I'm using a PIX 515 with ASA 7.2. I have a couple of tunnels and remote access set up. The same PIX is used as a firewall between the inside users and the Internet. I'm pretty sure there is a setting for remote access VPN connections to be exempt from ACLs, but I am not sure how it works for site-to-site tunnels. I recently implemented an ACL on my inside interface and, as a precaution, created an ACL that included the statement access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0
I have two questions. Do I need that statement to allow traffic to flow from the networks connected to the inside interface of my firewall (any) to the remote end of the site-to-site tunnel (10.4.1.0/24)? And I thought including ip in your ACL meant any and all traffic, but in the syslog server I see certain UDP traffic being blocked. Could anyone clarify how this works for me?
The ACL statements are checked sequentially, so if the UDP is denied before the IP is permitted then you'll see those messages. I'm not sure how your PIX is configured, but if there is an ACL bound to the inside interface then we have to permit the VPN traffic and also need to make sure the NAT bypass is configured for such traffic.
Please rate if it helps.
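To make the "checked sequentially" point concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models how a PIX/ASA interface ACL is evaluated: entries are tried top to bottom, the first matching entry decides, and a flow that matches nothing hits the implicit deny at the end. It parses the permit-ip line quoted in the question plus a constructed "deny udp ... eq 161" entry placed ahead of it, then shows that reordering the two entries changes the verdict for the same UDP flow. The ACE syntax subset, the flow tuple and the sample addresses are assumptions for illustration; the model covers only the ACL and does not simulate the VPN-bypass or NAT-exemption settings the answer mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry, in the order it appears in the running config."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol; otherwise "udp"/"tcp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Flow:
    """A single packet's 4-tuple as the firewall would classify it (assumed shape)."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'NETWORK MASK' and return the rest of the tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # PIX/ASA ACEs take a normal subnet mask (255.255.255.0), not an IOS-style wildcard mask.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse the subset: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return name, Ace(action, proto, src, dst, port)


def build_acl(lines: List[str]) -> List[Ace]:
    """Build an ordered ACL; all lines must belong to the same access-list name."""
    names = set()
    acl = []
    for line in lines:
        name, ace = parse_ace(line)
        names.add(name)
        acl.append(ace)
    if len(names) != 1:
        raise ValueError(f"lines belong to different ACLs: {names}")
    return acl


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins. Returns (action, index); index None means implicit deny."""
    src = ipaddress.IPv4Address(flow.src_ip)
    dst = ipaddress.IPv4Address(flow.dst_ip)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue                      # protocol-specific entry, different protocol
        if src not in ace.src or dst not in ace.dst:
            continue                      # address range does not cover this packet
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue                      # port-qualified entry, different port
        return ace.action, idx
    return "deny", None                   # nothing matched: implicit deny at end of ACL


# Constructed ACL: a UDP deny (assumed entry) sitting ABOVE the permit-ip line from the question.
ACL_AS_WRITTEN = build_acl([
    "access-list inside_access_in deny udp any any eq 161",            # constructed entry
    "access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0",  # line from the question
])

# Same two entries with the permit-ip line first: the UDP flow to the tunnel is now allowed.
ACL_REORDERED = build_acl([
    "access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0",
    "access-list inside_access_in deny udp any any eq 161",
])

if __name__ == "__main__":
    # Constructed sample flows: 10.1.1.5 is an assumed inside host, 10.4.1.10 an assumed host
    # behind the site-to-site tunnel, 192.0.2.1 an assumed Internet address.
    samples = [
        Flow("udp", "10.1.1.5", "10.4.1.10", 161),
        Flow("udp", "10.1.1.5", "10.4.1.10", 53),
        Flow("tcp", "10.1.1.5", "10.4.1.10", 445),
        Flow("tcp", "10.1.1.5", "192.0.2.1", 80),
    ]
    for f in samples:
        print(f, "as written ->", evaluate(ACL_AS_WRITTEN, f), "| reordered ->", evaluate(ACL_REORDERED, f))
```

The UDP/161 flow is denied by entry 0 in the first ACL even though entry 1 would permit it, which is exactly the syslog pattern described in the question; "permit ip" does cover UDP, but only for packets that reach that line. The TCP flow to 192.0.2.1 matches neither entry and is dropped by the implicit deny, so every protocol you intend to pass through the inside interface needs an explicit permit somewhere above the end of the list.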