Looks (as far as I understand your setup) quite reasonable.
You wouldn't need to be as specific with the access-lists; you can summarize src and dst to an extent so that they wouldn't collide with any other nat(0) or crypto policy.
I would use a single line with a shorter mask for both src and dst, something like
access-list ezvpn extended permit ip any 172.30.201.0 255.255.255.224
As far as I remember an ezvpn client will set its remote ident to 0.0.0.0/0.0.0.0/0/0 and its local ident to the local LAN unless you configure split tunneling. If you specify the local ident on the ezvpn server with a /31 mask the incoming phase2 proposal from the ezvpn client will be denied.
If you want to do filtering you should use access-lists instead of overly detailed crypto policies.
The incoming proposals from the ezvpn clients will produce dynamic, more specific ipsec SAs when an incoming proposal matches (both src and dst fall within ip/mask). But the match address will prohibit that the remote access vpn connections would match on sequence number 65534, instead the next sequence will be tried...
Just another thing, where did you configure the ezvpn server on the client? Couldn't see that in your config.