Using a Cisco ASA 5555 with the AnyConnect SSL client and split tunneling enabled, how do I force an inside tunneled route to an FQDN so that the AnyConnect client tunnels through the ASA and presents the egress IP of the ASA to the destination? I've read conflicting results about adding an FQDN to an ACL as a secured route. It would be easier if the host had a single static IP address, but it's behind an AWS load balancer, so the IPs change. Am I even making sense? On a scale of 1-10 representing my knowledge of ASAs (where 1 = WTF is an ASA, 10 = I configure ASAs in my sleep), I'd say I'm at about a 4.