I tried to use
access-list acl_out deny ip "vpn client ip subnet" "
to control the vpn client access to some servers in the company lan.
However it seems not work. Is there any other way to do it?
I have this problem too.