Problem with dynamic maps and acl's

n.oneill
Level 1

Hi all

I was trying to apply an access-list to a dynamic-map so that I could restrict access from remote VPN users.

access-list restrictvpn permit tcp x.x.x.x x.x.x.x host x.x.x.x eq x

crypto map dynamic-map mobile 5 match address restrictvpn

The VPN worked fine before issuing this command but would not work after applying the ACL. The first time you attempted to connect, it would prompt for authentication details and then just hang on "contacting security gateway". If you cancelled the connection and retried, it would bypass authentication and hang on "securing communications".

As you can see, the ACL is nailed down to a specific port, and when you apply it to the dynamic map it sends a message saying "ACL has port selectors this may cause performance issues".

I cannot strip off sysopt connection permit-ipsec because they have a site-to-site VPN where the remote private network is an illegally assigned public range, which means I would potentially open up access to a remote network.

I have tried restricting the VPN with a split-tunnel ACL but this ignores the port selectors and lets through all traffic to the host.

Any suggestions?

2 Replies

2d-ruttino
Level 1

Can you accomplish this via your NAT (or No NAT) selections?

Unfortunately not. If ports are defined, no packets seem to get through. Only when ip host x.x.x.x vpnnet mask (no ports) is configured does it work.

Thanks anyway!