I am running DMVPN using GRE over IPSec using multiple routers. I have two groups of users behind one of the spoke locations, guest and corporate users. I want the guest users to split tunnel out but the corporate users I want to route ALL traffic back to the home office. That way I can filter corporate internet traffic through Websense. Attached is a spoke config. I have tried using route-maps but not been successful. Any help would be fantastic.
Do you want default route coming in from DMVPN HUB or statically routed to the outside?
(you could have both by the way - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03.html )
to answer your question, you need to use policy based routing (PBR) to route based on source IP
Your default currently points to the Internet. Configure "ip policy route-map PBR" on private LAN interface, and then configure the route-map matching ACL with private source subnet with any destination and "set ip next-hop" to the remote DMVPN tunnel IP.
ip access-list extended PBR
permit ip 10.42.59.0 0.0.0.255 any
route-map PBR permit 10
match ip address PBR
set ip next-hop 172.16.16.1
no ip nat inside
ip policy route-map PBR
Otherwise, if default route is coming from DMVPN tunnel, configure "ip policy route-map PBR" on public LAN interface, and then configure the route-map matching the public source subnet with any destination and "set ip next-hop" to the Internet ISP's address. Your NAT configuration already looks good.
If you use default coming from DMVPN tunnel, don't forget to configure a route for DMVPN HUB's public IP address to route to ISP.