An alternate way which is similar but does not involve proxy arp:
access-list nonatinside permit ip 192.168.0.0 255.255.0.0 VPNCLIENTS 255.255.255.0
nat (inside) 0 access-list nonatinside
> now my question - what are the correct ACLs to allow my internal network to communicate with my vpn box
The answer is also a question - what is your VPN network policy?
A general rule is - only allow the minimal traffic you need.
You have used a dedicated interface at the pix which can give you better control over VPN traffic, but if you simply permit all traffic between VPN and LAN, then it is almost the same as placing the VPN server on the inside LAN. Isn't it?
So, if the VPN users need access to a specific server only, then you can use:
access-list vpn_access_in permit ip VPNCLIENTS 255.255.255.0 host INTERNAL SERVER
And add fine tuning and access control at the 3015 VPN server.
> access-list inside_access_in permit tcp any host 192.168.200.2
No need for this, because VPN clients typically initiate the connection to the internal server(s), but the internal server(s) normally do not initiate sessions to the VPN clients.
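Added example (not part of the original thread): a small Python evaluator for PIX-style ACL lines of the form used above, run over sample flows to show what the minimal vpn_access_in rule permits, what the implicit deny drops, and which LAN-to-VPN traffic the nonatinside list exempts from NAT. The post's VPNCLIENTS and INTERNAL SERVER tokens are placeholders, so the addresses here are constructed assumptions.

```python
import ipaddress

# Constructed values standing in for the post's VPNCLIENTS / INTERNAL SERVER placeholders.
VPNCLIENTS = "192.168.200.0"      # VPN client pool, /24 as in the post's 255.255.255.0 mask
INTERNAL_SERVER = "192.168.10.5"  # the one server VPN users are allowed to reach

VPN_ACCESS_IN = [
    f"access-list vpn_access_in permit ip {VPNCLIENTS} 255.255.255.0 host {INTERNAL_SERVER}",
]
NONAT_INSIDE = [
    f"access-list nonatinside permit ip 192.168.0.0 255.255.0.0 {VPNCLIENTS} 255.255.255.0",
]


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' (PIX 6.x style; ports are ignored here)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """First-match evaluation followed by the implicit deny, as the PIX applies an ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny"  # no explicit match: implicit deny at the end of every ACL


def nat_exempt(src_ip, dst_ip):
    """True when 'nat (inside) 0 access-list nonatinside' would leave this LAN->VPN flow untranslated."""
    return evaluate(NONAT_INSIDE, "ip", src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    print(evaluate(VPN_ACCESS_IN, "tcp", "192.168.200.10", INTERNAL_SERVER))  # permit
    print(evaluate(VPN_ACCESS_IN, "tcp", "192.168.200.10", "192.168.10.6"))   # deny (other LAN host)
    print(nat_exempt("192.168.10.5", "192.168.200.10"))                        # True
```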