Hi John, let me try to answer your questions:
1. Enabled NAT outside for the remote VPN subnet - Any security concerns by doing this?
2. Enabled same-security-traffic permit intra-interface - Any security concerns by doing this?
- Both of these will have the security concerns that a normal host going out to the internet has; of course, controlling access to the internet, which can be done via VPN filters, might help by making sure that only the allowed ports/hosts are permitted to go through.
The security concerns that I might see here are more relevant to the host accessing the internet rather than the platform (ASA) itself. AFAIK there are no issues on the platform with this kind of configuration.
3. How do I restrict the outbound Internet access from the Remote VPN subnet since the inside acl policy is bound to the inside interface???? The NAT is occurring on the outside interface for the Remote VPN subnet, applying an access-list out here would not work because the acl out only works after it has gone thru NAT, this would not help me out at all.
- In this case you can use VPN filters; check the link below, just bear in mind that these filters are based on IP and TCP/UDP ports and cannot use DNS names to restrict traffic.
https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
hth
Ivan
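A worked ASA configuration for the setup discussed in this thread, added here as an example and not part of Ivan's reply or the linked Cisco document: the hairpin and outside NAT John describes, followed by the weak state (no vpn-filter) and the corrected per-group filter. Subnets, the inside DNS address, and the group-policy/tunnel-group names are assumed, and the NAT lines use the pre-8.3 syntax of the linked example.

```cisco
! Assumed addressing (constructed for this example):
!   inside LAN        10.1.0.0/16 (behind the "inside" interface)
!   remote VPN pool   192.168.100.0/24 (assigned to remote-access clients)
!   group-policy RA-GP, tunnel-group RA-TG (assumed names)

! --- The two settings John enabled ---
! Let decrypted VPN traffic turn around and leave via the same interface.
same-security-traffic permit intra-interface
! Translate the VPN pool to the outside interface address for internet access.
global (outside) 1 interface
nat (outside) 1 192.168.100.0 255.255.255.0
! With this default in place, decrypted VPN traffic bypasses interface ACLs,
! which is why the ACL bound to "inside" never sees the VPN subnet.
sysopt connection permit-vpn

! --- Weak: no filter on the group, so clients reach any host on any port ---
group-policy RA-GP attributes
 vpn-filter none

! --- Corrected: a vpn-filter ACL, written with the VPN client as source ---
! Entries are IP/port based only (no DNS names); the implicit deny at the
! end drops anything not listed, so the explicit deny exists just for logging.
access-list RA-VPN-FILTER extended permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list RA-VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list RA-VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 any eq https
access-list RA-VPN-FILTER extended deny ip 192.168.100.0 255.255.255.0 any log
group-policy RA-GP attributes
 vpn-filter value RA-VPN-FILTER
tunnel-group RA-TG general-attributes
 default-group-policy RA-GP
```

After a client connects, `show access-list RA-VPN-FILTER` shows per-entry hit counts, so the logged deny line reveals what the remote subnet is trying to reach that the filter blocks.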