I installed a PIX 501 today and configured an IPSec VPN to another site managed by a third party. Everything went okay and the VPN works fine. Once everything was up, the sysadmin at this company asked me if the site had direct internet access, which it did, so he asked me to block all outbound traffic to the internet to force everything down the VPN to the proxy server at head office.
As my config had 'sysopt connection permit-ipsec', I presumed that I could just put a 'deny all' ACL on the inside interface to block all traffic and that any traffic matching the crypto access list for the VPN would bypass the 'deny all' ACL on the inside interface. However, once I had applied it the VPN connectivity stopped, and a look at the logs showed the traffic being blocked by the inside ACL. So I added a line above the 'deny all' statement to permit this local network to the central office network, and that fixed the VPN. If I look at the ACL I can see the hit count going up on the line that permits VPN traffic as well as on the crypto ACL.
My question is, am I correct in thinking that 'sysopt connection permit-ipsec' *should* bypass the inside ACL if the traffic is matched by the crypto ACL? This is on 6.3(5).
Thanks,
Chris.