We are removing our legacy VPN concentrators and are using the ASA firewalls as the VPN endpoints for Remote/Easy/L2L VPN access. Our policy is to allow full tunneling for the end users back to the corporate office, so they have Internet access with restricted outbound port-level access. This was set up on the concentrator via the tunnel route feature; on the ASA we wouldn't need this because I intend to have the traffic route back out the way it came in, on the outside interface. I've tested this out in the LAB and had it working. I have a few questions and concerns about how I got this to work.
1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?
2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?
3. How do I restrict the outbound Internet access from the Remote VPN subnet, since the inside ACL policy is bound to the inside interface? The NAT is occurring on the outside interface for the Remote VPN subnet, and applying an access-list out here would not work because the ACL out only works after it has gone through NAT, so this would not help me out at all.
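For reference, here is an ASA configuration that implements the hairpin setup described above (VPN clients entering and leaving on the outside interface) and limits what the VPN pool can reach with a vpn-filter on the group-policy, which is evaluated on the tunnel regardless of the interface ACLs. This is an added example, not the poster's config; the pool 10.20.30.0/24, the corporate network 10.0.0.0/8, the group-policy name and the ASA 8.3-and-later object NAT syntax are all assumptions, and the vpn-filter ACL is written with the VPN client as source, which should be checked against the ASA release in use.

```text
! Assumed pool of addresses handed to remote VPN clients (constructed value)
object network VPN_POOL
 subnet 10.20.30.0 255.255.255.0
 ! Hairpin NAT: client Internet traffic leaves via the outside interface address
 nat (outside,outside) dynamic interface

! Required so traffic may enter and exit the same (outside) interface
same-security-traffic permit intra-interface

! vpn-filter ACL: client address as source, reachable resource as destination.
! Applied to tunnel traffic in both directions; everything not listed is denied.
access-list VPN_FILTER extended permit ip 10.20.30.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN_FILTER extended permit tcp 10.20.30.0 255.255.255.0 any eq 80
access-list VPN_FILTER extended permit tcp 10.20.30.0 255.255.255.0 any eq 443
access-list VPN_FILTER extended permit udp 10.20.30.0 255.255.255.0 any eq 53

! Assumed group-policy name; tunnelall keeps the full-tunnel policy from the post
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
 vpn-filter value VPN_FILTER
```

Because the filter is tied to the tunnel rather than to an interface, it restricts the client traffic before it is hairpinned and NATed, which is the gap the interface ACLs leave in this design.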