I have a 2900 that's terminating to the main site, which has an ASA. The VPN tunnels work fine, but there's a change that we need to make. I was requested to configure NAT on the branch router. The branch does some things over the web that are business-related, and if the VPN tunnel goes down, they wouldn't have Internet access since I was sending everything over the tunnel.
So, of course, after configuring NAT I'm now effectively split tunneling, which isn't what I was wanting to do. Has anyone had any experience, if it's even possible, with still sending everything over the tunnel even though NAT is configured on the router? I can only deny the networks over the tunnel from being NATed, but I can't do a "deny all" from being NATed because that would defeat the purpose.
One solution that I've thought of is to write an EEM script to remove a "deny all" line in NAT, so when the VPN tunnel were to go down, the line would be removed and then everything could be NATed. Any ideas?
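One way to implement the tracked "deny all" idea from the post above, as an added example that is not the poster's configuration: it assumes an IOS image with IP SLA, object tracking and EEM applets, and uses constructed addresses (branch LAN 10.10.0.0/24, hub networks 10.0.0.0/8, probe host 10.0.0.1 behind the ASA, LAN Gi0/0, WAN Gi0/1).

```cisco
! Probe a hub host through the tunnel; the track object follows reachability.
! The delay keeps a brief tunnel flap from toggling NAT back and forth.
ip sla 10
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 30
!
! Normal state: the NAT ACL denies everything, so nothing is translated and
! all branch traffic follows the crypto map into the tunnel (no split tunnel).
ip access-list extended NAT-ACL
 deny ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip any any
ip nat inside source list NAT-ACL interface GigabitEthernet0/1 overload
!
! Tunnel down: swap the final deny for a permit so Internet-bound traffic is
! translated out the WAN interface; hub-bound traffic stays untranslated.
event manager applet VPN-DOWN-ENABLE-NAT
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended NAT-ACL"
 action 4.0 cli command "no deny ip any any"
 action 5.0 cli command "permit ip any any"
 action 6.0 cli command "end"
 action 7.0 syslog msg "VPN probe down: NAT enabled for Internet traffic"
!
! Tunnel up: restore the deny and flush translations so existing flows return
! to the tunnel instead of riding stale NAT entries out the WAN.
event manager applet VPN-UP-DISABLE-NAT
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip access-list extended NAT-ACL"
 action 4.0 cli command "no permit ip any any"
 action 5.0 cli command "deny ip any any"
 action 6.0 cli command "end"
 action 7.0 cli command "clear ip nat translation *"
 action 8.0 syslog msg "VPN probe up: NAT disabled, all traffic via tunnel"
```

The probe host must fall inside the crypto ACL's interesting traffic so the SLA actually exercises the tunnel; if 10.0.0.1 were reachable by some other path, the track would stay up while the tunnel is down and NAT would never be enabled.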