
ACI Firewall Configuration Example - Routed Firewall without using separate service bridge domains

  • Originally Written: October, 2022

Info

This post uses the Nexus as Code (NaC) project, which makes it very easy to configure ACI fabrics through a YAML file. More details and examples can be found at https://developer.cisco.com/docs/nexus-as-code/#!aci-introduction

Example scenario

  • ACI PBR from a client EPG through an ASAv to a server EPG
  • ASAv is configured in routed mode
  • The ASAv interfaces (to-client/to-server) are in the same BDs as the client and server VMs

Configuration

Note

The ACI configuration below assumes that the vCenter integration (VMM, VLAN pool, and AAEP) has already been set up.

Nexus as Code

Configuration
---
apic:
  tenants:
    - name: conmurph-asa-demo

      vrfs:
        - name: production

      bridge_domains:
        - name: 192.168.10.0
          vrf: production
          subnets:
          - ip: 192.168.10.254/24
        - name: 192.168.20.0
          vrf: production
          subnets:
          - ip: 192.168.20.254/24
      application_profiles:
        - name: asa-demo
          endpoint_groups:
            - name: client
              bridge_domain: 192.168.10.0
              contracts:
                consumers:
                  - dev-web-db
              vmware_vmm_domains:
                - name: DM_VMM
                  delimiter: '|'
                  deployment_immediacy: immediate
                  resolution_immediacy: immediate
            - name: server
              bridge_domain: 192.168.20.0
              contracts:
                providers:
                  - dev-web-db
              vmware_vmm_domains:
                - name: DM_VMM
                  delimiter: '|'
                  deployment_immediacy: immediate
                  resolution_immediacy: immediate

      filters:
        - name: icmp
          entries:
            - name: icmp
              ethertype: ip
              protocol: icmp
        - name: web
          entries:
            - name: http
              ethertype: ip
              protocol: tcp
              destination_from_port: http
              destination_to_port: http

      contracts:
        - name: dev-web-db
          subjects:
            - name: icmp
              filters:
                - filter: icmp
              service_graph: conmurph-asa-routed
            - name: web
              filters:
                - filter: web

      services:
        l4l7_devices:
          - name: asav
            context_aware: single-Context
            type: VIRTUAL
            vmware_vmm_domain: DM_VMM
            function: GoTo
            managed: false
            service_type: FW
            concrete_devices:
              - name: asav
                vcenter_name: vCenter_Innovation_Lab
                vm_name: conmurph-asav-1-routed-1
                interfaces:
                  - name: client
                    vnic_name: Network adapter 2
                  - name: server
                    vnic_name: Network adapter 3
            logical_interfaces:
              - name: client
                concrete_interfaces:
                  - device: asav
                    interface_name: client
              - name: server
                concrete_interfaces:
                  - device: asav
                    interface_name: server
        redirect_policies:
          - name: client
            l3_destinations:
              - ip: 192.168.10.100
                mac: 00:50:56:93:42:5A
          - name: server
            l3_destinations:
              - ip: 192.168.20.100
                mac: 00:50:56:93:A2:51
        service_graph_templates:
          - name: conmurph-asa-routed
            template_type: FW_ROUTED
            redirect: true
            device:
              tenant: conmurph-asa-demo
              name: asav
        device_selection_policies:
          - contract: dev-web-db
            service_graph_template: conmurph-asa-routed
            consumer:
              l3_destination: true
              redirect_policy:
                name: client
              logical_interface: client
              bridge_domain:
                name: 192.168.10.0
            provider:
              l3_destination: true
              redirect_policy:
                name: server
              logical_interface: server
              bridge_domain:
                name: 192.168.20.0
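Because this design puts the firewall legs in the client and server bridge domains instead of dedicated service BDs, the redirect IP of each leg must fall inside the matching BD subnet and must not reuse the BD gateway, or the leaf has no next hop to redirect to. The script below is an added example (not part of this post or of the Nexus as Code project) that checks those conditions plus MAC format before the tenant is pushed; the sample dict is constructed from the YAML above, and the loading hint in the comment assumes PyYAML.

```python
import ipaddress
import re

# Constructed sample mirroring the Nexus as Code tenant above, trimmed to the keys the
# checks need. For a real file: tenant = yaml.safe_load(f)["apic"]["tenants"][0]
TENANT = {
    "name": "conmurph-asa-demo",
    "bridge_domains": [
        {"name": "192.168.10.0", "subnets": [{"ip": "192.168.10.254/24"}]},
        {"name": "192.168.20.0", "subnets": [{"ip": "192.168.20.254/24"}]},
    ],
    "services": {
        "redirect_policies": [
            {"name": "client", "l3_destinations": [{"ip": "192.168.10.100", "mac": "00:50:56:93:42:5A"}]},
            {"name": "server", "l3_destinations": [{"ip": "192.168.20.100", "mac": "00:50:56:93:A2:51"}]},
        ],
        "device_selection_policies": [{
            "contract": "dev-web-db",
            "consumer": {"redirect_policy": {"name": "client"}, "bridge_domain": {"name": "192.168.10.0"}},
            "provider": {"redirect_policy": {"name": "server"}, "bridge_domain": {"name": "192.168.20.0"}},
        }],
    },
}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_pbr(tenant):
    """Return a list of problems; an empty list means the PBR wiring is consistent."""
    problems = []
    bd_ifaces = {bd["name"]: [ipaddress.ip_interface(s["ip"]) for s in bd.get("subnets", [])]
                 for bd in tenant["bridge_domains"]}
    redirect = {p["name"]: p["l3_destinations"] for p in tenant["services"]["redirect_policies"]}
    for dsp in tenant["services"]["device_selection_policies"]:
        for side in ("consumer", "provider"):
            bd, pol = dsp[side]["bridge_domain"]["name"], dsp[side]["redirect_policy"]["name"]
            where = f"{dsp['contract']}/{side}"
            if bd not in bd_ifaces or pol not in redirect:
                problems.append(f"{where}: unknown bridge domain {bd!r} or redirect policy {pol!r}")
                continue
            for dest in redirect[pol]:
                ip = ipaddress.ip_address(dest["ip"])
                # Without a separate service BD the firewall leg must sit in the client/server BD subnet and not reuse its gateway.
                if not any(ip in i.network for i in bd_ifaces[bd]):
                    problems.append(f"{where}: redirect IP {ip} is not in bridge domain {bd}")
                if any(ip == i.ip for i in bd_ifaces[bd]):
                    problems.append(f"{where}: redirect IP {ip} collides with the BD gateway")
                if not MAC_RE.match(dest.get("mac", "")):
                    problems.append(f"{where}: malformed MAC {dest.get('mac')!r}")
    return problems
```

Run `check_pbr(TENANT)` against the loaded tenant; an empty list means the redirect policies line up with the BDs named in the device selection policy.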

Client and Server VM Deployment

2 x Ubuntu 20.04 VMs, each configured with its respective IP address and the gateway of its bridge domain.

  • VM Name: conmurph-asa-client-1
    • IP: 192.168.10.1/24
    • GW: 192.168.10.254/24
  • VM Name: conmurph-asa-server
    • IP: 192.168.20.1/24
    • GW: 192.168.20.254/24

Attach each VM to the port group created in the previous section.

  • VM Name: conmurph-asa-demo-client-1
    • Portgroup: conmurph-asa-demo|asa-demo|client
  • VM Name: conmurph-asa-demo-server
    • Portgroup: conmurph-asa-demo|asa-demo|server

From each VM, verify that you can ping the default gateway.

  • VM Name: conmurph-asa-demo-client-1
    • GW: 192.168.10.254
  • VM Name: conmurph-asa-demo-server
    • GW: 192.168.20.254

ASAv Deployment

As per the note at the top, this example assumes you have already configured a VMM, VLAN pool, and AAEP to connect to your VMware environment. The same VMM, VLAN pool, and AAEP configuration is used to connect the ASAv.

I followed the same steps shown in this video to deploy the ASAv:

https://www.youtube.com/watch?v=JUUk4h22pHA

Edit the VM settings for the ASAv

  • Configure the Management0 interface to allow SSH connectivity
    • In our lab I have DHCP configured to assign an IP to the mgmt0 interface
  • Select standalone mode
  • Select routed mode

Note

The Gigabit0-0 and Gigabit0-1 interfaces will be used to connect to the client and server VMs. However, these are configured automatically by ACI, so they do not need to be connected when the ASAv is deployed.

Configure the ASAv

Note

This is an example configuration that allows traffic to pass; it is not production ready. For example, the security level of the inside and outside interfaces is the same, and the access lists permit all traffic.

Configuration
conmurph-asav-routed-1# show run
: Serial Number: 9APVW8HMGKK
: Hardware:   ASAv, 2048 MB RAM, CPU Xeon E5 series 2600 MHz
:
ASA Version 9.16(3)19
!
hostname conmurph-asav-routed-1

!
interface GigabitEthernet0/0
nameif outside
security-level 100
ip address 192.168.10.100 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.20.100 255.255.255.0
!
interface Management0/0
no management-only
nameif management
security-level 0
ip address dhcp
!
same-security-traffic permit inter-interface
!
access-list inside_access_out extended permit ip any4 any4
access-group inside_access_out in interface inside
!
access-list outside_access_in extended permit ip any4 any4
access-group outside_access_in in interface outside
!
route management 0.0.0.0 0.0.0.0 10.1.100.254 1
!
: end

Verify

  • Verify that a Deployed Service Graph Instance is showing
  • Verify in the contract section of the client EPG that the dev-web-db contract is showing as consumed
  • Verify in the contract section of the server EPG that the dev-web-db contract is showing as provided
  • Verify in the icmp contract subject that the L4-L7 Service Graph is selecting the conmurph-asa-routed policy

  • After a minute you should see the ASAv VM's Network Adapter 2 and Network Adapter 3 updated with the newly created port groups
