There might be many reasons if downloadable ACLs are not pushed or are unable to restrict access for VPN Clients. But , one of the common reasons is if the sysopt ipsec pl-compatible command is configured on the PIX Firewall.
In such a case, you are unable to restrict a group of Cisco VPN Clients to only have access to a limited number of IP addresses on the inside network that uses downloadable access control lists (ACLs) from the Cisco Secure Access Control Server (ACS).
In order to resolve this issue, remove the sysopt ipsec pl-compatible command from the configuration if configured.
The sysopt ipsec pl-compatible command enables IPsec packets to bypass the PIX Firewall unit Network Address Translation (NAT) and Adaptive Security Appliance (ASA) features and allows incoming IPsec packets to terminate on the inside interface.