If A does any UDP to B then the restriction you request has a risk of loss of functionality; if a "reply" from B might ever take longer than the UDP timeout, then the "reply" will be blocked. Such problems *will* occur with Microsoft Exchange, for example.
If A does any ICMP or GRE (e.g., PPTP) or any other IP protocol to B other than UDP or TCP, then the restriction you request *will* result in loss of functionality.
If A's connections to B are strictly TCP then the restriction can be safely implemented.
To implement: turn off "sysopt connection permit-ipsec". When permit-ipsec is not active, all incoming IPSec VPN traffic is decapsulated but then must pass through the outside interface's access controls, just as if it were traffic from the internet; similarly, when permit-ipsec is not active, all outgoing IPSec VPN traffic must pass through any inside interface access controls before being encapsulated.
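The configuration below is an added example, not part of the post above, showing what the suggested restriction looks like on a PIX 6.x. It assumes A = 10.1.1.10 (the host on the remote VPN side), B = 192.168.1.20 (the host behind the inside interface), an application port of TCP 1433 and an ACL name of outside_in; all four are placeholders. On PIX 7.0 and later and on the ASA the bypass command is named "sysopt connection permit-vpn" instead, but the effect of turning it off is the same.

```cisco
! Added example (not from the original post). Assumed values:
!   A = 10.1.1.10 (remote VPN side), B = 192.168.1.20 (inside), app port TCP 1433
!
! Stop decapsulated VPN traffic from bypassing the interface access lists.
no sysopt connection permit-ipsec
!
! Outside ACL: decapsulated traffic from A is now checked here like any
! Internet traffic, so permit only the TCP service A needs on B and
! deny everything else (UDP, ICMP, GRE and other IP protocols from A).
access-list outside_in permit tcp host 10.1.1.10 host 192.168.1.20 eq 1433
access-list outside_in deny ip any any
access-group outside_in in interface outside
!
! Check that A's sessions hit the permit line and nothing else from A
! is being silently dropped by the deny line.
show access-list outside_in
```

The return traffic from B to A for these TCP sessions is allowed by the PIX's stateful inspection, so no matching entry is needed on the inside interface; if an inside access list is applied, it is consulted for traffic B originates towards A before that traffic is encapsulated, exactly as the post describes.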