Why can't he leave his ACL for the crypto map alone and simply apply the relevant access list on the interface to restrict specific entries? Will this affect his VPN (don't think so)?

Regards,
Mario