Either that or leave out the vlan1 line. It depends: is vlan1 explicitly tagged for that connection? Note that according to 802.1Q, the "native" vlan for a trunk will not be tagged (so if you want "all" vlans to be tagged, you need to change the "native" vlan for the trunk to a vlan# that is not used by any traffic.)
access-list ksieg_to_inside permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
access-group ksieg_to_inside in interface ksieg
and repeat for caffe.
This will not allow "full access": for example, ksieg hosts would not be allowed to send IPX to 192.168.1.2, and ksieg hosts would not be allowed to suddenly send an ACK packet that was not part of an existing TCP connection (a technique that is sometimes used to bypass packet filters that are set to allow "established" traffic.) Also, ksieg hosts would still have to obey proper FTP protocols and so on for all other "fixup" statements you have active.
But I wouldn't do what you are asking. If you need to be able to start arbitrary connections from ksieg and caffe to host 192.168.1.2 then that host 192.168.1.2 should be on a *lower* security interface than either ksieg or caffe. Otherwise, if someone takes control of a system in ksieg or caffe they can use it to take control of 192.168.1.2 and then use that host to take control of everything else in your inside interface.
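The point above about stray ACK packets, as an added Python illustration that is not part of the original post and is not PIX code: a toy stateless "established" rule beside a toy connection-tracking filter that applies the post's ksieg_to_inside ACL only to new connections. The host 192.168.2.10 and the port numbers are constructed sample values, and a real firewall tracks more state (sequence numbers, timeouts) than this model.

```python
import ipaddress
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN"} or {"ACK"}

KSIEG = ipaddress.ip_network("192.168.2.0/24")

def ksieg_to_inside(pkt):
    """The ACL from the post: permit ip 192.168.2.0/24 -> host 192.168.1.2."""
    return ipaddress.ip_address(pkt.src) in KSIEG and pkt.dst == "192.168.1.2"

def stateless_established(pkt):
    """Toy stateless 'established' rule: pass any segment with ACK or RST set."""
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Toy connection tracker: only a permitted SYN can create a table entry."""
    def __init__(self, permit):
        self.permit = permit   # ACL consulted for connection-opening SYNs only
        self.conns = set()     # (src, sport, dst, dport) of tracked connections

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:
            if self.permit(pkt):
                self.conns.add(key)
                return True
            return False
        # Anything that is not a bare SYN must belong to a tracked connection.
        return key in self.conns or rev in self.conns

def demo():
    fw = StatefulFilter(ksieg_to_inside)
    # Constructed sample packets (addresses in the post's subnets, ports made up).
    stray = Pkt("192.168.2.10", 40000, "192.168.1.2", 80, frozenset({"ACK"}))
    syn = stray._replace(flags=frozenset({"SYN"}))
    reply = Pkt("192.168.1.2", 80, "192.168.2.10", 40000, frozenset({"SYN", "ACK"}))
    return {
        "stateless_stray_ack": stateless_established(stray),  # passes the flag test
        "stateful_stray_ack": fw.check(stray),      # no table entry yet: dropped
        "stateful_syn": fw.check(syn),              # ACL permits, entry created
        "stateful_reply": fw.check(reply),          # reverse direction of the entry
        "stateful_ack_after_syn": fw.check(stray),  # now part of a connection
    }

if __name__ == "__main__":
    print(demo())
```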