I have an interesting question. Is it possible to have sysopt permit-vpn enabled and still be able to have an outbound ACL on an inside interface that would match and drop the traffic? I cannot use VPN filters as routes are learned dynamically and are split unevenly across multiple inside networks. Disabling sysopt permit-vpn is not an option that I would like to entertain.
For example, I would like a certain IP pool to be able to access networks learned on inside-network-1 but be denied on inside-network-2, inside-network-3, and inside-network-4. Another pool would be allowed to inside-network-2 and denied on inside-network-1, 3, and 4.
Can a VPN-Filter Deny an outbound interface?
You would do that with split tunneling; example of a partial configuration:
ip local pool VPN-POOL-1 192.168.10.1-192.168.10.62
access-list FILTER-VPN-TRAFFIC extended permit ip host 192.168.0.1 192.168.10.0 255.255.255.192
group-policy EXAMPLE attributes
split-tunnel-network-list value FILTER-VPN-TRAFFIC
Unfortunately, as previously stated, the routes are learned dynamically (several thousand). I will also add that all traffic is tunneled.