
two connections on a 1811 from same ISP one broadband one fiber

Marley Brown
Level 1

Hi, I need some help. We have a 1811 using a 100mb broadband connection. This is our main connection and we have 2 PTP VPNs (multipoint GREs) on this connection. Recently got a small 20mb fiber connection and we would like to move just our PTP VPN to this connection, so all traffic to the internet goes through the 100mb and all private traffic goes in the tunnel attached to the fiber. The issue I have right now is that the only way the fiber interface responds to a ping is if I change the default route to the fiber connection. When I move the tunnel source on the router to the new interface and point the other end point to the new IP, the tunnels will not come up while leaving the default route on the 100mb connection. Any advice would be appreciated on how to accomplish this task. Soon we will be changing this router to an ASA 5508 if that makes any difference.

 

Thanks,

Marley 

10 Replies

Richard Burts
Hall of Fame

Marley

A few things in your description are not clear to me. You describe the VPNs as PTP but then you tell us they are multipoint GRE. Please help me understand what type of VPN these are and how they are configured. In particular I am trying to understand whether you have a route to the remote peer address (typical of PTP VPN) or whether the remote peer has a route to you and initiates traffic to you (typical of NHRP and DMVPN).

It would also be helpful if you would provide some understanding of what static routes you have configured and what routing protocol (if any) you are running.

HTH

Rick


Sorry for the confusion. I have DMVPN tunnels, and here are my routes:

ip route 0.0.0.0 0.0.0.0 173.165.198.126
ip route 10.5.1.0 255.255.255.0 11.11.11.2
ip route 10.6.1.0 255.255.255.0 11.11.11.3
ip route 172.20.2.0 255.255.255.0 11.11.11.3
ip route 192.168.10.0 255.255.255.0 11.11.11.3
ip route 192.168.12.0 255.255.255.0 11.11.11.2

and here is the tunnel config:

interface Tunnel0
 description $FW_INSIDE$
 bandwidth 100000
 ip address 11.11.11.1 255.255.255.0
 ip access-group 107 in
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2

Hi Richard,

Please let me know if you need more information to help find a solution. I appreciate your help.

 

Thanks,

Marley 

Marley

I wonder if the issue is due to an asymmetric path where the packet from the remote arrives on the new fiber interface and the response is sent using the existing broadband interface. I wonder if it would help to configure Policy Based Routing and set it up so that DMVPN traffic has a next hop that is out the new fiber interface.

HTH

Rick 


I have tried policy based routing. I created the following:

interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map test

and
route-map test permit 10
 match ip address 120
 set ip next-hop x.x.x.x

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

and when I do a ping to 4.2.2.2 from the vlan100 interface I get no reply.

 

Also when I do a ping from the fiber interface to 4.2.2.2 I get no reply.

 

I am a little confused as to why the ping from the fiber interface to the outside world does not get a reply.

I have plugged in my laptop to the fiber connection and was able to surf the internet.

 

Thanks,

Marley

 

Marley

The config for PBR looks ok to me. It does occur to me to wonder, when you are attempting to ping using the new fiber interface, whether you have configured address translation for that traffic? When you are using DMVPN you would not need to translate that traffic. But a ping from 192.168.1.? to a public address especially would need translation.

Am I understanding correctly that from a command prompt on the router you tried a ping to 4.2.2.2 and it did not work? How did you make sure that the ping used the fiber interface as its outbound interface? Are you able to ping from the command prompt on the router to the next hop address for the fiber interface?

HTH

Rick


I don't have NAT on the fiber or vlan 100 interface. I am just trying to ping 4.2.2.2 as the outside world. I am using the ping command with extended commands and using the fiber interface as the source address; I am assuming that would force it through the fiber connection. I get no reply from 4.2.2.2. I can ping the next hop of the fiber.

I have also used ping with extended commands and set vlan100 as the source with PBR, and no reply from 4.2.2.2.

I will try setting up NAT.

 

Thanks,

Marley 

Marley

I would suggest a test about the ping. Configure a static route for the specific host 4.2.2.2 with the fiber interface next hop and then try your ping again. It would also be interesting to try an extended traceroute to 4.2.2.2 specifying the fiber address as the source and see if it tells us how the traffic exits the router.

Can you tell me how you set up PBR when you tried to use PBR on your ping traffic? Having PBR configured on interface vlan 100 and using vlan 100 as the source will not get PBR to control that traffic. To control traffic that is generated from the router itself you need local PBR and not the interface based PBR.

If you do set up NAT for the fiber interface you will want to exempt the DMVPN traffic from translation but translate traffic that is not DMVPN.

HTH

Rick
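The pieces Rick suggests above (a host route for the test destination via the fiber next hop, local PBR for traffic the router itself generates, and a NAT exemption for the DMVPN traffic), together with the earlier suggestion to policy-route DMVPN traffic out the fiber, pulled into one IOS configuration. This is an added example, not configuration from the thread. It assumes the fiber uplink is FastEthernet0 (the thread's tunnel source is FastEthernet1, so that is taken to be the broadband side), a fiber address of 198.51.100.2/30 with ISP next hop 198.51.100.1, and spoke public addresses 203.0.113.10 and 203.0.113.20; all of these are constructed placeholders from the RFC 5737 documentation ranges. The default route, Tunnel0 and the remote private subnets are taken from the routes and tunnel config posted in the thread. The reason local PBR is included: on IOS an extended ping sourced from the fiber address only changes the packet's source IP, the exit interface still comes from the routing table, so without a matching route or local policy the probe leaves through broadband carrying the fiber source address and the reply, if any, never matches up.

```cisco
! Added example configuration (not from the thread). Placeholders, assumed:
!   FastEthernet0      = fiber uplink (FastEthernet1 is the broadband side)
!   198.51.100.2/30    = fiber interface address
!   198.51.100.1       = fiber ISP next hop
!   203.0.113.10 / .20 = public addresses of the two DMVPN spokes
! Addresses taken from the thread are kept exactly as posted.
!
! --- 1. Routing: broadband keeps the default, fiber carries only DMVPN -----
ip route 0.0.0.0 0.0.0.0 173.165.198.126
! Host routes for the spokes' public addresses so the GRE/IPsec packets to
! them (including replies to their ISAKMP/NHRP registrations) exit via fiber.
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 203.0.113.20 255.255.255.255 198.51.100.1
! The ping test from the thread: a host route for 4.2.2.2 via fiber.
! Remove it once the path has been confirmed.
ip route 4.2.2.2 255.255.255.255 198.51.100.1
!
! --- 2. Local PBR for router-originated traffic ----------------------------
! Interface PBR on Vlan100 never sees packets the router itself generates
! (extended pings, the tunnel's own encapsulated packets). Local policy does.
! Matching on the fiber *source* address keeps LAN traffic bound for the
! remote private subnets on its normal path into Tunnel0.
ip access-list extended FIBER_SOURCED
 permit ip host 198.51.100.2 any
!
route-map LOCAL_FIBER permit 10
 match ip address FIBER_SOURCED
 set ip next-hop 198.51.100.1
!
ip local policy route-map LOCAL_FIBER
!
! --- 3. Fiber interface and the mGRE tunnel source ------------------------
interface FastEthernet0
 description FIBER_WAN (assumed interface)
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 tunnel source FastEthernet0
!
! --- 4. NAT on the fiber side, only if it is ever wanted -------------------
! Deny lines exempt LAN traffic bound for the remote DMVPN subnets (the
! static routes posted in the thread) so it is tunneled untranslated;
! everything else from the LAN is translated to the fiber address.
ip access-list extended NAT_FIBER
 deny   ip 192.168.1.0 0.0.0.255 10.5.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.6.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 172.20.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_FIBER interface FastEthernet0 overload
!
interface Vlan100
 ip nat inside
!
interface FastEthernet0
 ip nat outside
!
! --- Checks (exec mode) ----------------------------------------------------
! show ip route 4.2.2.2                 -> next hop 198.51.100.1
! show ip local policy                  -> LOCAL_FIBER applied
! traceroute ip 4.2.2.2 source 198.51.100.2
! show ip nhrp / show crypto isakmp sa  -> spokes registered over fiber
```

Two design notes. The thread's interface PBR used an ACL of `permit ip 192.168.1.0 0.0.0.255 any` with a fiber next hop; applied on Vlan100 that would also steer LAN traffic destined for the remote private subnets toward the fiber ISP instead of into Tunnel0, which is why this example keys the policy on the fiber source address and applies it as local policy. The host routes in step 1 are the simpler half of the same idea: with them in place, the router picks the fiber next hop for the spokes by ordinary routing, and the local policy is only still needed for tests sourced from the fiber address toward destinations that have no such route.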

 Hi Rick,

I wanted to come back to this to let you know I ended up keeping the router and the ASA. I am using the router to keep DMVPN on the fiber connection, since DMVPN is not supported on the ASA, and using the ASA for the internet connection.

Thank you for trying to help me.

Marley

Marley

Thank you for the update. I am glad that you have got it working. Using the router for DMVPN and the ASA for Internet sounds like a reasonable solution.

HTH

Rick
