I created an IPsec tunnel with NAT traversal between our LAN and a remote server (called remote_vpn here) to access the Internet.
The PCs behind the dmz interface use DHCP (in the network range called dmz-network here) and reach the Internet through the IPsec tunnel.
The tunnel works most of the time, but when it goes down (due to a remote server issue) the PCs have no Internet access at all, although they could use direct Internet access (without going through the IPsec tunnel). Here are the NAT rules I use to allow PCs in the dmz-network range to go through the tunnel:
ciscoasa1# sh run nat
nat (dmz,outside) source dynamic dmz-network remote_vpn interface destination static remote_vpn remote_vpn
To allow access when IPsec is down, I add the rule below manually.
But when I add this NAT rule (in section 3) after the NAT rule used for the VPN above (section 1),
all the traffic goes directly to the Internet and does not go through the IPsec tunnel when it is up again.
Section 3 PAT rule:
nat (dmz,outside) after-auto source dynamic dmz-network interface
I would like the PCs to go to the Internet directly when the tunnel is down and then use the tunnel again to reach the Internet once it is back up.
Thanks in advance
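As an added illustration (not part of the original question, and not Cisco code), the following Python model reproduces how the ASA orders its NAT lookups: section 1 manual NAT rules first, then section 2 auto NAT, then section 3 after-auto rules, with the first match within a section winning. It encodes the two rules exactly as posted. The addresses for dmz-network, remote_vpn and the outside interface are assumed placeholders, and port translation is ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed placeholder addresses (constructed for this example, not from the post):
DMZ_NETWORK = ipaddress.ip_network("10.10.10.0/24")    # object "dmz-network"
REMOTE_VPN = ipaddress.ip_network("203.0.113.10/32")   # object "remote_vpn" (remote IPsec peer)
OUTSIDE_IF = ipaddress.ip_address("198.51.100.2")      # "interface" keyword on (dmz,outside)
ANY = ipaddress.ip_network("0.0.0.0/0")                # rule without a destination clause


@dataclass(frozen=True)
class NatRule:
    """One ASA NAT rule, reduced to what the lookup needs (ports are ignored)."""
    section: int                       # 1 = manual NAT, 2 = auto NAT, 3 = manual NAT after-auto
    ingress: str
    egress: str
    real_src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Address   # dynamic PAT to this single address
    label: str


# Section 1 rule as posted:
#   nat (dmz,outside) source dynamic dmz-network remote_vpn destination static remote_vpn remote_vpn
VPN_RULE = NatRule(1, "dmz", "outside", DMZ_NETWORK, REMOTE_VPN,
                   REMOTE_VPN.network_address, "section 1: vpn")

# Section 3 rule as posted:
#   nat (dmz,outside) after-auto source dynamic dmz-network interface
PAT_RULE = NatRule(3, "dmz", "outside", DMZ_NETWORK, ANY, OUTSIDE_IF, "section 3: after-auto PAT")


def lookup(rules: List[NatRule], ingress: str, egress: str,
           src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> Optional[NatRule]:
    """ASA NAT table order: section 1, then 2, then 3; first match within a section wins."""
    for section in (1, 2, 3):
        for rule in rules:  # 'rules' keeps configuration order, as the ASA does within a section
            if rule.section != section:
                continue
            if (rule.ingress, rule.egress) == (ingress, egress) \
                    and src in rule.real_src and dst in rule.dst:
                return rule
    return None


def translate(rules: List[NatRule], ingress: str, egress: str,
              src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (source address as seen on the egress interface, label of the matching rule)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = lookup(rules, ingress, egress, src_ip, dst_ip)
    if rule is None:
        return str(src_ip), None        # no NAT rule matched: packet leaves with its real source
    return str(rule.mapped_src), rule.label


if __name__ == "__main__":
    tables = (([VPN_RULE], "section 1 only"), ([VPN_RULE, PAT_RULE], "section 1 + section 3"))
    for table, name in tables:
        for dst in ("203.0.113.10", "8.8.8.8"):
            print(f"{name}: 10.10.10.5 -> {dst} => {translate(table, 'dmz', 'outside', '10.10.10.5', dst)}")
```

The model shows that the section 1 rule only ever matches packets whose destination is remote_vpn itself; a packet from dmz-network to an arbitrary Internet address matches nothing and leaves untranslated until the after-auto rule is added, after which it leaves with the outside interface address. One caveat worth keeping in mind when reading the result: on the ASA, outbound traffic is NAT-translated before the crypto map ACL is matched, so the source address this model returns is the one the crypto ACL is compared against.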