Need to restrict traffic type after remote VPN connection established

kharris
Level 1

After a client has established a VPN connection to our PIX (using Cisco VPN client), is there a way to limit INCOMING traffic types through access lists?

Currently, I use the "sysopt connection permit-ipsec" command in combo with a no-nat acl to permit traffic to the remote subnet assigned in the vpngroup.

I want to narrow down not only the inside hosts permitted in the connection, but also the type of connection INITIATED by the remote client to those hosts.

I have no problem limiting ip traffic to specific hosts only, but my problem is I need to allow connections to range of IPs that can't be totally defined with a single subnet mask in the no-nat ACL. Additionally, I only want to allow a few protocols to be initiated from the remote client. The no-nat ACL only defines return or "reply" traffic which is not usually on the same port as the initiating host (like remote desktop).

Do I need to turn off the implicit VPN permission (sysopt connection permit-ipsec) and define all allowed traffic on the incoming ACL on the outside interface of the PIX?

If so, do I need to allow associated VPN traffic first (i.e. ports 500, 4500, 50-51), and then specify allowed remote subnets? Also, since I don't totally know the order of checks and processes of incoming packets to the PIX... will the remote client traffic be under its public or private IP when the packets hit the outside ACL? (I guess I'm asking at what point it is decrypted and passed on with the private addresses.)

My goal is to allow employees to remote into their PCs over our DHCP range, but I don't want to allow all types of IP traffic except 3389 or 5631-5632. Currently, if I deny return traffic from all servers to protect them (using the no-nat ACL), then I also effectively eliminate our DNS server from replying with the correct addresses when employees enter their PC names over the VPN connection.

Can anybody shed some light on how to approach this?

Thanks in advance.

Kyle
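One way to lay this out, as an added example that is not from the original post, from Cisco, or from any reply in this thread: a PIX 6.x configuration fragment showing the implicit-permit setup described above, followed by the version that turns `sysopt connection permit-ipsec` off and filters the decrypted VPN traffic with the outside interface ACL. The interface names, the pool (192.168.100.0/24), the inside network (192.168.1.0/24), the DNS server (192.168.1.10), the DHCP range for employee PCs (192.168.1.100-199) and the vpngroup name are constructed placeholders.

```cisco
! ---- Current state: tunnel traffic bypasses the outside ACL ----
! The no-nat ACL only decides which inside->pool traffic skips translation;
! it grants no permission and filters no port.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup employees address-pool vpnpool
vpngroup employees dns-server 192.168.1.10
vpngroup employees split-tunnel nonat
vpngroup employees idle-time 1800
! Every decrypted packet is allowed, whatever its protocol or port:
sysopt connection permit-ipsec

! ---- Hardened state: decrypted packets must match the outside ACL ----
no sysopt connection permit-ipsec

! The DHCP range 192.168.1.100-199 is not one CIDR block; it is five blocks.
! Grouping them keeps the ACL to one line per protocol.
object-group network dhcp-pcs
  network-object 192.168.1.100 255.255.255.252
  network-object 192.168.1.104 255.255.255.248
  network-object 192.168.1.112 255.255.255.240
  network-object 192.168.1.128 255.255.255.192
  network-object 192.168.1.192 255.255.255.248

! Only the remote-control ports the client may INITIATE to those PCs.
object-group service remote-control tcp
  port-object eq 3389
  port-object range 5631 5632

! Source is the pool address: by the time the outside ACL is evaluated the
! packet has been decrypted, so the client's public IP never appears here.
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 object-group dhcp-pcs object-group remote-control
access-list outside_in permit udp 192.168.100.0 255.255.255.0 object-group dhcp-pcs eq 5632
! Name resolution: the client initiates the DNS query, so it needs its own
! entry; the server's reply rides the stateful connection table.
access-list outside_in permit udp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq domain
! Everything else from the pool (and from the Internet) hits the implicit deny.
access-group outside_in in interface outside
```

Two points follow from the layout. First, the no-nat ACL is unchanged in both halves: it controls translation only, so using it to "deny" anything is what was silently breaking DNS. Second, because the PIX is stateful, the ACL lists only connections the remote client opens; the DNS reply and the RDP/pcAnywhere return packets are matched to existing connections and need no entries. Whether the IKE (UDP 500/4500) and ESP packets addressed to the PIX itself also need entries on a given software release is worth confirming on the box: bring a client up after applying the ACL and check the hit counts in `show access-list outside_in` to see exactly which lines the tunnel traffic is matching.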

1 Reply

kharris
Level 1

...I might add that we don't have any AAA servers for authentication or pre-configured user settings...just the local database on the PIX515E.

Kyle