with the command "sysopt connection permit-ipsec" disabled, an inbound acl will be required.
e.g. net1 <--> pix1 <--> www/vpn <--> pix2 <--> net2
on pix1, an inbound acl permitting net2 to net1 is required. in fact, you can further restrict the access down to protocol/port level:
access-list 100 permit tcp host host eq 3389
access-group 100 in interface outside
one point to note when disabling the command "sysopt connection permit-ipsec" is that you will need to add all vpn traffic to the inbound acl, including all lan-lan vpn and remote vpn access.
regarding the second issue, "how to enable the unidirectional traffic from inside other than dmz?", you just need to add the inside subnet to the no nat acl and the existing crypto acl.
it's good to learn that your issue has been resolved.
according to cisco:
Why should I rate posts?
If you see a post that you think deserves recognition, please take a moment to rate it.
You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings are accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.
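An added example, not part of the original post and not Cisco tooling: a small Python check of the point made above, that with "sysopt connection permit-ipsec" disabled the inbound acl on the outside interface has to admit the tunnel traffic. The addresses, acl numbers and crypto map name are constructed, and treating a config without a "sysopt connection permit-ipsec" line as disabled is an assumption.

```python
import ipaddress
import re

def _addr(tok, i):
    """Parse 'host A', 'any' or 'NET MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def audit(config):
    """List (crypto acl, remote net, local net) the outside inbound acl never admits."""
    lines = [l.strip() for l in config.splitlines()]
    if "sysopt connection permit-ipsec" in lines:
        return []  # enabled: tunnel traffic bypasses the interface acl
    acls, crypto, inbound = {}, set(), None
    for l in lines:
        tok = l.split()
        if l.startswith("access-list ") and len(tok) > 5 and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif m := re.match(r"access-group (\S+) in interface outside$", l):
            inbound = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", l):
            crypto.add(m.group(1))
    missing = []
    for name in sorted(crypto):
        for local, remote in acls.get(name, []):  # crypto acl is written local -> remote
            # inbound traffic arrives remote -> local, so compare with roles swapped
            if not any(s.overlaps(remote) and d.overlaps(local)
                       for s, d in acls.get(inbound, [])):
                missing.append((name, str(remote), str(local)))
    return missing

# Constructed pix1 config: net1 = 10.1.1.0/24 (local), net2 = 10.2.2.0/24 (remote).
BASE = """\
no sysopt connection permit-ipsec
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-group 100 in interface outside
crypto map vpnmap 10 match address 90
"""
RDP_RULE = "access-list 100 permit tcp host 10.2.2.10 host 10.1.1.20 eq 3389\n"

if __name__ == "__main__":
    print(audit(BASE))             # acl 100 has no entry for the tunnel
    print(audit(BASE + RDP_RULE))  # RDP from one net2 host is admitted
```

The check only looks at permit entries and reports a tunnel as covered once any inbound entry overlaps it, so it finds tunnels that would be dropped entirely, not ports that are still closed.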