how to dmvpn and deployment navigation over internet from the firewall

Hi to all, and thanks for the support,

I configured DMVPN with a hub and one spoke, but I attached a router with OSPF to the hub, and I have a firewall connected to the same router.

The hub and spoke have been configured with EIGRP.

The DMVPN works fine, but I need to know:

How do I browse the internet from the spoke through the hub and then go through the firewall?

I have the route 0.0.0.0 0.0.0.0 to the gateway on the hub in order to create the DMVPN with a spoke that does not have a fixed IP address.

The spoke knows the network and the default route. When the PC tries to contact a website on the internet, for example google.com, the packet, when it arrives at the hub, is not forwarded to the firewall but goes directly to the hub, because the routing table has a default route.
I think that I must use DMVPN with VRF-lite.
I attached a slide to describe the situation.
Thanks a lot for the help.

 

 

 

Accepted Solutions

pigallo
Cisco Employee

Hi Roberto,

In this case, since you have a default route pointing to the internet, any prefix that can't be resolved to a longest match will be delivered through a default route; that's why your traffic cannot proceed towards the firewall.
Long story short, just configure a new VRF and assign the hub tunnel to this VRF.
Then configure the segment to the firewall within the same VRF configured on the tunnel.

If other LAN segments on the hub router will use the uplink to the firewall, make sure you also include these segments in that VRF, or configure two distinct subifs to make sure you can split the two different traffic services (Global/VRF based).
After this step, configure a new default route within that VRF towards the FW and you should see traffic flowing correctly on the desired path.
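
The steps from the accepted answer, sketched as an IOS configuration for the hub router. This is an added example, not configuration posted in the thread; the VRF name INSIDE, the interface names, the EIGRP AS number and every address are assumptions.

```cisco
! Constructed example: VRF name, interfaces, AS number and addresses are assumptions.
vrf definition INSIDE
 address-family ipv4
 exit-address-family
!
! Global table: the existing default route toward the ISP stays as it is, so the
! tunnel transport (tunnel source in the global table) still reaches spokes
! that have no fixed address.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
interface Tunnel0
 ! Moving an interface into a VRF removes its IP address; re-enter it afterwards.
 vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.0
 ! The existing NHRP, tunnel source and tunnel mode lines are left unchanged.
!
interface GigabitEthernet0/1
 description Segment toward the firewall
 vrf forwarding INSIDE
 ip address 192.168.10.1 255.255.255.0
!
! VRF table: decrypted spoke traffic with no longer match follows this default
! route to the next hop on the firewall segment instead of the global default.
ip route vrf INSIDE 0.0.0.0 0.0.0.0 192.168.10.254
!
! The routing protocol running over the tunnel has to move into the VRF as well.
router eigrp 100
 address-family ipv4 vrf INSIDE autonomous-system 100
  network 10.0.0.0 0.0.0.255
 exit-address-family
!
! Checks after the change (exec mode):
!  show ip route vrf INSIDE 0.0.0.0
!  show ip cef vrf INSIDE 198.51.100.10
```

The two `show` commands confirm that the VRF default route is installed and that a sample internet destination resolves to the firewall-side next hop rather than the ISP gateway.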
