I have always understood that sysopt connection permit-vpn was enabled by default on ASA 7.2 and above, and therefore by default exempted traffic flowing between hosts in the crypto ACL from having to be parsed against your ingress or egress ACLs. However, today I was working on an issue where the internal hosts have an ACL applied to the inside interface with an any-any rule that restricts traffic outbound to the internet to only the specific ports defined in a service-based object group. My site-to-site tunnel was working as it should, except I could not get hosts defined in my crypto ACL to talk to each other on a specific port. That is when I found the aforementioned rule, added my ports to the object-group, and I was able to communicate as expected. I never looked at any rules because I knew sysopt connection permit-vpn was enabled. So it appears that there is an order to this madness that I don't understand, and while sysopt connection permit-vpn bypasses host-to-host communication, another ACL can block the traffic. Can someone break this down for me? Thanks…
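An added configuration sketch (not the poster's own config and not taken from Cisco documentation; the ACL and object-group names, the 10.1.1.0/24 and 10.2.2.0/24 subnets, and the port numbers are all assumed) showing the shape of the setup described in the post. The point it illustrates is the ordering question: sysopt connection permit-vpn exempts decrypted traffic that arrives from the IPsec tunnel from the interface ACL check, but a cleartext packet an inside host sends toward the remote LAN enters the inside interface before it is encrypted, so an ACL applied inbound on inside is evaluated against it like any other traffic. Permitting the crypto-ACL peers explicitly ahead of the port-restricted rule keeps the internet restriction intact without adding tunnel-only ports to the internet object-group:

```cisco
! Ports internal hosts may use toward the internet (constructed example values)
object-group service INTERNET-PORTS tcp
 port-object eq 80
 port-object eq 443

! Crypto ACL: "interesting traffic" for the site-to-site tunnel
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Inside interface ACL. This is checked on cleartext packets entering "inside",
! i.e. before they reach the crypto map and get encrypted, so permit-vpn
! does not skip it. Permit the tunnel peers first, then the restricted
! internet rule, then log what is dropped.
access-list INSIDE-IN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INSIDE-IN extended permit tcp any any object-group INTERNET-PORTS
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! Decrypted packets arriving from the tunnel on "outside" bypass the
! outside interface ACL (the default the post refers to)
sysopt connection permit-vpn
```

To confirm which line a flow actually hits, `show access-list INSIDE-IN` shows per-line hit counts, and `packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 445` (assumed hosts and port) walks the packet through each phase, including the ACCESS-LIST phase on inside, so a drop there is visible before any VPN lookup takes place. The `log` keyword on the final deny gives the same answer from syslog without re-running the trace.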