IPSEC remotes access vpn with specific URL access

rameshwarhiwale
Level 1

Dear All,

I have a special requirement of only allowing a couple of URLs through remote access VPN, e.g. VPN users should be able to access the URLs below through the VPN:

www.abc.com\form\do\ctr.aspx

www.abc.com\form\do\nect\user.html

I cannot use WebVPN/SSL VPN/AnyConnect client.

I can use only the remote access VPN client to connect to the ASA.

The ASA is a 5510 with 8.2.1.

Please let me know how to do it and, if possible, please provide a step-by-step procedure.

5 Replies

Hi,

A way to do this is to allow the remote access VPN connections into the ASA.

Then, allow u-turn so that the VPN clients can get out to the internet via the ASA.

And.... configure MPF to only permit the desired URLs.

Check this link:

https://supportforums.cisco.com/docs/DOC-1268

Federico.

Thanks for your reply.

Since the ASA will allow the specified IP addresses from the VPN pool to reach the allowed hosts through a NAT exemption rule in the case of remote access VPN, please help me to understand your suggestion.

Also, can I use DAP for this requirement?

ie.

VPN client pool 10.1.1.0/24

Internal range 172.16.0.0/24

Configuration to allow internet access to for the VPN clients (u-turn):

same-security-traffic permit intra-interface

nat (outside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

The above configuration will allow u-turn for the VPN traffic to the Internet using PAT.

The requirement is that all VPN traffic should be sent through the tunnel (no split-tunneling).

Additionally configure MPF to check which URLs are allowed.

Federico.

Thanks Federico,

Your solution would be correct if I had the URLs hosted on the Internet, but in my case the URLs are hosted in the DMZ and in the inside network.

I want the remote access client VPN to be configured.

Users will access this VPN through the VPN dialer.

Users should have access to particular URLs only.

I have many URLs hosted on the same server, e.g.:

www.abc.com\exmple\trd\main.aspx - the user should access this

www.abc.com\example\trd - the user should not be able to access this

www.abc.com\exmple\trd\main\access.html - the user should not access this

Thanks for your response.

I see what you're saying... but the same concept applies then...

The VPN clients connect to the ASA (tunnel terminates here).

The VPN client tries to go to the URL.

By DNS or any other method, the VPN client is instructed that to reach the URL it should send the traffic to the DMZ (instead of to the Internet).

The MPF can be configured to permit/filter the URLs (on the Internet or on any other interface of the ASA).

Is this making more sense?

Federico.
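To illustrate the MPF approach Federico describes, here is an added example of an ASA 8.2-style configuration; it is not from the thread or from Cisco documentation, and it assumes the two URIs from the original question are served over plain HTTP with forward-slash paths, that the VPN pool is 10.1.1.0/24 as in Federico's reply, and that the default global_policy already exists on the ASA. HTTP inspection cannot see the URI inside HTTPS, so this only filters cleartext HTTP.

```ios
! Regex objects for the two allowed request URIs (assumed forward-slash paths).
! ASA "request uri" matching sees the path, not the hostname, so anchor at "^".
regex ALLOW_CTR "^/form/do/ctr\.aspx"
regex ALLOW_USER "^/form/do/nect/user\.html"
!
! Group the allowed URIs so the policy can match "not in this list"
class-map type regex match-any ALLOWED_URIS
 match regex ALLOW_CTR
 match regex ALLOW_USER
!
! HTTP inspection policy: any request whose URI is not on the allow list
! is dropped and logged; malformed HTTP is dropped as well.
policy-map type inspect http VPN_URL_FILTER
 parameters
  protocol-violation action drop-connection log
 match not request uri regex class ALLOWED_URIS
  drop-connection log
!
! Apply the inspection only to HTTP traffic sourced from the VPN pool
access-list VPN_HTTP extended permit tcp 10.1.1.0 255.255.255.0 any eq www
class-map VPN_HTTP_CLASS
 match access-list VPN_HTTP
!
policy-map global_policy
 class VPN_HTTP_CLASS
  inspect http VPN_URL_FILTER
!
service-policy global_policy global
```

Verify with "show service-policy inspect http" and the drop logs after testing one allowed and one disallowed URI from a VPN client; a request such as /form/do/nect/ (without user.html) should appear as a logged drop.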