Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Internet on a stick (no split-tunnel) with limited internal access?

Is it possible to configure remote access (IPSEC client) to force all traffic through the tunnel (no split tunnel) yet still limit the internal hosts that can be accessed?

I have been asked to provide remote access (via ASA5510) with the following requirements:

    - the client should have unrestricted internet access via the ASA (the source address will appear to be the outside interface of the ASA)

    - the client should have access to only two internal hosts ( and

Configuring no split-tunnel using the ASDM wizard or using the example provided by Cisco ( results in remote access to all interior networks (

Is there a way to limit access to those two internal hosts, while still providing secured internet access? The only way I can see is to use an access list on another device (for example our core switch).

Any suggestions? Thanks in advance for any help.

Cisco Employee

Re: Internet on a stick (no split-tunnel) with limited internal

Hi Tom,

Yes you can apply an access-list to the tunnel, with the "VPN-filter" command in the group-policy.


access-list foo permit any host

access-list foo permit any host

access-list foo deny any

access-list foo permit any any

group-policy mygp attributes

vpn-filter foo



Sent from Cisco Technical Support iPad App

CreatePlease to create content