I created a site-to-site VPN between an ASA and a PIX with no sysopt connection permit-vpn.
I used an interface access-list to control what the remote site (PIX) can access at the main site (ASA).
IPSec connection is up and everything is working fine.
I have a question related to access rules for ISAKMP and IPSec.
1. Do I need to create an access rule to permit the protocols ISAKMP, ESP, and AH at the outside interface?
My understanding is that when traffic comes to the interface, the access rules will be applied and will permit or drop packets based on the rules.
It seems the IPSec tunnel can be established without even applying those access rules at the interface.
Thanks in advance for your time!