ASA 7.2.1. I have added a vpn-filter ACL to an L2L tunnel-group policy. I used the following Cisco document, "Restrict the Network Access of Remote Access VPN Users":
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
The problem is, I have to explicitly allow the return traffic from any initiated connection. For example:
access-list 101 permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet
access-list 101 permit tcp host 172.16.0.1 eq telnet host 172.25.0.1
I understand the ACL needs to be written bidirectionally, because it is not applied in or out of an interface, but shouldn't it be stateful? If not, what's the point of the vpn-filter?
Is my other option to remove "sysopt connection permit-ipsec" and put the vpn-filter ACLs on the outside interface?
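An added configuration example (not from the original post or the Cisco document) showing the two-line bidirectional ACL from the question applied as a vpn-filter to the group policy of an L2L tunnel-group; the peer address, the group-policy name and which host is remote are assumptions:

```text
! Assumptions: 172.25.0.1 is the remote host, 172.16.0.1 the local host,
! the peer is 192.0.2.1 (documentation address), group policy L2L-POLICY.
! A vpn-filter ACL is evaluated per packet with no connection state, so the
! return direction (telnet replies) needs its own permit line.
access-list VPN-FILTER extended permit tcp host 172.25.0.1 host 172.16.0.1 eq telnet
access-list VPN-FILTER extended permit tcp host 172.16.0.1 eq telnet host 172.25.0.1
!
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER
!
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 general-attributes
 default-group-policy L2L-POLICY
!
! Confirm the filter is attached to the active tunnel:
show vpn-sessiondb l2l
```

Anything not matched by the two permit lines is dropped by the implicit deny at the end of the filter, which is why every additional protocol carried over the tunnel needs both directions listed as well.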