ASA5500 time-range vpn-access-hours

allenelson
Level 1

Client is requesting to allow VPN from 05:00am to 23:59pm. How can we ensure all VPN connections will be dropped at midnight?

Using the two in the title, it appears connections will be blocked outside of the time range, but old connections are not terminated. If I were to connect at 11:30, I could remain connected all night, which is a problem. Thanks in advance!

6 Replies

andrew.prince
Level 10

What you might try is creating a timed ACL, permitting traffic from the remote VPN IP subnet into the internal network.

When the time goes over, the ACL will be disabled, and traffic in theory would be dropped. The user would still be connected, but they would not be able to do anything.

HTH

So, the ACL should be applied to the inside interface, not the actual ACL that defines the interesting traffic?

The ACL on the inside is a permit any any. The local subnet is 10.X.X.X and the VPN remote subnet is 172.16.X.X. So I would need something like:

access-list inside extended permit ip 172.16.X.X mask 10.X.X.X mask time-range VPNHOURS

access-list inside extended deny ip 172.16.X.X mask 10.X.X.X mask

access-list inside extended permit ip any any

That's correct, and you would apply it to the inside interface outbound, going onto the LAN the inside interface is connected to.

HTH
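The time-range plus ACL approach discussed above, written out in full ASA syntax as an added example (not configuration posted in this thread). It assumes the VPN pool 172.16.31.0/24 that appears later in the thread's show output, a placeholder LAN of 10.0.0.0/8 for the poster's 10.X.X.X, and that decrypted remote-access VPN traffic is checked against the outside interface's inbound ACL once sysopt connection permit-vpn is disabled, so the ACL is placed there rather than on the inside interface; it gates traffic only and does not end the VPN session itself.

```cisco
! Added example (not from the thread): time-bound ACL for remote-access VPN on an ASA 5500.
! Assumed addresses: VPN pool 172.16.31.0/24, LAN 10.0.0.0/8 (placeholder for 10.X.X.X).
time-range VPNHOURS
 periodic daily 05:00 to 23:59
!
! Stop decrypted VPN traffic from bypassing interface ACLs (the thread already sets this).
no sysopt connection permit-vpn
!
! Assumption: decrypted VPN traffic enters on "outside", so filter it inbound there.
! Order matters: the timed permit must precede the unconditional deny.
access-list outside_in extended permit ip 172.16.31.0 255.255.255.0 10.0.0.0 255.0.0.0 time-range VPNHOURS
access-list outside_in extended deny ip 172.16.31.0 255.255.255.0 10.0.0.0 255.0.0.0
! Any pre-existing outside inbound ACEs would need to follow here; an interface takes one inbound ACL.
!
access-group outside_in in interface outside
!
! Checks: confirm the clock, whether the time-range is currently active, and which ACE is taking hits.
show clock
show time-range VPNHOURS
show access-list outside_in
```

The deny ACE is what should accumulate hits after 23:59; a timed ACE whose counter never moves while the time-range is active points at a mismatch in direction, interface, or subnet rather than in the time-range.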

I'm testing it right now; it does not seem to be working. Neither a permit statement with time-range, followed by a deny and then the permit ip any any,

or

a deny statement with the time-range, followed by a permit ip any any. This is also being used for remote access VPN, so even though the traffic is on the inside interface, the ASA has a route pointing to the outside interface.

I tried applying the ACL on the outside as well with no luck.

Edit

This should help: the ACL is active, but traffic is not being denied on the inside.

access-list inside1 line 1 extended deny ip any 172.16.31.0 255.255.255.0 time-range VPNHOURS (hitcnt=0) 0x5f2add1d

access-list inside1 line 2 extended deny ip 172.16.31.0 255.255.255.0 any time-range VPNHOURS (hitcnt=0) 0x2c5dec03

access-list inside1 line 3 extended permit ip any any (hitcnt=388) 0xb93b6806

Edit again, just in case: I also have the following configured.

no sysopt connection permit-vpn

access-group inside1 in interface inside

Check you have the correct remote IP subnet configured.

Check you have the ACL attached to the correct interface in the correct destination.

The subnet is correct, not sure why that isn't working out. Currently experimenting with the vpn-filter command in the group-policy, which also isn't working out the greatest.

Took out the time-range stuff for now, now that I'm on this filter command.
