
DMVPN Routing Issue

billwclark
Level 1

I currently have a 3825 Router that has approx. 160 GRE/IPSEC tunnels connected and am trying to set up DMVPN to simplify the config and allow me to get rid of the static address at all my remote locations but I've run into a routing problem.

Physically my VPN Router connects to a Catalyst 4506. My edge router (to internet) is another 3800 series that also connects to the switch. On my VPN Router I have an IP I use to route traffic internally and another IP to route traffic externally through the edge router. My default route points to the internal address. I then have a static route for each remote location I'm currently tunneling to. The reason it's set up this way is because we use ISA to control the traffic on our network, both at HQ and our remote locations (at the remote locations the default route sends all traffic through the tunnel).

So, the problem I have is this: DMVPN uses NHRP to learn the dynamically assigned addresses of the remote locations. This IP is sent to my VPN Router's public IP but when the router tries to reply, the default route dumps the reply onto my internal network and the tunnel doesn't come up. Using 'SHOW IP NHRP' looks good on the remote router but has no information on the VPN Router when this occurs. Knowing what the remote IP is and setting up a static route to send that IP out the external interface resolves the issue but this isn't possible without static addresses on the remote end.

My initial thought was to set my default route on my VPN Router to the external address and set static routes for my internal traffic. This fixes the NHRP issue and the tunnels come up, but it breaks ISA. Any traffic bound for external addresses (WEB, etc.) coming across tunnels from remote locations now gets sent out the external interface to the internet by the default route rather than internally so I lose my ability to control it with ISA.

Any ideas how to fix this issue without breaking ISA? Is there any way to dynamically create a route for the address provided by NHRP pointing it out the external interface so that my default route can continue to point internally? Or is there a way to route all traffic crossing the tunnels onto the internal network regardless of what type of traffic it is or where it's destined (internal or web)?

Thanks in advance for any help you can provide!

4 Replies

lamav
Level 8

Hi, Bill:

I have to say, I don't think there is any way around having your VPN default to the Internet? Creating static routes for each tunnel is really not a good solution when it comes to scalability and management. Every time you install a new spoke, you're going to have to create a static on the VPN router? nah....

There is also no way to have the router create routes dynamically from thin air.

Can you elaborate more on this ISA appliance? Isn't it a Microsoft product that acts as a web cache/proxy and Internet firewall? What are you using it for?

Victor

Laurent Aubert
Cisco Employee

Hi,

Using a proxy as suggested is a good solution but you have to reconfigure all your remote hosts.

You could also try Policy Based Routing on the DMVPN hub and setting the ISA as the next-hop. You apply the route-map on the mGRE interface. Be aware it will impact the performance of the router.

HTH

Laurent.

Thanks for the replies, policy based routing sounds like what I need. If I understand it correctly the following should do what I want…

    ! default route toward the external side (next-hop value not shown in the post)
    ip route 0.0.0.0 0.0.0.0
    !
    ! match everything sourced from the remote-site ranges
    access-list 111 remark map tunnel traffic to internal
    access-list 111 permit ip 192.168.0.0 0.0.255.255 any
    !
    ! policy-route matched traffic to the ISA (next-hop address not shown in the post)
    route-map IntNet permit 10
     match ip address 111
     set ip next-hop
    !
    ! PBR is evaluated on packets arriving on Tunnel0, i.e. decapsulated spoke traffic
    interface Tunnel0
     ip policy route-map IntNet

So the above changes should default all traffic out the external interface so my mGRE tunnels will now come up properly. My remote networks are all 192.168.x.x so the route-map should send all traffic sourced on those networks to my internal network. Right? I'm not too worried about performance, I'm using a 3825 and have less than 200 tunnels on it and traffic from my remote sites is generally fairly small.

Thanks again for all your help!

Yes, your configuration should work but you should test it first in your lab to be sure there is no unexpected side effect.

Thanks

Laurent.
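The hub-side PBR arrangement Laurent describes, together with the dynamic-address spoke it serves, written out end to end as an added example. This is not configuration from the thread or from Cisco; every address (RFC 5737 documentation and private ranges), interface name, key and ACL name is an assumption, and two items go beyond what the thread covers: a deny clause that keeps spoke-to-spoke traffic on the routing table instead of pushing it to the ISA, and `ip nhrp registration no-unique` on the spoke so a re-registration from a new public address replaces the hub's stale NHRP entry.

```cisco
! ---- Hub (the VPN router) ----
! Assumed addressing: Gi0/0 = external side toward the edge router (203.0.113.1/24,
! edge router 203.0.113.254); Gi0/1 = internal side (10.1.1.1/24, ISA at 10.1.1.10,
! internal next-hop 10.1.1.254); mGRE tunnel network 172.16.0.0/24.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Wildcard pre-shared key so spokes with changing addresses can negotiate.
! Any host that knows this key can register as a spoke; certificate
! authentication (rsa-sig) is the stronger option where a PKI exists.
crypto isakmp key DMVPN-PSK-CHANGEME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Assumed remote-site LANs all fall in 192.168.0.0/16, as in the thread.
! Site-to-site traffic is excluded from PBR so it hairpins back through the tunnel.
ip access-list extended SPOKE-TO-SPOKE
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended SPOKE-TO-ANY
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map IntNet deny 5
 match ip address SPOKE-TO-SPOKE
route-map IntNet permit 10
 match ip address SPOKE-TO-ANY
 set ip next-hop 10.1.1.10
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! PBR is evaluated on packets arriving on Tunnel0, i.e. decapsulated spoke traffic
 ip policy route-map IntNet
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Default route out the external side so NHRP/IPsec replies reach the spokes'
! dynamic addresses; HQ internal prefixes (assumed 10.1.0.0/16) get explicit statics.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 10.1.0.0 255.255.0.0 10.1.1.254
!
! ---- Spoke (DHCP-assigned public address on Fa0/0, LAN 192.168.20.0/24) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key DMVPN-PSK-CHANGEME address 203.0.113.1
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 ip address dhcp
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1
 ! Let a registration from a new public address overwrite the hub's old mapping
 ip nhrp registration no-unique
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Host route to the hub via the DHCP-learned gateway so the tunnel endpoint is
! never resolved through the tunnel itself; everything else leaves via the tunnel,
! as in the thread.
ip route 203.0.113.1 255.255.255.255 FastEthernet0/0 dhcp
ip route 0.0.0.0 0.0.0.0 172.16.0.1
```

The deny clause assumes the HQ internal subnets are not themselves inside 192.168.0.0/16; if they are and must also pass through the ISA, list the spoke subnets individually in SPOKE-TO-SPOKE rather than using the /16 as destination. After a spoke comes up, `show ip nhrp` on the hub should list the spoke's current public address, and `show route-map IntNet` shows per-clause match counters, which makes it easy to confirm Internet-bound spoke traffic is hitting sequence 10 and site-to-site traffic sequence 5.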
