Security-wise, you should stick to the plan of having your intranet as a different zone than the VPN users. NAT is not an issue; you can allocate another address space for them, e.g. 192.168.51.0/24, and route between these two subnets. Do not apply any NAT on these 2 interfaces.
If you desperately want to bridge them, remove the IP addresses from interface VPN99, then try to bridge it with ETH00 and finally apply the IP on the BRIDGE00 interface.