That seems kind of strange that you can hit the other interfaces. I would be interested in seeing the Nat statments for those interfaces.
But to answer your question there are a couple ways you can do it. Remove "sysopt connection permit-ipsec" and add access-list statements to your outside interface acl for the VPN users or use downloadable acl's if you have the resources to do so.
I have nat (inteface) 1 0 0 for all the interfaces but if I am allowing the VPN user access to a lower security interface (dmz) why the VPN user can access the higher interface (inside) and all others.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...