The sysopt connection permit-ipsec command allows all traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. In PIX 7.1 and later, the sysopt connection permit-ipsec command is changed to sysopt connection permit-vpn.

In any event you may wish to use VPN filters to restrict traffic from the remote DMZ VLAN to your main office, or by disabling sysopt connection permit-vpn using the no sysopt connection permit-vpn command and applying ACLs to your outside interface. Exercise caution when applying either of these types of filtering to make sure you don’t

Had to look this up too even though the sysopt keyword sounds familiar. Apparently this is an older feature and this command changes the default behavior of terminating TCP sessions so that both the source and destination need to terminate the TCP connection at the same time, instead of sending FIN/ACK exchanges in the way it's normally done.

Now I want to verify the "sysopt connection permit-vpn" command allows the VPN traffic in/out regardless of the ACLs, is that correct? Now I am using the global ACL and I want to filter the traffic on the L2L tunnel. What is the best practice or a better way to filter the L2L traffic: using the "vpn-filter" or by modifying the default