Hello @Flavio Miranda

Thank you for your feedback 

Please find the configuration 

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPOOL 192.168.150.1-192.168.150.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat

access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 172.16.90.0 255.255.255.0 192.168.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 64553 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 172.16.90.2
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
split-dns value AMD.local
username ABC password tCYMW encrypted privilege 15
username DEF password jkvPguw7T encrypted privilege 15

tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPOOL
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map conns
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ae8058a745b9e5
: end
TeleCareFW#

First off, you need to see if sysopt is enable:

show run sysopt

If you see "no sysopt connection permit-vpn" then sysopt is disabled and this means that all traffic on the VPN is permited. In your case, probably it is disabled.

ideally, this option should be enabled, so that, all traffic on the VPN is denied and then you permit what you want. Otherwise, you need to deny everything and permit what you want.

 Take care with this command to do not cause outage on your VPN access.

After you define which rule to follow, Deny everything or permit everything then you can create the filters.

Please, define IPs accordingly.

First, create an Access List allowing the required traffic.

access-list VPN-FILTER permit ip X.X.X.X  255.255.255.0 X.X.X.X  255.255.255.0

Add the Access List to the group-policy
group-policy remotevpn  internal
group-policy remotevpn attributes
vpn-filter value VPN-FILTER

Hi @Flavio Miranda

Thank you for your support 

 Access list is filtering the traffic based on IPs, in my situation, I need the Username to be filter criteria.

 because usually IP always changed from the user end,  I can not set role based on IP 

I need to tell my ASA " If the Username ABC get connected only allow him to access this IP" 

Please correct me i am wrong and advice me 

For simplicity and considering that it is only two users, I´d go with static IP address on the end users.

What do you think?

-If I helped you somehow, please, rate it as useful.-

The end users are using dynamic IP, as you know the ISP internet for home use dynamic IPs, so the IP always keep changing, besides that the users are accessing from a different location from different places, so I  can not use static IP for them. 

Any recommendation? 

Does it require to upgrade my ASA? 

Thank you for your support 

I think your solution will work, I will try it out