USG2120 Constitutes ipsec with Cisco3845 router, there is no problem if write address of web server only in acl, add a town bureau network segment into acl, access failed.
Constitute another acl, write into network segment of town bureau, constitute a strategy then, as follows:
ipsec policy map1 10 isakmp
security acl 3000
ipsec policy map1 11 isakmp
security acl 3001
apply to interface, problem solved.
Configure several acl rules on board-end, only one rule works, add ip address from town bureau into acl still negative.
Pay attention to the regulation of acl.