01-23-2013 08:31 AM
Is anyone aware of a site-to-site VPN best practices document? I set up a site-to-site VPN for a client that needs access to a handful of IP addresses and I am controlling access through the crypto ACL. They are stating that it is best practice to allow access to the entire subnet and control access through a regular interface ACL. This does not make any sense to me. Why bring up the tunnel for traffic that the other site does not have access to, only to block it on my side? I need some type of design document or best practices document that proves this, but I have been unsuccessful in searching.