Cisco VSG and ASA 1000v integration/design

Answered Question
Oct 17th, 2012
User Badges:

Hello Guys,

I found an interesting vPath behavior in VSG with ASA 1000v deployement on ESXi cluster.

ASA 1000v have 2 interfaces only for data (Inside and Outside).

When you want to enable the vPath for the ASA, you should apply vservice node type asa on the port-profile of your virtual machines, when you do this step, you lose the VSG policy for those virtual machines.

I decided to create 3 port-profiles, 2 for virtual machines (to send some to VSG and some for ASA 1000v), and 1 port-profile for ASA inside interface, when I apply the vservice command under ASA inside port-profile, the ASA doesn't permit the traffic proprly with the defined policies (although the ASA is able to ping and receive icmp from the VMs).

I appreciate if someone can clarify this point or have some insight on this subject.

Kind Regards

Mohammed Khair

Correct Answer by Vinod Kataria about 4 years 8 months ago

You need to use vpath service chaining if you want to use VSG/ASA together. Below link has information about the service chaining:



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)


This Discussion