Hi, I've recently purchased an ASA 5520 to use as a VPN gateway for multiple site-to-site VPN tunnels. I've upgraded to version 8.3 and set up a lab environment. I have set up a simple VPN with a general permit ip rule to start with, and everything works fine. I am having trouble tightening up the access now: if I change the access on the ASA to ICMP I can ping both ways, and if I add tcp I can telnet from a workstation on the other end of the VPN, but if I change the tcp to telnet I cannot connect. The other end of the VPN is a Cisco 2620XM, and I match the access lists for each of the changes. I also don't quite get the direction in the ASA access list; it seems that if I want to permit tcp access from the remote host to the host behind the ASA I have to have the host behind the ASA as the source, which seems backwards??? Can anyone shed any light on this? Much appreciated.
Yes, you are supposed to configure only "IP" in your crypto ACL (the ACL applied to your crypto map), and the crypto ACL is supposed to be a mirror image on each peer; hence when you change it to specific TCP/UDP ports, it no longer mirrors the other side/peer.
I thought you were using an ACL applied to "vpn-filter".
But from the previous post, you actually configure the ACL on each interface.
The above are 3 different ACLs that you apply differently (crypto ACL --> applied to the crypto map, vpn ACL --> applied to vpn-filter, and your normal interface ACL).
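To make the distinction between the three ACLs concrete, here is an added configuration example (not taken from the original posts) for the setup described in the thread: an ASA running 8.3 with a site-to-site tunnel to an IOS router, where the crypto ACL stays a mirrored "permit ip" on both peers and the port-level restriction (telnet only) is done with a vpn-filter ACL instead. All addresses, object and policy names, the peer IP and the pre-shared key are assumptions chosen for illustration; the behaviour noted in the comments (crypto ACLs must mirror, decrypted VPN traffic bypasses interface ACLs while "sysopt connection permit-vpn" is on, and the vpn-filter ACL is written with the remote network as source and the local network as destination) is standard ASA behaviour, not something shown in the posts.

```cisco
! ===== ASA 5520, 8.3 (assumed names/addresses) =====
! Local LAN behind the ASA:      192.168.10.0/24
! Remote LAN behind the 2620XM:  192.168.20.0/24
! Router's outside address:      203.0.113.2

! 1) Crypto ACL: defines WHAT gets encrypted. Keep it "permit ip" only and
!    keep it an exact mirror of the router's crypto ACL. Putting ports here
!    breaks the mirror, which is why "eq telnet" in the crypto ACL fails.
access-list VPN_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside

! 2) vpn-filter ACL: defines WHICH traffic is allowed through the tunnel.
!    It is written from the remote side's point of view: source = remote
!    network, destination = local network, and it is checked for traffic
!    in both directions. This example allows only telnet from remote hosts
!    to the local LAN; nothing else crosses the tunnel. To let LOCAL hosts
!    open telnet to the REMOTE LAN instead, the port moves to the source:
!      permit tcp 192.168.20.0 255.255.255.0 eq telnet 192.168.10.0 255.255.255.0
access-list VPN_FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq telnet

group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER
 vpn-tunnel-protocol IPSec

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_POLICY
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExamplePSKChangeMe

! 3) Interface ACL: unrelated to the tunnel. With the default
!    "sysopt connection permit-vpn", decrypted VPN traffic skips the
!    interface ACLs entirely, so adding "eq telnet" to an inside/outside
!    ACL is not where this restriction takes effect.
sysopt connection permit-vpn

! ===== Cisco 2620XM (IOS) side: the mirror image of the crypto ACL =====
! ip access-list extended VPN_CRYPTO
!  permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! crypto map OUTSIDE_MAP 10 ipsec-isakmp
!  set peer <ASA outside address>
!  set transform-set ESP-AES-SHA
!  match address VPN_CRYPTO
! Port filtering on the router side would go in a normal interface ACL
! (ip access-group), never in VPN_CRYPTO.
```

After applying the filter, "show vpn-sessiondb detail l2l" on the ASA shows the filter name attached to the session, and "show access-list VPN_FILTER" shows hit counts climbing as telnet sessions are tested; a ping across the tunnel should now fail, since ICMP is not permitted by VPN_FILTER, while the crypto ACL hit counts are unchanged.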