There are a lot of things you can use in a Dynamic Access Policy (DAP) but end user IP address isn't one of them.
Network Access Restriction (NAR) in ACS can be used to grant or deny authorization based on IP address but with a remote access VPN I believe it would be the VPN-assigned address seen by the ACS server. I'm not absolutely positive about that though.
Have you considered an ACL for tcp/443 on the interface used for VPN access?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...