The first part of this discussion I understand and agree with: traffic that matches a permit in the ACL will be encrypted and sent through the tunnel and traffic that is denied will not be encrypted and not sent through the tunnel. (Note that this does not necessarily mean that traffic that is denied will not be sent - it just means that it will not be sent through the VPN tunnel.)
I do not understand or agree with the second part of the discussion, which asserts that there is no purpose for deny statements other than logging. I have a situation at a customer site where there is a VPN tunnel between routerA and routerB. Certain clients on routerA need to communicate with a server on routerB, and due to the sensitivity of the data it is required to be encrypted. So the access list has a permit for the traffic from these clients to this server. There is other traffic from other end stations on these routers which is also sent between the routers. There is no need to encrypt this other traffic. So there is a deny in the ACL which denies this other traffic. The other traffic is still routed between routerA and routerB, but it is not sent through the tunnel; it is sent on the normal links. In this situation there is very much a need for the deny statements.
I had the scenario where I was using 10.0.0.0/8 for one site and I had to use 10.250.0.0/16 for another site (I had no control over IP addressing). So I had to deny 10.250.0.0/16 on the first tunnel and permit 10.0.0.0/8, and on the second tunnel just permit 10.250.0.0/16. But the problem with this is that on the second tunnel, where I had 10.250.0.0/16, I couldn't initiate the traffic from my side to 10.250.0.0/16. However, if someone initiated traffic from 10.250.0.0/16, the tunnel would come up and then traffic flow was bidirectional.
I had some discussions with TAC and they said that when you have deny statements, that's one of the expected behaviors. So my options were:
take out the permit 10.0.0.0/8 & deny 10.250.0.0/16 lines and add 100 lines of specific permits,
or just configure one of the machines on the far end to initiate a ping every hour.
So there is some value in deny lines, but it depends on how you use them.
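For concreteness, the two crypto ACLs described in the post above look like this in IOS syntax. This is an added illustration, not the poster's actual configuration and not a Cisco example; the hub LAN 192.168.1.0/24, the peer addresses 192.0.2.1 and 198.51.100.1, the WAN address 203.0.113.2, the pre-shared key placeholders, and the names CRYPTO-TO-A, CRYPTO-TO-B, TS-AES and VPN are all assumptions made for the example.

```cisco
! Assumed topology (not from the original post):
!   hub LAN            192.168.1.0/24  (this router)
!   site A, peer 192.0.2.1     uses 10.0.0.0/8
!   site B, peer 198.51.100.1  uses 10.250.0.0/16 (overlaps site A's /8)
!
! Crypto ACL for the tunnel to site A. The deny carves the /16 out of the
! /8 so that packets for site B do not match the broad permit and are not
! sent into this tunnel. A deny here does not drop anything: the packet
! simply is not protected by this crypto map entry and is forwarded
! according to the routing table (in this design, into the next entry).
ip access-list extended CRYPTO-TO-A
 deny   ip 192.168.1.0 0.0.0.255 10.250.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Crypto ACL for the tunnel to site B: only the /16 is interesting traffic.
ip access-list extended CRYPTO-TO-B
 permit ip 192.168.1.0 0.0.0.255 10.250.0.0 0.0.255.255
!
! IKE phase 1 policy and pre-shared keys (placeholder keys, assumed).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-FOR-SITE-A address 192.0.2.1
crypto isakmp key PSK-FOR-SITE-B address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto map, two entries. Entry 10 is evaluated first; the deny in
! CRYPTO-TO-A is what keeps the /16 from being claimed by the site A peer.
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address CRYPTO-TO-A
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address CRYPTO-TO-B
!
interface GigabitEthernet0/0
 description WAN (assumed address)
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
```

With overlapping prefixes, the deny in CRYPTO-TO-A and the order of the two crypto map entries together decide which peer the /16 is sent to; without the deny, entry 10's permit for 10.0.0.0/8 would also cover 10.250.0.0/16. The poster's workaround for the second tunnel not being brought up from this side was a periodic ping from the far end; nothing in the configuration above changes that behaviour, and `show crypto ipsec sa` on both routers is the quickest way to confirm which ACL line each SA was built from.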