It is my understanding that in order to restrict VPN connections, either site-to-site or client, by port, the "sysopt connection permit ipsec" command needs to be disabled, and the control then comes from the access-list that is inbound on the outside interface.
Here is my scenario: 3 site-to-site tunnels and client VPN tunnels
Site 1 needs access to all internal hosts on 192.168.50.0 for port 5900 and full access to 192.168.50.135
Site 2 needs full access to 192.168.50.205, 192.168.50.166, 192.168.50.204 host only
Site 3 needs full access to 192.168.50.5 host only
Here is my config:
access-list acl_outside permit tcp any host a.a.a.a eq https -- this will be a static translation
access-list acl_outside permit tcp any host a.a.a.a eq 3389 -- this will be a static translation
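The per-site restriction described in the question, written out as an added example (not the poster's configuration). It assumes ASA syntax, `no sysopt connection permit-vpn` as the command that stops decrypted VPN traffic from bypassing the interface ACL, and placeholder remote LAN subnets 10.1.1.0/24, 10.2.2.0/24 and 10.3.3.0/24 for Sites 1 to 3; on 8.3+ the destination addresses in the ACL are the real (untranslated) addresses.

```text
! Added example, not from the original post. Remote subnets are assumed placeholders.
! Stop decrypted IPsec/VPN traffic from bypassing the outside interface ACL.
no sysopt connection permit-vpn
!
! Site 1 (assumed 10.1.1.0/24): VNC (5900) to the whole LAN, full access to .135
access-list acl_outside extended permit tcp 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 5900
access-list acl_outside extended permit ip 10.1.1.0 255.255.255.0 host 192.168.50.135
!
! Site 2 (assumed 10.2.2.0/24): three hosts only
access-list acl_outside extended permit ip 10.2.2.0 255.255.255.0 host 192.168.50.205
access-list acl_outside extended permit ip 10.2.2.0 255.255.255.0 host 192.168.50.166
access-list acl_outside extended permit ip 10.2.2.0 255.255.255.0 host 192.168.50.204
!
! Site 3 (assumed 10.3.3.0/24): one host only
access-list acl_outside extended permit ip 10.3.3.0 255.255.255.0 host 192.168.50.5
!
! Existing Internet-facing rules for the static translations from the post
access-list acl_outside extended permit tcp any host a.a.a.a eq https
access-list acl_outside extended permit tcp any host a.a.a.a eq 3389
!
! Everything else arriving on outside, decrypted or not, hits the implicit deny.
access-group acl_outside in interface outside
```

Verify with `show access-list acl_outside`: hit counts on the per-site lines should grow as tunnel traffic flows, and anything unexpected shows up against the implicit deny in the syslog (106023).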