Embryonic connection limits per VPN

networker99
Level 1

Can you assign embryonic connection limits to each VPN (site-to-site) or can it only be assigned globally or on a per interface basis?

Also what is the difference between a half opened connection and an embryonic connection?

Thanks!

7 Replies

Marcin Latosiewicz
Cisco Employee

I assume we're talking about ASA?

Embryonic and half-open connections are the same thing, or at least in the context of what the ASA is doing (a connection that still didn't receive a SYN-ACK).

You can set the number of those via MPF, with whatever a class can match; in particular, if you want to set an embryonic limit on a particular crypto map entry you can use the same access-list to match traffic.

Thanks, and do I just apply the policy to the outside interface (and yes, this is an ASA)... or is there a way to apply it to the crypto map?

There is no way to apply it to a crypto map.

I believe the proper place to apply it is the "global" policy rather than per interface.

Here's a decent configuration example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1088544

Marcin
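As an added example (not from the thread or the linked Cisco document), this is what reusing the crypto map's ACL in a global-policy class looks like on an ASA running 8.2-era syntax. The peer, transform set, addresses, names and limit values are constructed for illustration; the `set connection` keywords are the standard MPF ones.

```cisco
! --- Existing site-to-site definition (constructed addresses and names) ---
! The ACL that selects interesting traffic for crypto map entry 10.
access-list VPN-SITEB-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-SITEB-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! --- Added MPF pieces: connection limits for traffic inside that tunnel ---
! Reuse the same ACL so the class matches exactly the crypto map's
! (cleartext, inner) traffic and nothing else.
class-map VPN-SITEB-CONNS
 match access-list VPN-SITEB-TRAFFIC

! Add the class to the default global policy. On a stock ASA global_policy
! already exists with class inspection_default; this only appends a class.
policy-map global_policy
 class VPN-SITEB-CONNS
  ! At most 100 half-open (embryonic) TCP connections in total for this
  ! class and at most 20 from any single client address. 0 means unlimited.
  set connection embryonic-conn-max 100 per-client-embryonic-max 20
  ! Tear down connections that never complete the handshake after 30 s
  ! (this is the default value, written out explicitly here).
  set connection timeout embryonic 0:00:30

! The default global policy is normally already bound; re-entering the
! command is harmless. Only one global policy can exist.
service-policy global_policy global

! Verification: lists each class with its configured limits and the
! current embryonic connection count.
! show service-policy global
```

Two things worth knowing before relying on this: the class matches on the inner addresses the crypto ACL describes, so the limit applies to sessions carried through the tunnel rather than to the ESP flow from the peer; and once `embryonic-conn-max` is reached the ASA starts proxying the TCP handshake (TCP Intercept) for new connections in that class rather than dropping them outright, so set the number from observed half-open counts in `show service-policy` rather than guessing.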

Thanks. If you do apply it to an interface, will this disable the global policy, or just work alongside it (with the interface policy being looked at first)?

They will work alongside each other.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html

Service Policy Guidelines

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.

You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.
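The practical consequence of that precedence rule for this thread, shown as an added constructed example (not from the thread or the Cisco documentation): if the per-VPN embryonic limit lives in the global policy and someone later adds an interface policy on outside that also uses `set connection`, the interface policy's connection limits replace the global ones on that interface, and the per-VPN limit silently stops being enforced there. Names, addresses and numbers are made up for illustration.

```cisco
! Global policy: FTP inspection plus a per-VPN embryonic limit
! (VPN-SITEB-TRAFFIC is the crypto map ACL; names and limits constructed).
class-map VPN-SITEB-CONNS
 match access-list VPN-SITEB-TRAFFIC
policy-map global_policy
 class inspection_default
  inspect ftp
 class VPN-SITEB-CONNS
  set connection embryonic-conn-max 100
service-policy global_policy global

! Later, an interface policy on outside that also sets connection limits
! on a catch-all TCP class.
class-map OUTSIDE-ALL-TCP
 match port tcp range 1 65535
policy-map outside_policy
 class OUTSIDE-ALL-TCP
  set connection embryonic-conn-max 1000
service-policy outside_policy interface outside
! Result on outside, per the precedence rule above: FTP inspection from
! global_policy still runs (outside_policy has no inspection), but
! connection limits now come from outside_policy only, so the
! 100-connection limit for VPN-SITEB-CONNS is no longer applied on outside.

! Fix: carry the per-VPN class in the interface policy as well, and list
! it before the catch-all. A packet matches only the first class in a
! policy for a given feature, so the more specific class must come first.
policy-map outside_policy
 no class OUTSIDE-ALL-TCP
 class VPN-SITEB-CONNS
  set connection embryonic-conn-max 100
 class OUTSIDE-ALL-TCP
  set connection embryonic-conn-max 1000

! Check which limits are actually in force on the interface:
! show service-policy interface outside
```

The same ordering rule applies inside the global policy: if a catch-all class with `set connection` were placed ahead of the per-VPN class there, the VPN class would never be reached for connection limits either.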

Also, am I correct in assuming that VPN peers (site-to-site) are still subject to the default global policy?

Yes, as far as I'm aware MPF is agnostic as to whether traffic belongs to a VPN, the only exception being QoS configuration, where you have the "match tunnel-group" command.