I have a few remote sites with different configurations, but to start with, I'd like to use a remote site where there is only one single device on the perimeter and this device does the NAT so all inside hosts can properly connect to the internet using the overloaded public IP address of the router's outside interface.
The headquarters has a Cisco 2800 Series router. The security is tight, so ANY in the ACLs is avoided as much as possible. Plus, the remote site has a static public IP.
What are the exact ACLs that have to be applied on the outside interface of the HQ router in order to allow the remote office to create a site-to-site tunnel? Either end of the tunnel can initiate traffic to bring up the tunnel.
I am always confused by these 3 ACLs when applying them to the outside interface of a router which will participate in these types of tunnels.
access-list 101 permit esp any host 188.8.131.52
access-list 101 permit udp any host 184.108.40.206 eq isakmp
access-list 101 permit udp any host 220.127.116.11 eq non500-isakmp
In this scenario, which ACL is really needed on the outside interface of the HQ router?
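As an added example (not part of the original post and not a vendor-provided configuration), the following Cisco IOS extended ACL shows how the three entries above can be tightened for this scenario. The addresses 203.0.113.1 (HQ outside interface) and 198.51.100.2 (remote site's static public IP), the interface name FastEthernet0/0 and the ACL number 101 are placeholders assumed here for illustration. Because the remote peer has a fixed public address and is itself the device that performs NAT, the source can be restricted to that single host instead of `any`.

```cisco
! Added example, not from the original post. Placeholder addresses:
!   203.0.113.1   = HQ router outside interface (assumed)
!   198.51.100.2  = remote site static public IP (assumed)
!
! IKE (ISAKMP) negotiation, UDP/500: required for any IPsec site-to-site
! tunnel, regardless of which side initiates it.
access-list 101 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
!
! ESP, IP protocol 50: carries the encrypted data once the tunnel is up.
! Required whenever ESP arrives untranslated, i.e. no NAT device sits
! between the two tunnel endpoints.
access-list 101 permit esp host 198.51.100.2 host 203.0.113.1
!
! NAT Traversal, UDP/4500: only needed if IKE detects a NAT device
! between the peers. With both routers holding public IPs on their own
! outside interfaces this entry is normally not needed, so it can be
! left out or kept disabled until NAT-T is actually observed.
! access-list 101 permit udp host 198.51.100.2 host 203.0.113.1 eq non500-isakmp
!
! Optional: log what the implicit deny drops, to spot unexpected peers
! or a NAT device that appears later.
access-list 101 deny ip any any log
!
! Apply inbound on the outside interface (interface name assumed).
interface FastEthernet0/0
 ip access-group 101 in
```

Usage note: after applying the ACL, bring the tunnel up from either side and check `show crypto isakmp sa` and `show crypto ipsec sa` on the HQ router; if the ISAKMP SA forms but no ESP counters increment, or if the peer shows NAT-T in use, the UDP/4500 entry is the one to add back. Whether decrypted traffic is evaluated again against the inbound interface ACL depends on the IOS release, so verify on the platform in use before assuming the inside-to-inside subnets need their own permit entries.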