I know this command has been covered in a few places, but even after reading the documentation I'm confused about what it does.
When enabled, does it permit the overlay (i.e. DTLS traffic and associated TLS) from AnyConnect clients towards the ASA? Or does it mean the underlay (i.e. real user/tunneled traffic) will not be subjected to the outside interface ACL?
I thought the sysopt command would apply to traffic from the corporate network towards the clients as well, but unfortunately the following blocked all my underlay traffic outbound to AnyConnect clients:
sysopt connection permit-vpn
access-group ACL-OUTSIDE-OUT out interface outside
access-list ACL-OUTSIDE-OUT extended deny ip any any log
With the above config, clients can still establish DTLS sessions and access things like corporate CIFS shares, but no traffic from the internal LAN could be initiated towards the client, i.e. on my corporate PC, I could not ping the VPN pool IP of an AnyConnect client.
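As an added illustration (not part of the original post, and not Cisco code), the following is a simplified model of how the ASA evaluates the two directions on the outside interface: sysopt connection permit-vpn only exempts decrypted traffic that enters through the tunnel from the inbound interface ACL, while traffic leaving the outside interface towards a client is still matched against an ACL applied with "out". The ACL table and the policy object are constructed for this model and reduce each ACL to a single default verdict.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ACL table: name -> verdict. Mirrors the post's single-line ACL.
ACLS = {"ACL-OUTSIDE-OUT": "deny"}


@dataclass(frozen=True)
class AsaPolicy:
    permit_vpn: bool                 # "sysopt connection permit-vpn" present?
    outside_in_acl: Optional[str]    # access-group <name> in interface outside
    outside_out_acl: Optional[str]   # access-group <name> out interface outside


def acl_verdict(name: Optional[str]) -> str:
    """No ACL bound in a direction means the traffic is not filtered there."""
    return "permit" if name is None else ACLS[name]


def check_flow(policy: AsaPolicy, direction: str, via_tunnel: bool) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet on the outside interface.

    direction == "in":  packet enters the outside interface (client -> LAN),
                        i.e. it has just been decrypted if via_tunnel is True.
    direction == "out": packet leaves the outside interface (LAN -> client),
                        i.e. it is about to be encrypted into the tunnel.
    """
    if direction == "in":
        if via_tunnel and policy.permit_vpn:
            return "permit", "decrypted VPN traffic bypasses inbound ACL (sysopt)"
        return acl_verdict(policy.outside_in_acl), "inbound interface ACL"
    if direction == "out":
        # sysopt does not exempt traffic heading towards the client.
        return acl_verdict(policy.outside_out_acl), "outbound interface ACL"
    raise ValueError(f"unknown direction {direction!r}")


# The post's configuration: sysopt enabled, deny-all ACL applied outbound only.
POSTED = AsaPolicy(permit_vpn=True, outside_in_acl=None,
                   outside_out_acl="ACL-OUTSIDE-OUT")

if __name__ == "__main__":
    print("client -> CIFS share :", check_flow(POSTED, "in", via_tunnel=True))
    print("corporate PC -> client:", check_flow(POSTED, "out", via_tunnel=True))
```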