I am configuring a set of remote worker routers (871s & 1811Ws) that run DMVPN and I am running into an issue when it comes to separating the home and work sides of the router.

Basics:

Routes for internal networks are obtained from EIGRP through the DMVPN connection (Tu0).

The default route for all internet access is obtained from the Cable/DSL provider through DHCP.

The company router is plugged directly into the cable/dsl modem through Fa0.

The employee is allowed to plug a wireless router/home pc into Fa4.

The “Work”, “Home”, and “Outside” networks are separated by the zone-based firewall. The “Home” and “Work” networks are not allowed to communicate with each other.

Problem:

Because the routing table is shared, the systems on the Home side of the router try to access any public company addresses through the DMVPN tunnel, but are blocked by the FW. To try to solve this, I implemented VRF-lite to separate the routing tables.

This fixed the original issue, but now systems on the Work side of the router (in VRF “WORK”) cannot access anything on the internet because there is not a default route. All internet traffic needs to leave the router through the Fa0 interface and not be tunneled through DMVPN. The router will not allow me to set “ip route vrf WORK 0.0.0.0 0.0.0.0 Fa0” and gives me the error “For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface”.

Is there any way to get this default route into the VRF?