a new network list under

Configuration | Policy Management | Traffic Management | Network Lists

now in this list, only include the 1 ip address

you want these people to speak to.

now when they connect up to the concentrator, their

client will be told to only send data for this

single internal host to the concentrator (everything else will go to their default gateway).

Now I don't know if the connecting user can set up an nt route add statement or something to force the rest of the subnet through his client to concentrator tunnel ? However if you have a pix or router behind your concentrator, you can of course

enforce the "single-host only tunnel" with an access


Another option, is giving the single host you want the guy to talk to a secondary ip address, and use this new subnet as his ip address specified when

that user connects... like make a new subnet from your internal subnet just for him and your 1 server.

CreatePlease to create content