I have an IPSec Site to Site VPN tunnel that terminates on the outside interface of the firewall. My ftp server sits in a DMZ. The DMZ has an access-list applied to the interface. When I create the tunnel group for the Site to Site I create a tunnel group and group policy and manage the policy with filters. The filter looks like an access-list. Are both the filter and interface ACL working together? Does one override the other? How are these working together.
When the traffic is ipsec, the interface acl's are not used as long as you have enabled "sysopt conn permit-ipsec/vpn". When you add a vpn-filter, this is what will filter the ipsec traffic.