I currently have a 3825 Router that has approx. 160 GRE/IPSEC tunnels connected and am trying to set up DMVPN to simplify the config and allow me to get rid of the static address at all my remote locations but I've run into a routing problem.
Physically my VPN Router connects to a Catalyst 4506. My edge router (to internet) is another 3800 series that also connects to the switch. On my VPN Router I have an IP I use to route traffic internally and another IP to route traffic externally through the edge router. My default route points to the internal address. I then have a static route for each remote location I'm currently tunneling to. The reason it's set up this way is because we use ISA to control the traffic on our network, both at HQ and our remote locations (at the remote locations the default route sends all traffic through the tunnel).
So, the problem I have is this: DMVPN uses NHRP to learn the dynamically assigned addresses of the remote locations. This IP is sent to my VPN Router's public IP, but when the router tries to reply, the default route dumps the reply onto my internal network and the tunnel doesn't come up. Using 'SHOW IP NHRP' looks good on the remote router but has no information on the VPN Router when this occurs. Knowing what the remote IP is and setting up a static route to send that IP out the external interface resolves the issue, but this isn't possible without static addresses on the remote end.
My initial thought was to set my default route on my VPN Router to the external address and set static routes for my internal traffic. This fixes the NHRP issue and the tunnels come up, but it breaks ISA. Any traffic bound for external addresses (web, etc.) coming across tunnels from remote locations now gets sent out the external interface to the internet by the default route rather than internally, so I lose my ability to control it with ISA.
Any ideas how to fix this issue without breaking ISA? Is there any way to dynamically create a route for the address provided by NHRP pointing it out the external interface so that my default route can continue to point internally? Or is there a way to route all traffic crossing the tunnels onto the internal network regardless of what type of traffic it is or where it's destined (internal or web)?
Thanks in advance for any help you can provide!