First time post, hope this question is in the correct location.

Have configured a 2821 successfully to accept VPN connections from clients. They log in, have access to the internal network (192.168.252.0/24), so no problem there. They just simply cannot get back out on the Internet and I would prefer disallowing split tunneling. Rather, they can access my internal work network via VPN and then route out my network and also browse the Internet; i.e. force them back out through Gi0/0 and make them have one of our external facing IP addresses. Our viable outside addresses consist of a /25 block, starting with 64.244.xx.1 up to .127.

Since users connect on Gi0/0 for VPN access or to 64.244.xx.2, I was wondering if it were possible to force them back out this same port for Internet connectivity?

I have tried giving them an IP in the 172.16.11.0/27 block and then NAT'ing that connection out, but to no avail. I'd rather prefer setting aside some IPs in the outside block or 64.244.xx.x subnet and have it appear they originate from .92 through .127.

We also have a collocation facility elsewhere. By forcing them to use our outside IP addresses, I can make them appear to be coming from my office network and can firewall all other users, thereby allowing only my users in.

Is what I am asking here even possible without enabling VPN split tunneling?

Am including my current config. Any suggestions are appreciated and welcome.

Thanks much. Happy to provide any additional information.