Wednesday, March 3, 2010

Using “vpn-filter” to restrict access from RA VPN or EZVPN client

 

By default, the VPN server (PIX/ASA) allows all traffic that is tunneled to it to exit the tunnel. To restrict the traffic that passes through the tunnel, use the "vpn-filter value <acl>" command under the group-policy.

Be careful: this ACL restricts traffic not only in the direction from client to server, but also from server to client.

 

See the diagram below for details. Because the ACL is applied in both directions, use specific IPs/subnets as the source in the ACL. If the range is too "broad", unexpected traffic may also be filtered.

For example, if you want to permit traffic from the client only to the internal DNS server (172.16.1.1) and configure the ACL for vpn-filter as below:

access-list 103 extended permit udp any host 172.16.1.1 eq 53

you will restrict not only traffic from the client to the DNS server on UDP/53, but also the reply from the server to the client. The client will never get the response from the server, because the vpn-filter also blocks it in the reverse direction.
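As an added example (not from the original post or the Cisco reference), here is how the filter would be wired up on an ASA; the client address pool 192.168.100.0/24 and the names RA-POLICY and RA-TUNNEL are assumptions, while the internal DNS server 172.16.1.1 is the one from the post.

```cisco
! Constructed example: the client pool 192.168.100.0/24 and the policy/tunnel names are assumptions.
! Use the specific client pool as the source rather than "any", so the filter does not catch unrelated traffic.
access-list 103 remark Client -> internal DNS server (172.16.1.1) on UDP/53
access-list 103 extended permit udp 192.168.100.0 255.255.255.0 host 172.16.1.1 eq 53
access-list 103 remark Reverse direction: the post reports the filter is also applied to server -> client traffic
access-list 103 extended permit udp host 172.16.1.1 eq 53 192.168.100.0 255.255.255.0
access-list 103 remark Log everything else the tunnel tries to carry (the implicit deny would drop it silently)
access-list 103 extended deny ip any any log
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-filter value 103
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! Verification: hit counts per entry show which direction is matching or being denied
! show access-list 103
! show vpn-sessiondb detail remote
```

If the reverse entry's hit count stays at zero while DNS works, the ASA is handling the return traffic without it and the entry can be dropped to keep the filter tight.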

Notes:
When I tested this with the MS L2TP VPN client, the ACL did not work as expected until I re-established the VPN tunnel. In the worst case, I even needed to reboot the client.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
