04-03-2009 02:44 PM - edited 03-04-2019 04:14 AM
I currently have a 3825 Router that has approx. 160 GRE/IPSEC tunnels connected and am trying to set up DMVPN to simplify the config and allow me to get rid of the static address at all my remote locations but I've run into a routing problem.
Physically my VPN Router connects to a Catalyst 4506. My edge router (to internet) is another 3800 series that also connects to the switch. On my VPN Router I have an IP I use to route traffic internally and another IP to route traffic externally through the edge router. My default route points to the internal address. I then have a static route for each remote location I'm currently tunneling to. The reason it's set up this way is because we use ISA to control the traffic on our network, both at HQ and our remote locations (at the remote locations the default route sends all traffic through the tunnel).
So, the problem I have is this: DMVPN uses NHRP to learn the dynamically assigned addresses of the remote locations. This IP is sent to my VPN Router's public IP but when the router tries to reply, the default route dumps the reply onto my internal network and the tunnel doesn't come up. Using 'SHOW IP NHRP' looks good on the remote router but has no information on the VPN Router when this occurs. Knowing what the remote IP is and setting up a static route to send that IP out the external interface resolves the issue but this isn't possible without static addresses on the remote end.
My initial thought was to set my default route on my VPN Router to the external address and set static routes for my internal traffic. This fixes the NHRP issue and the tunnels come up, but it breaks ISA. Any traffic bound for external addresses (WEB, etc.) coming across tunnels from remote locations now gets sent out the external interface to the internet by the default route rather than internally so I lose my ability to control it with ISA.
Any ideas how to fix this issue without breaking ISA? Is there any way to dynamically create a route for the address provided by NHRP pointing it out the external interface so that my default route can continue to point internally? Or is there a way to route all traffic crossing the tunnels onto the internal network regardless of what type of traffic it is or where it's destined (internal or web)?
Thanks in advance for any help you can provide!
04-03-2009 03:39 PM
Hi, Bill:
I have to say, I don't think there is any way around having your VPN default to the Internet? Creating static routes for each tunnel is really not a good solution when it comes to scalability and management. Every time you install a new spoke, you're going to have to create a static on the VPN router? nah....
There is also no way to have the router create routes dynamically from thin air.
Can you elaborate more on this ISA appliance? Isn't it a Microsoft product that acts as a web cache/proxy and Internet firewall? What are you using it for?
Victor
04-03-2009 06:41 PM
Hi,
Using a proxy as suggested is a good solution but you have to reconfigure all your remote hosts..
You could also try Policy Based Routing on the DMVPN hub and setting the ISA as the next-hop. You apply the route-map on the mGRE interface. Be aware it will impact the performance of the router.
HTH
Laurent.
04-07-2009 07:28 AM
Thanks for the replies, policy based routing sounds like what I need. If I understand it correctly the following should do what I want…
ip route 0.0.0.0 0.0.0.0
access-list 111 remark map tunnel traffic to internal
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
route-map IntNet permit 10
match ip address 111
set ip next-hop
interface Tunnel0
ip policy route-map IntNet
So the above changes should default all traffic out the external interface so my mGRE tunnels will now come up properly. My remote networks are all 192.168.x.x so the route-map should send all traffic sourced on those networks to my internal network. Right? I'm not too worried about performance, I'm using a 3825 and have less than 200 tunnels on it and traffic from my remote sites is generally fairly small.
Thanks again for all your help!
04-07-2009 11:23 AM
Yes your configuration should work but you should test it first in your lab to be sure there is no unexpected side effect.
Thanks
Laurent.
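A fuller version of the hub-side policy-based-routing setup discussed in this thread, written as an added example rather than the original poster's or Cisco's configuration. Every address, interface name, the HQ prefix and the ISA next hop below are assumptions chosen for illustration; the rest of the existing DMVPN tunnel configuration (NHRP, IPsec profile, tunnel source) is assumed to be already in place and is not shown. Beyond the route-map posted above it adds two things a practitioner would want: next-hop tracking so PBR notices when the ISA path is down, and an ACL entry that keeps spoke-to-spoke traffic transiting the hub on the normal routing table instead of pushing it at ISA.

```cisco
! Added example, not the poster's config. Assumed addressing:
!   203.0.113.1     edge router (external next hop), reached via GigabitEthernet0/0
!   10.0.0.2        internal next hop in front of ISA, reached via GigabitEthernet0/1
!   10.0.0.0/8      HQ LAN behind ISA
!   192.168.0.0/16  all remote-site LANs (as stated in the thread)
!
! Default route to the edge router: router-generated packets (NHRP registrations
! and replies, ISAKMP, ESP) follow the global table, so this is what lets the hub
! answer spokes whose public address was only learned through NHRP.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! HQ prefixes get explicit routes so hub-originated internal traffic stays internal.
ip route 10.0.0.0 255.0.0.0 10.0.0.2
!
! Probe the internal next hop so the route-map can tell when the ISA path is gone.
ip sla 1
 icmp-echo 10.0.0.2 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Transit traffic arriving over the tunnels from the 192.168.x.x sites.
! Spoke-to-spoke destinations are excluded so they are routed back out the
! tunnel by the routing table rather than being steered to ISA.
access-list 111 remark tunnel traffic to be steered onto the internal network
access-list 111 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 111 permit ip 192.168.0.0 0.0.255.255 any
!
! Only use the internal next hop while track 1 reports it reachable.
route-map IntNet permit 10
 match ip address 111
 set ip next-hop verify-availability 10.0.0.2 10 track 1
!
! PBR is applied to the mGRE interface, so it only affects packets that enter
! the hub through a tunnel; the hub's own NHRP/IPsec traffic is not policy-routed.
interface Tunnel0
 ip policy route-map IntNet
```

Two things to keep in mind when deploying this. First, the fallback is fail-open: when track 1 goes down the next hop is skipped and matched packets are routed normally, which on this hub means the default route to the Internet, bypassing ISA; if that is unacceptable, alert on the track state change or plan a separate blocking control on the edge router. Second, the `track 1 ip sla 1 reachability` form is the newer IOS syntax; older 12.4 images use `track 1 rtr 1 reachability` for the same object. To confirm the policy is taking effect, watch the hit counters in `show route-map IntNet`, check `show ip policy` and `show track 1`, and use `debug ip policy` (briefly, on a lightly loaded box) to see individual forwarding decisions.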