Consider the following Phase 2 parameters of a VPN. The issue is that I need to give a clear text access-list too, along with the normal Crypto ACL and NO NAT ACL. I am not able to find out the reason for the same.
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA
a) Crypto ACL
access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
b) NO NAT ACL
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3
c) Clear text ACL
access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
Query: In a Site to Site VPN, ideally only the Crypto ACL (interesting traffic ACL) and the NO NAT ACL are required. However, in some VPN scenarios a clear text ACL is also required, without which, even after the tunnel is up, devices are unreachable and it gives the following error:
"Connection denied by webdmz_access_in"
Please let me know the following:
1) Is it really required?
2) If not, what are the scenarios in which it needs to be given?
Regards
Ankur
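The post asks why an interface ACL has to be present alongside the crypto and nat0 ACLs. The following is an added example, not configuration or code from the poster or from Cisco: a small Python model of the order in which an ASA consults those three ACLs for a flow that originates behind the firewall. It assumes what the denial message in the post implies, namely that `webdmz_access_in` and `appdmz_access_in` are bound inbound to their interfaces with `access-group` (the post does not show those lines, so the interface-to-ACL mapping below is an assumption), and it encodes the ASA behaviour that an inbound ACL on the ingress interface is evaluated before the crypto map ever sees the packet, so a host permitted by the crypto ACL but not by the interface ACL is dropped with exactly the message quoted above. (`sysopt connection permit-vpn` only exempts decrypted traffic arriving on the outside interface; it does not bypass the inside-facing interface ACL.) The ACL lines are the ones from the post; the sample flows are constructed.

```python
"""Model of the ASA ACL checks a flow passes on its way into a site-to-site tunnel.

Added example, not configuration or code from the original post or from Cisco.
Assumed evaluation order for traffic that originates behind the firewall:
  1. the ACL bound inbound to the ingress interface (implicit deny at the end),
  2. the nat0 ACL, which decides whether the source is exempt from NAT,
  3. the crypto-map ACL, which decides whether the flow is encrypted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA port keywords that may follow "eq"; only the ones needed for this config.
PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443}

# ACL lines taken from the post.
CONFIG = """
access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3
access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
"""

# Assumed binding of interface -> (inbound access-group ACL, nat0 ACL); not shown in the post.
INTERFACES = {
    "webdmz": ("webdmz_access_in", "webdmz_outbound_nat0_acl"),
    "appdmz": ("appdmz_access_in", "appdmz_outbound_nat0_acl"),
}
CRYPTO_ACL = "outside_cryptomap_140"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port

    def matches(self, flow: Flow) -> bool:
        return (
            self.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in self.src
            and ipaddress.ip_address(flow.dst) in self.dst
            and (self.dport is None or self.dport == flow.dport)
        )


def _network(tokens: List[str], i: int):
    """Read 'host A' or 'NET MASK' (ASA uses netmasks, not wildcards) at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines by name."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _network(t, 5)
        dst, i = _network(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def first_match(aces: List[Ace], flow: Flow) -> Optional[Ace]:
    return next((a for a in aces if a.matches(flow)), None)


def evaluate(flow: Flow, acls: Dict[str, List[Ace]], ingress_acl: str,
             nat0_acl: str, crypto_acl: str) -> str:
    """Return the verdict the modelled ASA gives this flow, checking ACLs in order."""
    hit = first_match(acls.get(ingress_acl, []), flow)
    if hit is None or hit.action == "deny":     # implicit deny at the end of a bound ACL
        return f"Connection denied by {ingress_acl}"
    nat_exempt = first_match(acls.get(nat0_acl, []), flow) is not None
    if first_match(acls.get(crypto_acl, []), flow) is None:
        return "routed in the clear (not interesting traffic)"
    return "encrypted into tunnel" if nat_exempt else "encrypted into tunnel after NAT"


ACLS = parse_acls(CONFIG)


def verdict(interface: str, flow: Flow) -> str:
    """Evaluate a flow entering the named interface under the assumed bindings."""
    ingress, nat0 = INTERFACES[interface]
    return evaluate(flow, ACLS, ingress, nat0, CRYPTO_ACL)


if __name__ == "__main__":
    # Constructed sample flows: ssh passes, anything else from 10.10.49.30 to the /24 is
    # interesting to the crypto map yet dropped by the narrower interface ACL.
    for iface, f in [("webdmz", Flow("10.10.49.30", "10.100.8.3", "tcp", 22)),
                     ("webdmz", Flow("10.10.49.30", "10.100.8.3", "tcp", 443)),
                     ("webdmz", Flow("10.10.49.30", "10.200.253.8", "icmp")),
                     ("appdmz", Flow("10.81.34.59", "10.100.8.3", "tcp", 1521))]:
        print(iface, f.src, "->", f.dst, f.proto, f.dport or "", ":", verdict(iface, f))
```

The model shows the mismatch in the posted config: the crypto ACL admits all IP traffic from 10.10.49.30 to 10.100.8.0/24, but `webdmz_access_in` only permits ssh, so any other protocol to that subnet is dropped at the interface before encryption is even considered. Keeping the interface ACL tighter than the crypto ACL is a legitimate least-privilege choice; the thing to remember is that once an access-group is bound to an interface, every flow entering it is subject to that ACL, tunnel-bound or not.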