This is the first time I've seen somebody try this with the router/sensor.
Things to consider/try:
1) Since it is the same router for which you already have alarms being generated for acl 110 denials, compare the sensor configuration for the 10 acl to the sensor configuration for the 110 acl and make sure they are the same.
2) The sensor relies on a very specific format for the acl denial syslog message. It could be that the syslog message is different when the acl is applied to a vty than when applied to a router interface. I also don't know whether or not the log feature works when applied to the vty.
What you could do is generate the syslog messages for both the 110 acl denial and the 10 acl denial on the vty line and compare the syntax of the 2 acl messages.
(You could snoop for the syslog messages or configure the router to send to a syslog server for this test, and analyze the messages on the syslog server.)
If the syntax differs or if no syslog is generated for the 10 acl then the sensor won't be able to generate an alarm.
3) Another possibility is that the 10 acl is a standard acl, while the 110 acl is an extended acl. The syslog messages generated by standard acls could be different than those generated by extended acls. If so then you might try creating an extended acl 120 to use instead of acl 10 and see if it works.
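
The comparison suggested in step 2, as an added example that is not part of the original post: a Python script that reduces each ACL denial line collected on the syslog server to a syntax skeleton and reports whether the two ACLs produce the same message layout. The sample lines are constructed in the usual IOS `%SEC-6-IPACCESSLOG*` layout and the function names are hypothetical; which layout the sensor actually expects is not stated in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses); replace with real captures.
SAMPLE = [
    "Mar  1 00:10:01 rtr1 45: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.10(4021) -> 198.51.100.1(23), 1 packet",
    "Mar  1 00:10:07 rtr1 46: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.10 1 packet",
    "Mar  1 00:10:09 rtr1 47: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 192.0.2.10 -> 198.51.100.1 (8/0), 1 packet",
    "Mar  1 00:10:11 rtr1 48: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
]

# mnemonic, ACL id, action, remainder of the message
ACL_MSG = re.compile(r"%(SEC-\d-IPACCESSLOG\w*): list (\S+) (permitted|denied) (.*)$")

def shape(body):
    """Reduce a message body to its syntax skeleton: addresses -> IP, numbers -> N."""
    body = re.sub(r"\d{1,3}(?:\.\d{1,3}){3}", "IP", body)
    return re.sub(r"\d+", "N", body)

def denial_shapes(lines):
    """Map ACL id -> set of (mnemonic, skeleton) seen in its denial messages."""
    out = defaultdict(set)
    for line in lines:
        m = ACL_MSG.search(line)
        if m and m.group(3) == "denied":
            out[m.group(2)].add((m.group(1), shape(m.group(4))))
    return out

def compare(lines, acl_a, acl_b):
    """Report ACLs with no denial syslog at all and any layout differences."""
    shapes = denial_shapes(lines)
    a, b = shapes.get(acl_a, set()), shapes.get(acl_b, set())
    return {
        "missing": [acl for acl, s in ((acl_a, a), (acl_b, b)) if not s],
        "same_syntax": bool(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
    }

if __name__ == "__main__":
    for key, value in compare(SAMPLE, "110", "10").items():
        print(key, value)
```

An entry under `missing` corresponds to the case where no syslog is generated for that ACL; `same_syntax` being false corresponds to the case where the message layouts differ.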