Hi Ahmed,
When filtering at the edge, there is not too much to see:
IKE protocol --> udp 500
IPSec protocols:
ESP protocol --> ip protocol 50
AH protocol ---> ip protocol 51
For NAT transparency:
udp 4500 or tcp (port number has to be configured)
So the access-list looks like:
!!!
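!!! Destination "any" completes each extended ACL entry (assumption); narrow it to the local peer address if known
Router(config)#access-list 100 permit esp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit ahp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit udp 1.1.1.1 0.0.0.15 any eq 500
Router(config)#access-list 100 permit udp 1.1.1.1 0.0.0.15 any eq 4500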
!!!And assign it to the interface to which the crypto map is bound
Router(config-if)#ip access-group 100 in
!!!
You can also set a symmetric ACL at the IPSec peer on the other side.
I hope this will help.
Have a good work!
AJN
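
Added example, not part of the original reply: a small Python check that an edge ACL of the shape shown above permits all four flows the post lists (IKE, NAT-T, ESP, AH) for a given peer address, using Cisco wildcard-mask matching. It assumes entries written as source, wildcard, destination `any`; the function names and the sample ACL are constructed for illustration.

```python
import ipaddress
import re

# Flows the post lists for an IPsec peer: name -> (ACL protocol keyword, destination port)
REQUIRED = {"ike": ("udp", 500), "nat-t": ("udp", 4500),
            "esp": ("esp", None), "ah": ("ahp", None)}

# Subset of IOS extended-ACL syntax (assumption): permit PROTO SRC WILDCARD any [eq PORT]
QUAD = r"(\d+\.\d+\.\d+\.\d+)"
ENTRY = re.compile(r"access-list\s+\d+\s+permit\s+(\S+)\s+" + QUAD + r"\s+" + QUAD +
                   r"\s+any(?:\s+eq\s+(\d+))?\s*$")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(text):
    """Return (proto, src, wildcard, port) for every permit line that parses."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)  # search() skips a 'Router(config)#' prompt
        if m:
            proto, src, wc, port = m.groups()
            entries.append((proto, src, wc, int(port) if port else None))
    return entries

def missing_flows(acl_text, peer):
    """Names of required IPsec flows that no entry permits from `peer`."""
    entries = parse_acl(acl_text)
    missing = []
    for name, (proto, port) in REQUIRED.items():
        ok = any(p == proto and wildcard_match(peer, src, wc)
                 and prt in (None, port)  # an entry without 'eq' allows any port
                 for p, src, wc, prt in entries)
        if not ok:
            missing.append(name)
    return sorted(missing)

# Constructed sample: the ACL above with destination 'any', NAT-T entry left out
SAMPLE_ACL = """\
Router(config)#access-list 100 permit esp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit ahp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit udp 1.1.1.1 0.0.0.15 any eq 500
"""

if __name__ == "__main__":
    print(missing_flows(SAMPLE_ACL, "1.1.1.5"))   # peer inside the wildcard range
    print(missing_flows(SAMPLE_ACL, "1.1.1.20"))  # peer outside the wildcard range
```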