When building a site-to-site VPN (say, for example, one ASA to another), you use an ACL to determine what traffic is interesting and should thus be tunneled. You also use, let's say, the inbound ACL on the internal interface to control what specific ports are allowed and have more granular control over what traffic actually gets out to go to the other end of the tunnel.
My question is: what is the best/preferred method for controlling inbound access coming from the remote side through the tunnel to your local resources? I think the options are as follows:
a) You trust the remote side to leverage their ACLs on traffic leaving their environment destined to your environment. Basically assuming if you only want to tunnel ssh traffic that their ACLs are only allowing ssh traffic through to you.
b) You disable the sysopt connection permit-ipsec feature. This allows you to put ACLs on the external interface of your firewall controlling traffic inside the tunnel. So on your outside ACL, in addition to permitting the internet to access your web server on port 80, you also allow, say, 192.168.1.0/24 to connect to 10.10.10.10 on port 22.
c) You use sysopt connection permit-ipsec to allow any and all VPN traffic through the firewall and then restrict where the remote users can get to using an EGRESS ACL on the internal interface of your firewall.
IMO option "a" is unacceptable... but I can think of a couple of pros and cons to both "b" and "c", so I am curious to hear what your thoughts are.
Please let me know which you use most often, which you think is best, which you prefer and why.
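The two filtering placements described in options "b" and "c" above, written out as an added ASA configuration example (this is not from the original post or from any vendor documentation). Interface names, ACL names, the peer address and the subnets are assumed; the feature is shown under its current command name `sysopt connection permit-vpn`, which is what older ASA releases called `permit-ipsec`. Only one of the two option blocks would be applied on a given firewall.

```text
! --- Common to both options: the crypto ACL decides what gets encrypted ---
! Local LAN 10.10.10.0/24, remote LAN 192.168.1.0/24, remote peer 203.0.113.2 (all assumed)
access-list VPN_TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
! (transform-set, tunnel-group and NAT exemption lines omitted)
crypto map OUTSIDE_MAP interface outside

! --- Option b: decrypted tunnel traffic must pass the outside interface ACL ---
no sysopt connection permit-vpn
! Internet -> web server on port 80 (web server address assumed)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
! Remote LAN -> one local host, SSH only; everything else from the tunnel is dropped and logged
access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.10 eq 22
access-list OUTSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-group OUTSIDE_IN in interface outside

! --- Option c: tunnel traffic bypasses the outside ACL; filter it as it exits the inside interface ---
sysopt connection permit-vpn
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 10.10.10.10 eq 22
access-list INSIDE_OUT extended deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 log
! Traffic from anywhere else leaving via the inside interface is unaffected
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
```

In both layouts the crypto ACL (`VPN_TRAFFIC`) still only selects what is encrypted; it is the interface ACL that decides what is accepted. The practical difference is scope: with option "b" the rule sits on the interface the tunnel terminates on, so it sees all decrypted traffic regardless of where it is headed, whereas the egress ACL of option "c" only covers packets that actually leave through the inside interface, so remote traffic destined to a DMZ or other interface needs its own outbound rule there. The explicit `deny ... log` lines are what give you a record of remote hosts probing beyond the permitted port.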