access-list needed for vpn

Network Pro
Level 1

Hi,

If we have a LAN-to-LAN VPN between two Cisco firewalls and have allowed the service as IP (IPsec tunnel), do we need individual access-list entries in the security policy? (I had a similar case where I had to put an entry in the security policy for port 16000 between the two subnets used on the LAN-to-LAN firewalls.)

I was under the impression that the security policy applies only to non-VPN traffic, and that for VPN traffic we need to specify it on the IPsec tunnel (under the Service tab).

Thanks


7 Replies

ajay chauhan
Level 7

Your question is not very clear to me. However, if you mean to say you need an extra ACL for VPN, then the answer is yes: you need to call an ACL for crypto, as well as one for NAT exemption, while configuring a site-to-site VPN.

Thanks

Ajay

Yep, apart from the ACL (that is encrypted in the tunnel), do we need any extra ACL to allow access to the specific ports? (Please note that in the extended ACL for the VPN I have allowed IP traffic, which means all traffic.) But I have had to put in an extra ACL apart from the first one and mention the port numbers. Not sure why? (I thought the ACLs in the security policy tab are needed only for non-VPN traffic.)

There are two ways you can filter traffic which is moving over the VPN.

1) Filter at the source; of course ACLs are required.

For example, the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.

The ACL would be:

access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
access-list XXX extended permit ip any any
access-group XXX in interface inside

So this will deny port 80 and permit the rest of the traffic.

2) You can configure a VPN filter, which is called under the group policy.

Thanks

Ajay

The normal access list that you allow through the tunnel would be:

access-list outside_10_cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

Now I have allowed IP between the 10.10.10.0 and 20.20.20.0 subnets (either side of the tunnel).

Now if I want to allow port 15000, I thought since I am allowing IP it should work, but I had to put in an access list as:

access-list OUTSIDE_IN extended permit tcp host 10.10.10.10 host 20.20.20.20 eq 15000

So I am not sure why the above OUTSIDE_IN statement would be needed, as IP is allowed through the tunnel?

Turn on this command and remove the statement and then try-

config#sysopt connection permit-vpn

Thanks

Ajay

Thanks for this, but unfortunately I can't test this as it's in production. But what does this command do?

It bypasses the ACL configured on the interface.
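To tie the replies together, here is an added ASA configuration fragment (not posted by anyone in this thread) showing the three situations discussed: with sysopt connection permit-vpn on, decrypted tunnel traffic skips the interface ACL, so the crypto ACL and NAT exemption are enough; with it off, the outside interface ACL must permit the inbound tunnel flows; and a vpn-filter under the group policy restricts tunnel traffic either way. It assumes ASA 8.3+ NAT syntax, that 10.10.10.0/24 is the local LAN, and placeholder object, ACL, group-policy names and peer address.

```cisco
! Constructed example; object names, ACL names, group-policy name and peer IP are assumed placeholders
object network SITE_A_LAN
 subnet 10.10.10.0 255.255.255.0
object network SITE_B_LAN
 subnet 20.20.20.0 255.255.255.0
!
! Crypto ACL: defines interesting traffic for the tunnel ("permit ip" = every protocol and port)
access-list outside_10_cryptomap extended permit ip object SITE_A_LAN object SITE_B_LAN
!
! NAT exemption (identity NAT) so tunnel traffic keeps its private addresses
nat (inside,outside) source static SITE_A_LAN SITE_A_LAN destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup
!
! Option 1 (the accepted answer): decrypted VPN traffic bypasses the interface ACLs,
! so no OUTSIDE_IN entry is needed for tunnel flows
sysopt connection permit-vpn
!
! Option 2: with the bypass disabled, the outside interface ACL must explicitly permit
! each inbound tunnel flow, e.g. the port-15000 access from the question
! (written from the remote host to the local host, since it is inbound on outside)
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 15000
access-group OUTSIDE_IN in interface outside
!
! Option 3 (Ajay's second method): a vpn-filter applied via group-policy filters tunnel
! traffic even when sysopt connection permit-vpn is on. For a LAN-to-LAN tunnel the
! vpn-filter ACL is written from the remote peer's side: source = remote, destination = local.
access-list VPN_FILTER extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 15000
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L_POLICY
```

Options 1 and 2 are mutually exclusive; only one of the two sysopt lines is present on a real device, and the vpn-filter in option 3 is the usual way to restrict ports once the bypass is enabled.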