Hi,

You have an access-list acl_out that allows any host to access your inside hosts with TCP. So you don't have any tcp protocol restriction.

access-list acl_out permit tcp any host x.y.3.54

access-list acl_out permit tcp any host x.y.3.53

static (inside,outside) X.X.X.X 192.168.0.2 netmask 255.255.255

static (inside,outside) X.X.X.X 192.168.0.83 netmask 255.255.25

Solution: You just have to create an access-list that filtere more specific.

example:

access-list acl-out permit udp any host MyPublicIPVPN eq isakmp

access-list acl-out permit esp any host MyPublicIPVPN

access-list acl-out permit ah any host MyPublicIPVPN

access-list acl_out permit tcp any host x.y.3.54 eq 80

access-list acl_out permit tcp any host x.y.3.54 eq 25

access-list acl_out permit tcp any host x.y.3.53 eq www

access-list acl_out permit tcp any host x.y.3.53 eq 25

The first 3 lines are for VPN, it allows all VPN Client to connect, the other 4 that follows are examples for smtp and www access-lists.

sincerly

Patrick