Hi,
When you create a remote access IPsec VPN connection to the ASA, all traffic is permitted by default.
When you do the command ''sh run all sysopt'' you get ''sysopt connection permit-vpn'' and that means that all VPN traffic is going to pass through without being checked by the outside ACL.
There are some ways to restrict the VPN traffic through the tunnel
1. You can remove the sysopt ''no sysopt connection permit-vpn'' so only traffic that's allowed in the outside ACL is allowed in.
2. You can leave the sysopt and create ''vpn-filters'' under the group-policy for the tunnel-group of the remote access connection.
I'll recommend the option #2 so that you can specify exactly what you're going to allow through the tunnel.
If you're talking about the VPN user getting access to an inside server and from there being able to jump to other internal resources... well... that's out of the scope of the ASA's security features. The connection from an internal server to another internal server won't go through the ASA thus the ASA cannot protect it.
You can however define exactly just the traffic that's going to be allowed with the above vpn-filters.
Hope it helps.
Federico.