I need some clarification on access-lists for VPN traffic on an ASA. Let me explain my situation. First off, I will not be using "sysopt connection permit-ipsec" on the firewall, so if my understanding is correct, I need interface-based access-lists to allow the traffic in addition to my VPN interesting-traffic access-lists.
So let's say I have an ASA with 2 interfaces in use, inside and outside. I have an inside access-list and an outside access-list applied to those interfaces to control traffic. The crypto map is applied to the outside, and I have two site-to-site tunnels that are needed on the ASA.
My first tunnel requires that my inside subnet 192.168.100.0/24 be able to talk to the remote subnet across the VPN, 172.16.1.0/24. So here is my crypto map ACL for this tunnel. The inside local subnet will always initiate to the remote end.
access-list tunnelA permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
My second tunnel requires that the remote subnet 10.255.255.0/24 always initiate connections back to my local subnet 192.168.100.0/24, so here is my crypto map ACL for this tunnel.
access-list tunnelB permit ip 192.168.100.0 255.255.255.0 10.255.255.0 255.255.255.0
I think I have the above config correct, but here is where I'm a little confused about not using the sysopt permit-ipsec.
Seeing as I have ACLs applied to both interfaces, I assume that for tunnel A I basically need to apply the same ACL as I did for the crypto map ACL:
access-list inside_out permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
If I am correct on that, what about tunnel B, where the remote subnet initiates? Do I need to put my ACL on the outside interface like this?
access-list outside_in permit ip 10.255.255.0 255.255.255.0 192.168.100.0 255.255.255.0
Basically, I need to know how to apply my interface-based ACLs, and whether it depends on which side of the tunnel initiates vs. which receives.
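A worked ASA configuration for the layout described in the post, added here as an illustration; it is not taken from the original post. It keeps the post's subnets and ACL names, and uses the `sysopt connection permit-vpn` form of the command (the current ASA keyword; `permit-ipsec` is the older name for the same setting). The peer addresses (203.0.113.10 and 198.51.100.20), the crypto map name `outside_map` and the sequence numbers are assumed placeholders; the IKE policy, transform set, tunnel-group and any NAT exemption are omitted because the post does not describe them.

```cisco
! Added example, not from the original post. Peer addresses, the crypto map
! name and sequence numbers are assumed; IKE policy, transform set,
! tunnel-group and NAT exemption are omitted.

! Decrypted VPN traffic is NOT exempted from the interface ACLs.
no sysopt connection permit-vpn

! --- Crypto (interesting traffic) ACLs ---
! Always written local -> remote, regardless of which side initiates.
! The ASA mirrors them automatically to match the inbound direction.
access-list tunnelA extended permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list tunnelB extended permit ip 192.168.100.0 255.255.255.0 10.255.255.0 255.255.255.0

! --- Interface ACLs ---
! An interface ACL is evaluated for the FIRST packet of a connection only;
! replies are allowed by the stateful connection table. So the entry goes
! on the interface where the initiating packet enters the ASA.

! Tunnel A: inside hosts initiate, so the first packet enters on inside
! and is checked against inside_out. Replies from 172.16.1.0/24 need no
! outside_in entry.
access-list inside_out extended permit ip 192.168.100.0 255.255.255.0 172.16.1.0 255.255.255.0

! Tunnel B: the remote side initiates. After decryption the first packet
! is checked against the inbound ACL on outside, so the remote subnet is
! the source here. Replies from 192.168.100.0/24 need no inside_out entry.
access-list outside_in extended permit ip 10.255.255.0 255.255.255.0 192.168.100.0 255.255.255.0

access-group inside_out in interface inside
access-group outside_in in interface outside

! --- Crypto map bound to outside (peers are placeholders) ---
crypto map outside_map 10 match address tunnelA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 match address tunnelB
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map interface outside
```

So the answer to the question is yes: which interface ACL needs the entry depends on which side initiates, because the ASA only consults an interface ACL for the packet that opens a connection and then permits the return traffic statefully. If a tunnel must carry connections opened from both ends, it needs an entry in both `inside_out` and `outside_in`. The crypto ACLs, by contrast, are always written from the local subnet to the remote subnet. If `sysopt connection permit-vpn` were left at its default, the `outside_in` check would be skipped for decrypted traffic, and per-tunnel filtering would instead be done with a `vpn-filter` ACL in the tunnel's group-policy.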