Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
What you are wanting to accomplish can be done, but you should use the PIX to do this.
When setting up your VPN on the PIX you have an access-list that specifies where the IP addresses that make up your VPN pool can go. Use that access-list to fine-tune network access for your VPN clients. Make sure you make the same changes to the NAT0 access-list.
How did you apply the ip access-group to the interface, in or out? It should be out. Also, if you want to block FTP access to the server, it's more effective to do this on the PIX. The access-list will be similar, but use subnet masks instead of wildcards.
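The two replies above describe the same policy enforced in two places: an outbound ACL on the router interface facing the server (IOS, wildcard masks) versus an ACL on the PIX that governs what the VPN pool can reach (PIX, subnet masks) together with a matching NAT 0 exemption. The fragment below is an added illustration written for this thread, not configuration posted by either replier; the pool 192.168.100.0/24, the server 10.1.1.10, the inside network 10.1.1.0/24, the interface name and the ACL names are all assumed, and the `!` lines are annotations only.

```cisco
! ===== Cisco IOS router: outbound ACL on the server-facing interface =====
! Wildcard masks (0.0.0.255 = match the first 24 bits). Addresses assumed.
ip access-list extended BLOCK-VPN-FTP
 deny   tcp 192.168.100.0 0.0.0.255 host 10.1.1.10 eq ftp
 deny   tcp 192.168.100.0 0.0.0.255 host 10.1.1.10 eq ftp-data
 permit ip any any
interface FastEthernet0/0
 ip access-group BLOCK-VPN-FTP out

! ===== Cisco PIX 6.x: same policy at the VPN headend =====
! Subnet masks (255.255.255.0), not wildcards. Deny lines precede the permit.
ip local pool VPNPOOL 192.168.100.1-192.168.100.254
access-list VPN-CLIENTS deny   tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq ftp
access-list VPN-CLIENTS deny   tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq ftp-data
access-list VPN-CLIENTS permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
! Decrypted IPsec traffic bypasses interface ACLs while this sysopt is on;
! disable it so the outside ACL actually filters the VPN clients.
no sysopt connection permit-ipsec
access-group VPN-CLIENTS in interface outside

! NAT exemption must cover the same inside-network / pool pair, otherwise
! return traffic to the clients is translated and the tunnel breaks.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

The PIX ACL is written inside-bound from the client's point of view (pool to inside), while the NAT 0 ACL is written from the inside network toward the pool; keeping both lists in step is the check the second reply refers to. Verify with `show access-list` that the deny entries accumulate hit counts when a client attempts FTP, and confirm that the final permit still matches the pool-to-inside pair so that ordinary client traffic is not silently dropped.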