Wednesday, December 3, 2014

Cisco ASA Restrict VPN traffic to 1 IP on Site to Site (L2L) Tunnel

I was recently asked to restrict access on a VPN tunnel to one IP address, 192.168.240.13. Here is how I did it:



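! ACL used as the VPN filter: only traffic matching host 192.168.240.13 is permitted
access-list restrict extended permit ip host 192.168.240.13 any

! Group policy that applies the ACL to the tunnel as its vpn-filter
group-policy Tunnel internal
group-policy Tunnel attributes
 vpn-filter value restrict

! Make that group policy the default for tunnel group 2.2.2.2
tunnel-group 2.2.2.2 general-attributes
 default-group-policy Tunnel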
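
To confirm the chain above (tunnel-group -> group-policy -> vpn-filter -> access-list) is actually in place on a saved configuration, here is an added audit script; it is not part of the original post. The second tunnel (3.3.3.3, policy "Open") and the function name are made up for the example.

```python
import re

# Constructed sample running-config: the first tunnel mirrors the post,
# the second (peer 3.3.3.3, policy "Open") is invented for contrast.
SAMPLE_CONFIG = """\
access-list restrict extended permit ip host 192.168.240.13 any
group-policy Tunnel internal
group-policy Tunnel attributes
 vpn-filter value restrict
group-policy Open internal
group-policy Open attributes
 vpn-idle-timeout 30
tunnel-group 2.2.2.2 general-attributes
 default-group-policy Tunnel
tunnel-group 3.3.3.3 general-attributes
 default-group-policy Open
"""

def audit_vpn_filters(config):
    """Map each tunnel-group to the ACL entries its vpn-filter enforces."""
    acls, filters, policies = {}, {}, {}
    section = None  # (kind, name) of the block that indented lines belong to
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():  # attribute line inside the current block
            kind, name = section or (None, None)
            words = line.split()
            if kind == "policy" and words[:2] == ["vpn-filter", "value"] and len(words) > 2:
                filters[name] = words[2]
            elif kind == "tunnel" and words[0] == "default-group-policy" and len(words) > 1:
                policies[name] = words[1]
            continue
        section = None
        if m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
        elif m := re.match(r"group-policy (\S+) attributes", line):
            section = ("policy", m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            section = ("tunnel", m.group(1))
            policies.setdefault(m.group(1), None)
    # A tunnel counts as filtered only if its policy names an ACL that has entries.
    return {peer: {"policy": pol, "acl": filters.get(pol),
                   "entries": acls.get(filters.get(pol), [])}
            for peer, pol in policies.items()}

if __name__ == "__main__":
    for peer, info in audit_vpn_filters(SAMPLE_CONFIG).items():
        print(peer, "filtered" if info["entries"] else "UNFILTERED", info)
```

A tunnel reported as UNFILTERED either has no vpn-filter in its group policy or points at an ACL name with no entries in the file.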
