This filter put a little twist into my powers of reasoning but I finally figured it out.
In our example, a Cisco ASA 5510 is serving as a VPN concentrator to which we have built a LAN to LAN IPSEC Tunnel from a customer peer (192.168.103.41). Basically, a host on the customer end (192.168.48.130) transfers files over the NDM protocol (tcp/1364) to our server (10.122.52.12) and sometimes our server (10.122.52.12) has to do the same to their server.
Summary of traffic over the tunnel:
192.168.48.130 --> 10.122.52.12 (tcp/1364)
10.122.52.12 --> 192.168.48.130(tcp/1364)
Our aim is to build the VPN tunnel when traffic between the two servers is present but limit the traffic to just the NDM protocol.
1. First you want the VPN traffic to bypass the filter you have on the interface that the tunnel terminates because we don't want another filter for this traffic. In our case this is the 'untrust' interface. Use this command:
sysopt connection permit-vpn
2. Now define the encryption domain for the tunnel and the Phase 1 (ISAKMP) and Phase 2 (IPSEC) parameters. Whenever, the ASA 'sees' this traffic, it will start the process of bringing up the VPN tunnel.
access-list kis1-vpn-traffic line 1 extended permit ip host 10.122.52.12 host 192.168.48.130
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map untrust_map 10 match address kis1-vpn-traffic
crypto map untrust_map 10 set peer 192.168.103.41
crypto map untrust_map 10 set transform-set ESP-3DES-SHA
crypto map untrust_map 10 set security-association lifetime seconds 28800
crypto map untrust_map 10 set security-association lifetime kilobytes 4608000
crypto map untrust_map interface untrust
crypto isakmp identity address
crypto isakmp enable untrust
crypto isakmp policy 10
3. With code 7.x on, you need to define tunnel group parameters first before the IPSEC tunnel will establish. This is where you define the pre-shared key and the filter that acts on the traffic within this tunnel
access-list kis1-vpn-filter line 1 extended permit tcp host 192.168.48.130 eq 1364 host 10.122.52.12
access-list kis1-vpn-filter line 2 extended permit tcp host 192.168.48.130 host 10.122.52.12 eq 1364
group-policy kis1-group-policy internal
group-policy kis1-group-policy attributes
vpn-filter value kis1-vpn-filter
tunnel-group 192.168.103.41 type ipsec-l2l
tunnel-group 192.168.103.41 general-attributes
tunnel-group 192.168.103.41 ipsec-attributes
4. Now let's take a closer look at the filter 'kis1-vpn-filter'. It has the familiar format where in this case, the source address is the far end address (customer host), while the destination address is the local host (10.122.52.12). Line 2 is very logical - it is allowing their host (192.168.48.130) to send traffic to our host (10.122.52.12) on tcp/1364. Nothing wrong here.
The confusion arrives in Line 1. This line permits the local host to send traffic to their host on tcp/1364! So it appears that the filter does not act on the traffic leaving the local host to the remote host, but acts on the return traffic only. Without this you will not make a connection from your local host to the remote host. Seems easy now... :o)