We have a 3725 (IOS 12.4(5a)) which serves a number of VPNs with crypto map statements like this:
crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 match address vpn-168

ip access-list extended vpn-168
 permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7
AFAIK, the access list in this config only determines what traffic is expected to be encrypted and what traffic can be unencrypted.
Is it also possible to add an access list to this config that determines what traffic is allowed through this tunnel, i.e. one that is applied after decryption? I would like to restrict the user at the other end of the tunnel from accessing certain services on the local network.
Right now I have an outbound access list on the LAN interface, but it seems kind of backward. One would want to filter at the source.
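Added example, not part of the original post: the two ACLs that play different roles here, side by side. The crypto ACL (`vpn-168`, from the question) only selects which packets get IPsec-protected; a separate filter ACL can be bound to the same crypto map entry with `set ip access-group ... in`, which IOS evaluates against the clear-text packets of that tunnel after decryption. That command is assumed to exist on this platform (to my knowledge it arrived in 12.3(8)T as the "Crypto Access Check on Clear-Text Packets" feature; confirm with `?` in crypto map configuration mode on 12.4(5a)). The host address, the port numbers and the filter ACL name are constructed for illustration.

```cisco
! Added example, not the original poster's config. Assumes IOS 12.4 with
! "set ip access-group <acl> {in|out}" available in crypto map mode:
! "in" filters packets after decryption, "out" before encryption.
! 172.16.10.20 and the ports below are constructed values.

! 1. Crypto ACL: what gets encrypted (must mirror the peer's ACL).
!    It does not restrict what the remote site may reach once decrypted.
ip access-list extended vpn-168
 permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7

! 2. Filter ACL: applied only to decrypted traffic arriving from this peer.
!    Deny the services the remote user must not reach, permit the rest.
ip access-list extended vpn-168-filter-in
 remark block SMB to the constructed file server address
 deny   tcp 172.31.32.168 0.0.0.7 host 172.16.10.20 eq 445
 remark block RDP to any local host
 deny   tcp 172.31.32.168 0.0.0.7 any eq 3389
 remark everything else from the remote /29 into the local /12 is allowed
 permit ip 172.31.32.168 0.0.0.7 172.16.0.0 0.15.255.255

! 3. Bind the filter to the crypto map entry for this peer only.
crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 match address vpn-168
 set ip access-group vpn-168-filter-in in
```

Because the filter ACL hangs off the crypto map entry rather than an interface, it applies to this peer's tunnel alone and leaves the other VPNs on the same outside interface untouched, which is the "filter at the source" placement the question is after. Hit counts in `show ip access-lists vpn-168-filter-in` show whether the deny entries are actually matching.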