Topology: Router1 <->(outside)ASA(inside) <-> Router2
IPSEC tunnel from Router1 to Router2
With the routers being the IPsec endpoints, do I need to explicitly permit ESP & ISAKMP on both the inside and outside interfaces in the inward direction of the ASA?
Or will it be enough to permit ESP & ISAKMP just on the outside interface, with the firewall taking care of the return traffic with inspection?
Yes, if the VPN might be initiated from the Router1 side.
Add the following:
access-list inside extended permit esp any any
access-list inside extended permit udp any any eq 500
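The full configuration that the question and answer above describe, written out as an added example (this is not the poster's or the answerer's configuration). It permits ISAKMP and ESP inbound on both interfaces and binds each access list with access-group, and it narrows the permits to the two tunnel endpoints instead of "any any". The object names (ROUTER1, ROUTER2) and the peer addresses (RFC 5737 documentation ranges) are constructed placeholders:

```cisco
! Added example, not from the original post.
! Topology: Router1 <-> (outside) ASA (inside) <-> Router2
! Router1 and Router2 are the IPsec endpoints; the ASA only passes the tunnel.
!
! Constructed placeholder addresses (replace with the real endpoints):
!   Router1 (outside peer) = 203.0.113.1
!   Router2 (inside peer)  = 198.51.100.2
object network ROUTER1
 host 203.0.113.1
object network ROUTER2
 host 198.51.100.2
!
! Outside interface, inbound: tunnel set-up (IKE on UDP/500) and data (ESP)
! arriving from Router1. "isakmp" is the ASA port name for UDP 500.
access-list outside extended permit udp object ROUTER1 object ROUTER2 eq isakmp
access-list outside extended permit esp object ROUTER1 object ROUTER2
!
! Inside interface, inbound: the same pair in the other direction, so the
! tunnel can be set up and carry data when Router2 is the initiator.
access-list inside extended permit udp object ROUTER2 object ROUTER1 eq isakmp
access-list inside extended permit esp object ROUTER2 object ROUTER1
!
! Caveat: once an access list is bound to the inside interface, every other
! inside-originated flow hits its implicit deny. Add permits for the traffic
! that was previously allowed by the default security-level behaviour, e.g.:
access-list inside extended permit ip 198.51.100.0 255.255.255.0 any
!
! Bind both lists in the inbound direction of their interfaces.
access-group outside in interface outside
access-group inside in interface inside
!
! Only if a NAT device sits between the two routers does IKE/ESP switch to
! NAT-T on UDP/4500, which would need a matching "eq 4500" permit on each
! interface. The topology as posted describes no NAT, so it is omitted here.
```

Pinning the permits to the two peer objects rather than "any any" means a third host on either side cannot push IKE or ESP through the firewall, and the bound inside list makes the inside-to-outside policy explicit rather than relying on the default security-level ordering.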