Can someone help me with an issue i'm trying to resolve.
I want to deny vpn users access to some of our internal networks that we are migrating to a new company.
internal networks as defined
but now I need make certain subnets unreachable like 220.127.116.11/24 and 10.10.23.0/24 by vpn users.
Are you using an ASA firewall? What type of VPN, I assume Remote Access VPN using AnyConnect?
If ASA, you probably need to configure VPN Filter, example here.
Yes i use ASA Firewall. An update to this is that we want to deny all vpn access to those networks not just anyconnect clients
Each VPN type has an associated configuration that defines which networks are accessible.
SSL VPN (Anyconnect) uses an ACL that's called out under "tunnel-specified" in the group-policy section of the configuration.
Site-to-site VPNs use a different ACL that's called out in the cryptomap associated with a given remote peer.
Change the ACLs and you change the accessible networks.