Configure IPsec to Bypass ACLs
To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.
You might want to bypass interface ACLs for IPsec traffic if you use a separate VPN concentrator behind the ASA and want to maximize the ASA performance. Typically, you create an ACL that permits IPsec packets by using the access-list command and apply it to the source interface. Using an ACL allows you to specify the exact traffic you want to allow through the ASA.
The following example enables IPsec traffic through the ASA without checking ACLs:
hostname(config)# sysopt connection permit-vpn
Decrypted through-traffic is permitted from the client despite having an access group on the outside interface, which calls a deny ip any any ACL, while no sysopt connection permit-vpn is configured.
Trying to control access to the protected network via site-to-site or remote access VPN using the no sysopt permit-vpn command in conjunction with an access control list (ACL) on the outside interface are not successful.
sysopt connection permit-vpn will bypass ACLs (both in and out) on interface where crypto map for that interesting traffic is enabled, along with egress (out) ACLs of all other interfaces, but not the ingress (in) ACLs.
In this situation, when management-access inside is enabled, the ACL is not applied, and users can still connect to the ASA using SSH. Traffic to hosts on the inside network is blocked correctly by the ACL, but decrypted through-traffic to the inside interface is not blocked.
The ssh and http commands are of a higher priority than the ACLs. To deny SSH, Telnet, or ICMP traffic to the box from the VPN session, use ssh, telnet and icmp commands.