I'm running 8.03 code and have a simple L2L VPN configured between two sites. This is actually a test config in my lab, but I'm having trouble restricting traffic using an inside ACL.
I used the VPN Wizard to do the initial config and then added an inside (out) ACL to restrict traffic once the tunnel comes up.
The crypto map is as follows:
access-list outside_1_cryptomap extended permit ip 188.8.131.52 255.255.255.240 host SunMed_pc
Then I have an ACL to limit traffic to pinging GHC_laptop, telnet to GHC_switch and deny everything else:
access-list inside_access_out extended permit icmp host SunMed_pc host GHC_Laptop
access-list inside_access_out extended permit tcp host SunMed_pc host GHC_switch eq telnet
access-list inside_access_out extended deny ip any any
However, SunMed_pc can also ping GHC_switch and can FTP to GHC_laptop, even though the hit counter on the 3rd entry (deny all) increases when I do that.
I've attached a Word document that has the entire config along with a screen shot showing the ACL and the hits.
Do I have the ACL set up incorrectly or is the ACL in fact not working as expected?
You can still keep "all IP" for your interesting-traffic ACLs. If you remove the sysopt, then you would write the access in your "inside_access" ACL like you did above.
If you are going to have dozens of L2L tunnels and will be restricting them all, then I would just remove the sysopt and use the interface ACLs.
There is another option. You can leave the sysopt and use a vpn-filter. It is explained here and can be applied to L2L.
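Both options from the reply, written out as ASA configuration. This is an added example, not config posted by either participant and not taken from the attached Word document; it reuses the host names and ACL names from the question (SunMed_pc, GHC_Laptop, GHC_switch, inside_access_out) and assumes SunMed_pc is the remote side of the tunnel, which is what the crypto-map ACL above implies. The group-policy name SUNMED_L2L_GP, the filter ACL name SUNMED_VPN_FILTER and the peer address placeholder <PEER_IP> are invented for the example; substitute the real tunnel-group peer.

```cisco
! ---------------------------------------------------------------------------
! Option A: remove the sysopt so decrypted VPN traffic is checked against
! the interface ACLs. The inside_access_out ACL from the question then applies
! to traffic leaving the inside interface toward GHC_Laptop / GHC_switch.
! ---------------------------------------------------------------------------
no sysopt connection permit-vpn
!
access-list inside_access_out extended permit icmp host SunMed_pc host GHC_Laptop
access-list inside_access_out extended permit tcp host SunMed_pc host GHC_switch eq telnet
access-list inside_access_out extended deny ip any any
access-group inside_access_out out interface inside
!
! Note: with the sysopt removed, EVERY tunnel on the box is now subject to the
! interface ACLs, so other L2L peers need permit entries of their own.

! ---------------------------------------------------------------------------
! Option B: keep "sysopt connection permit-vpn" and restrict this one tunnel
! with a vpn-filter attached to its group policy.
! ---------------------------------------------------------------------------
! vpn-filter ACLs are written from the REMOTE peer's point of view:
!   source      = remote host/network (SunMed_pc)
!   destination = local host/network  (GHC_Laptop, GHC_switch)
access-list SUNMED_VPN_FILTER extended permit icmp host SunMed_pc host GHC_Laptop
access-list SUNMED_VPN_FILTER extended permit tcp host SunMed_pc host GHC_switch eq telnet
! A vpn-filter already ends in an implicit deny; the explicit line only gives
! you a hit counter to watch in "show access-list".
access-list SUNMED_VPN_FILTER extended deny ip any any
!
group-policy SUNMED_L2L_GP internal
group-policy SUNMED_L2L_GP attributes
 vpn-filter value SUNMED_VPN_FILTER
!
! <PEER_IP> is a placeholder for the real L2L tunnel-group name (the peer address).
tunnel-group <PEER_IP> general-attributes
 default-group-policy SUNMED_L2L_GP
!
! Verification after the tunnel re-establishes:
!   show vpn-sessiondb detail l2l          -> "Filter Name" should show SUNMED_VPN_FILTER
!   show access-list SUNMED_VPN_FILTER     -> hit counts on the permit/deny lines
```

Caveat on the vpn-filter: the filter is applied to both directions of the tunnel. Inbound packets from SunMed_pc are matched as written; for packets going the other way the ASA swaps source and destination before matching, so a session the local side opens toward SunMed_pc is only allowed if the reversed flow also matches a permit line. The two permit entries above therefore only let SunMed_pc initiate ICMP to GHC_Laptop and telnet to GHC_switch; nothing initiated from the GHC side toward SunMed_pc will pass until a matching (reversed) entry is added. Changing the group policy does not reset an existing tunnel, so clear it (or wait for rekey) and confirm with the two show commands before trusting the counters.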