CahitEy

asked on

VPN open/close ports

How could I open or close connected clients' allowed ports over VPN?
MikeKane

You could control what the clients could speak with by using a scaled-down nonat, I suppose....

Usually, when you set up remote clients, you need a nonat to allow traffic:

     access-list 101 permit ip 10.99.99.0 255.255.255.0 192.168.1.0 255.255.255.0
     ip local pool bigpool 192.168.1.1-192.168.1.254
     nat (inside) 0 access-list 101

The above is an example to allow the ip local pool to access all of 10.99.99.0. There's nothing stopping you from drilling this ACL down to only the servers you want the clients to access.....

i.e.

     access-list 101 permit ip host 10.99.99.10 192.168.1.0 255.255.255.0
     access-list 101 permit ip host 10.99.99.11 192.168.1.0 255.255.255.0
     access-list 101 permit ip host 10.99.99.12 192.168.1.0 255.255.255.0
     ip local pool bigpool 192.168.1.1-192.168.1.254
     nat (inside) 0 access-list 101
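
As an added illustration (not part of the original thread or of MikeKane's post), this Python sketch parses the two ACL variants shown above and lists which inside hosts each one matches for a given VPN pool address. It is a simplified model that assumes only `permit`/`deny ip` entries, first-match order and an implicit deny; the candidate host list and pool addresses are constructed sample values.

```python
import ipaddress

# Constructed copies of the two ACL variants from the answer above.
BROAD = ["access-list 101 permit ip 10.99.99.0 255.255.255.0 192.168.1.0 255.255.255.0"]
NARROW = [
    "access-list 101 permit ip host 10.99.99.10 192.168.1.0 255.255.255.0",
    "access-list 101 permit ip host 10.99.99.11 192.168.1.0 255.255.255.0",
    "access-list 101 permit ip host 10.99.99.12 192.168.1.0 255.255.255.0",
]

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(lines):
    """Return [(action, src_net, dst_net)] for 'access-list N permit|deny ip ...' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        if tok[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action: {tok[2]!r}")
        rest = tok[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def matches(entries, inside_ip, pool_ip):
    """First matching entry decides; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(inside_ip), ipaddress.ip_address(pool_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def matched_hosts(acl_lines, candidates, pool_ip):
    """Inside hosts (from a constructed candidate list) that the ACL permits toward pool_ip."""
    entries = parse_acl(acl_lines)
    return [host for host in candidates if matches(entries, host, pool_ip)]

if __name__ == "__main__":
    hosts = ["10.99.99.10", "10.99.99.12", "10.99.99.50"]  # constructed sample hosts
    print("broad :", matched_hosts(BROAD, hosts, "192.168.1.20"))
    print("narrow:", matched_hosts(NARROW, hosts, "192.168.1.20"))
```

Running a check like this against a sanitized copy of the ACL before applying it shows whether the narrowed list still covers every server the clients need.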
CahitEy

ASKER

Where is this command used?

These are on the CLI command line.

ASKER

It did not work :D I think I am doing something wrong. Do you have a screenshot for a better description?

Could you post your sanitized config here?  

ASKER

What is sanitized?