07-13-2015 06:32 PM - edited 03-01-2019 04:51 AM
I'm looking for guidance implementing Internet connectivity for a host within an EPG out to the Internet by way of an ASA. I am implementing a service provider model with a customer per tenant, an ASA firewall per tenant, and a shared Internet edge router.
Customer host(s) are configured in an EPG inside the customer's tenant.
The Internet routers, dual ASRs, are connected to the fabric on one set of interfaces and out to the Internet via another set of interfaces. In other words, only the inside interfaces of the Internet routers are connected to the fabric. I have successfully built an L3 Out to these ASRs using an SVI on the fabric. OSPF comes up, the APIC exchanges routes with the ASRs, and I can ping back and forth. It's the ASA insertion where it all goes wrong.
My servers are in private IP address space, so I need to NAT on the way out to the Internet.
The IP addresses used to NAT each customer are different than the subnet on the outside of my Internet router. I would like to use something like a loopback to be able to NAT using a /30 per tenant/customer.
Each customer's ASA is a single ASA connected to two leaf nodes via a VPC.
Questions:
Should I configure the ASA in transparent mode or routed mode?
If transparent, has anyone successfully implemented NAT on the ASA in transparent mode? Would I implement the ASR as a Layer 3 Out and then insert the ASA with a service graph on the contract between the layer 3 out EPG and the server EPG?
If routed mode, do I use two Layer 3 Outs from the same VRF/private network? One for the ASA and one for the ASR?
If anyone has successfully implemented this use case can you share a high level summary of how you stitched it together?
08-24-2015 06:11 AM
Hi Chris,
The scenario you're describing should be possible. The ASA supports NAT in both routed and transparent mode. One advantage of using routed mode is that you can NAT the internal hosts to the outside interface of the ASA firewall.
A high-level summary of the configuration would be:
Note that the ASA device package does not currently support NAT. You can either forego device package integration for the ASA or use device package integration and manually manage the NAT configuration on the ASA outside of the APIC.
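The routed-mode option described in this answer, written out as an added ASA configuration example (not part of the original reply or of any Cisco documentation). It assumes a single ASA attached to the leaf pair over a VPC port-channel with one subinterface facing the server EPG (inside) and one facing the L3Out SVI (outside); every address, VLAN, and object name below is a placeholder. The NAT rule translates the private server subnet to a per-tenant /30 public pool, which is what the original question asked for; the comment shows the simpler variant of translating to the outside interface address instead. Because the /30 pool is not configured on any ASA interface, the fabric side must carry a route for that pool pointing at the ASA's outside address (for example a static route in the L3Out toward the ASA), otherwise return traffic never reaches the firewall. Since the device package does not manage NAT, this part is applied on the ASA directly.

```text
! --- Interfaces: VPC port-channel toward the two leaf nodes, one subinterface per side
interface Port-channel1.100
 vlan 100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface Port-channel1.200
 vlan 200
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! --- Default route toward the ACI L3Out SVI address (192.0.2.1 is assumed)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! --- Per-tenant public /30 used for PAT (203.0.113.0/30 is assumed; two usable addresses)
object network CUSTOMER_A_PAT_POOL
 range 203.0.113.1 203.0.113.2
!
! --- Customer private server subnet, translated on the way to the Internet
object network CUSTOMER_A_INSIDE
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool CUSTOMER_A_PAT_POOL
! To translate to the outside interface address instead of a separate /30,
! replace the nat line above with:
!   nat (inside,outside) dynamic interface
```

With the pool variant, confirm on the ACI side that 203.0.113.0/30 is routed to 192.0.2.2 and redistributed (or statically present) toward the ASR/N7K L3Out, then verify from a server with `show xlate` and `show nat detail` on the ASA that hits are accruing against the pool rather than the interface address.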
09-20-2016 03:12 AM
Hi Zach,
I have seen your comment from about a year ago about the ACI Internet connectivity use case, and we need your help and assistance if possible.
We have to host customers behind the ACI fabric. We have to provide the public cloud service to our customers.
Through the public cloud service, we would like that, after creating an ACI tenant for such a customer, the customer plugs its physical server into the fabric and has Internet connectivity.
Please find attached our intended design for the Internet use case.
We have deployed static routing between the managed ASA outside side and the ACI fabric, and OSPF dynamic routing between the ACI fabric and the N7K external device (detailed in the snapshot internet_customer_service). On the ASA firewall side, we have configured a default route pointing to the L3Out IP address implemented in the ACI fabric.
The managed ASA service device will act as the default gateway of the hosted servers and will perform the NAT function to translate the customer server private addresses to public addresses.
We have updated the tenant configuration steps. Can you please confirm these steps for us?
Configure in Tenant Common
Configure in YOUR Tenant
Regards,
Ahmed