Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:
"You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."
So if I disable "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.
This means that you would like to filter VPN negotiations using an access-list?
If that is the situation, you will not be able to do that as far as I know; you can only either receive all the negotiation requests or disable listening to IPSec negotiations on the specific interface.
You are wrong here. Shadi was right originally. All that IMPORTANT is telling you is that if you are going to write access in your interface ACLs, you use the pool address, not the client's public IP. But you will also have to allow isakmp, esp, nat-t etc. in your outside ACL from the public IP of the client.
So, to disable vpn connections you can do "no sysopt conn permit-vpn" and allow specific access in your acls.
I don't know if it is a bug in v7.2 or not. I thought so, but then I read the "Command Reference" and came to the conclusion that it was the normal use of "no sysopt conn permit-vpn", so I am looking for another way to do it.