I am using the ASDM to set up client VPNs for users. At one point in the wizard you specify traffic that's exempt from NAT that your users can access. But there were no other controls on what protocols/ports they can access. My question is, where would I put the access rules? Would I put them on the inside interface incoming (on the Security Policy tab), or is there some place in the VPN tab (such as the group policy section) where I would allow/restrict specific ports/protocols? I would just use trial and error, but there are active P2P VPNs on this box, and last time I added an access rule for the inside interface incoming, it ended up breaking all the P2P VPN access. Any suggestions?
I'm sure you know this, but that will affect all traffic, not only VPN, so be sure to write your ACL correctly: allow what you want from the VPN client subnet, deny everything else from the VPN client subnet, then allow everything else. You also have to do "no sysopt connection permit-ipsec/vpn" or the traffic will bypass the ACL. Good luck.
Oh, and don't forget about your other VPN tunnels.
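Here is what the ordering described in the reply looks like as an ASA configuration. This is an added example, not from the thread or from Cisco documentation; all object names, addresses, ports and the interface name "outside" are assumed for illustration, and the object-based ACL syntax assumes ASA 8.3 or later. Decrypted remote-access and site-to-site traffic enters the ASA on the outside interface, so that is the interface ACL that sees it once the sysopt bypass is switched off.

```cisco
! Added example (constructed, not from the original thread).
! Assumed: VPN client pool 10.10.10.0/24, inside LAN 192.168.1.0/24,
!          site-to-site remote LAN 10.20.0.0/16, nameif "outside".
object network VPN-CLIENTS
 subnet 10.10.10.0 255.255.255.0
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network S2S-REMOTE-LAN
 subnet 10.20.0.0 255.255.0.0
!
! 1. Permit only what the remote-access clients need (assumed services).
access-list OUTSIDE-IN extended permit tcp object VPN-CLIENTS object INSIDE-LAN eq 443
access-list OUTSIDE-IN extended permit tcp object VPN-CLIENTS object INSIDE-LAN eq 3389
access-list OUTSIDE-IN extended permit udp object VPN-CLIENTS object INSIDE-LAN eq 53
access-list OUTSIDE-IN extended permit icmp object VPN-CLIENTS object INSIDE-LAN echo
!
! 2. Deny everything else from the client pool; "log" lets you see what
!    you forgot before users start complaining.
access-list OUTSIDE-IN extended deny ip object VPN-CLIENTS any log
!
! 3. The other tunnels: once the bypass is off, site-to-site traffic hits
!    this ACL too, so permit it explicitly or those tunnels stop passing traffic.
access-list OUTSIDE-IN extended permit ip object S2S-REMOTE-LAN object INSIDE-LAN
!
! 4. Any rules the outside interface already had for Internet traffic go here;
!    the implicit deny at the end drops whatever is not listed.
!
access-group OUTSIDE-IN in interface outside
!
! Without this line, VPN traffic skips interface ACLs entirely.
no sysopt connection permit-vpn
```

Two things to check after applying it: that every site-to-site peer's remote subnet has a permit in step 3, and that the interface ACL you edit is the one facing the tunnels (traffic from VPN clients toward the LAN does not arrive inbound on the inside interface, which is why an inside-interface rule is the wrong place for it). The group-policy route the question mentions also exists: a `vpn-filter value <acl-name>` under the group-policy attributes applies an ACL only to that group's tunnels, which avoids touching the interface ACL at all.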