The 'sysopt connection permit-vpn' command allows all IPSec-related traffic to reach the firewall, in effect bypassing any ACLs on the outside interface. I believe this is enabled by default on v8. If you require more granular control over your VPN clients, you can disable this with the 'no sysopt connection permit-vpn' command and then set up access lists. You will need to allow ports 50, 51 and 500 explicitly if you do this.
So, if I have "sysopt connection permit-vpn" enabled, access control inside L2L VPN is only done with crypto map access list?
Because this doesn't work for me. I must allow communication from 10.11.13.0/24 to 192.168.10.0/24 in the interface ACL (I can see hits on its ACEs), not only in the crypto map ACL (I can't see hits on the crypto map ACEs).
The sysopt command allows IPSec traffic that terminates at your outside interface to come through it, but not through any other interface on the FW; that has to be explicitly defined in ACLs.
Also, if you are allowing traffic from the private networks to communicate, i.e. not PATing them at the outside interfaces, then you will also need ACLs to bypass NAT. So you would have something like this on the FW that contains the 10.11.13.0/24 subnet:
access-list Inside_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-list L2LVPN_NONAT extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0
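As an added, constructed example (not configuration posted in this thread), here is an ASA 8.2-style L2L setup on the firewall that holds 10.11.13.0/24, putting together the NAT-exemption ACL, the crypto map ACL, and the interface ACLs under both sysopt settings. The peer address 203.0.113.1, the pre-shared key, the transform set, and the ACL and crypto map names are placeholders.

```cisco
! Constructed ASA 8.2-style example; peer, PSK and names are placeholders.
! 1. NAT exemption: keep private addresses intact across the tunnel
access-list L2LVPN_NONAT extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list L2LVPN_NONAT
!
! 2. Crypto map ACL: selects what gets encrypted (it is not a security ACL)
access-list L2LVPN_CRYPTO extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! 3. IKE phase 1 and IPsec phase 2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2LVPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
!
! 4a. Default: decrypted traffic arriving on outside skips the outside ACL.
!     Traffic leaving inside hosts still passes the inside interface ACL.
sysopt connection permit-vpn
access-list Inside_IN extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group Inside_IN in interface inside
!
! 4b. Alternative: disable the bypass and filter VPN traffic on outside.
!     The outside ACL must then permit the tunnel itself (ESP is IP protocol 50,
!     AH is 51, ISAKMP is UDP/500, NAT-T is UDP/4500) and the decrypted flows.
! no sysopt connection permit-vpn
! access-list Outside_IN extended permit esp host 203.0.113.1 interface outside
! access-list Outside_IN extended permit udp host 203.0.113.1 interface outside eq isakmp
! access-list Outside_IN extended permit udp host 203.0.113.1 interface outside eq 4500
! access-list Outside_IN extended permit ip 192.168.10.0 255.255.255.0 10.11.13.0 255.255.255.0
! access-group Outside_IN in interface outside
```

With 'sysopt connection permit-vpn' left at its default, only the inside ACL and the NAT exemption decide whether 10.11.13.0/24 can reach 192.168.10.0/24; the crypto map ACL counters only tell you what was selected for encryption.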