Hi Francesco,

   Thank you for the rapid reply. What I would like is for all spokes to access the Internet through the firewall (via the hub). I do not want the hub router or spoke routers to ever access the internet directly, under any circumstances - except to setup their GRE /IPSEC tunnels between the locations (I don't know if it matters, but this is a Phase two deployment, with no plans to make it a phase three).

   Okay so NBMA interface being on a different vrf than the tunnel is cool? Basically I could say ip route 0.0.0.0 out the physical interface, but then have the tunnel in vrf "x" which I would then say ip route vrf "x" 0.0.0.0 to firewall? So that plus the local interfaces behind the routers would just be part of vrf "x"?

Your wan interface had public ip (it'll be used to build up all vpn tunnels + for internet access). This interface will stay in the global routing like the actual interface between your hub and firewall. 

The tunnel interface will be in a vrf and the new interconnection subnet between hub and firewall will be part of this vrf (this new interconnection could be a new physical or logical interface). 

In terms of routing, in the global routing, your default route will go to your isp. In the vrf, the default route will point to your firewall. 

When a spoke tries to reach internet, it will arrive to the hub through the tunnel interface in a vrf, the routing table of that vrf will forward the packet to your firewall through the new interconnection subnet and then the firewall will forward back the packet to the hub through the global routing. 

Yes on the vrf it'll be 

Ip route vrf dmvpn 0.0.0.0 0.0.0.0 fw_new_subnet_vrf

Thanks 

PS : Please don't forget to rate and mark as correct answer if this answered your question 

Okay, so in the hub router In have a default vrf point to an IP Address (the firewall) that is found by going through an interface not in the vrf table?

IE interface g0, subnet "a", connected to firewall is part of default vrf, but I can tell vrf "x" to route all traffic towards an IP found off of g0's interface?

You can keep only 1 interface on the firewall and do some route leaking, like you said on your vrf table it will be route to a physical interface but in that case the traffic will enter and exit the sane interface. You can have some issues with your firewall. 

Let's say today you've g0/0 on your hub facing the firewall g0/0.

You can keep as is this interface on the global routing and add g0/1 on hub to g0/1 on the firewall and this subnet will be in the dmvpn vrf. 

Or you can have only g0/0 on both side and create subinterfaces like :

G0/0.1 on both sides for global routing (all replace the actual g0/0) and g0/0.2 for vrf. 

Is it more clear? 

I'm sorry I'm on my cell phone right now and can't do a quick sketch to show you. 

Thanks 

Hey Francesco,

I may have missed the mark between firewall and hub router. After rereading what you wrote previously I think I've got it. The Hub has its connection to the firewall plus the tunnel interface in the same vrf. The physical NBMA /ISP interface is globally routed. On the spoke side the tunnel and local subnets are in the same vrf, with the NBMA / ISP physical interface part of the global table.

The firewall would then only require a summary route that covers the addressing for all subnets and connections in the various spoke vrf interfaces, eg ip route 10.50.0.0 /16 to the Hub interface (the vrf and tunnel interfaces will run an IGRP for specific forwarding).

Please let me know if this sounds basically right to you. If I could trouble you with one more question: on the NBMA / ISP interfaces is it enough to only permit GRE via ACL, or would I also need to cover 50-51 and UDP 500?

Hey Francesco,

     I'm sorry for the long delay in my response. I had trouble freeing up some resources for a full test with your recommendations. The VRF interfaces, tunnel sourcing, and global default route solution works perfectly. Thanks so much!

Hey 

You're very welcome