Server -> ASA -> Internet with NAT

chris.gatch1
Level 1

I'm looking for guidance implementing Internet connectivity for a host within an EPG out to the Internet by way of an ASA.  I am implementing a service provider model with a customer per tenant, an ASA firewall per tenant, and a shared Internet edge router.

Customer host(s) are configured in an EPG inside the customer's tenant.

The Internet routers, dual ASRs, are connected to the fabric on one set of interfaces and out to the Internet via another set of interfaces.  In other words, only the inside interfaces of the Internet routers are connected to the fabric.  I have successfully built a L3 Out to these ASRs using an SVI on the fabric.  OSPF comes up, the APIC exchanges routes with the ASRs, and I can ping back and forth.  It's the ASA insertion where it all goes wrong.

My servers are in private IP address space, so I need to NAT on the way out to the Internet.

The IP addresses used to NAT each customer are different than the subnet on the outside of my Internet router.  I would like to use something like a loopback to be able to NAT using a /30 per tenant/customer.

Each customer's ASA is a single ASA connected to two leaf nodes via a VPC.

Questions:

Should I configure the ASA in transparent mode or routed mode?

If transparent, has anyone successfully implemented NAT on the ASA in transparent mode?  Would I implement the ASR as a Layer 3 Out and then insert the ASA with a service graph on the contract between the layer 3 out EPG and the server EPG?

If routed mode, do I use two layer 3 outs from the same VRF/private network?  One for the ASA and one for the ASR?

If anyone has successfully implemented this use case can you share a high level summary of how you stitched it together?


2 Replies

Zach Seils
Level 7

Hi Chris,

The scenario you're describing should be possible. The ASA supports NAT in both routed and transparent mode. One advantage of using routed mode is that you can NAT the internal hosts to the outside interface of the ASA firewall.

A high-level summary of the configuration would be:

  • Configure an External Routed Network (aka L3Out) between the ACI fabric and the ASR routers
  • Configure an External Routed Network (aka L3Out) between the ACI fabric and the external interface of the ASA firewall
  • Deploy the ASA in routed mode, with the internal hosts using the ASA as their default gateway

Note that the ASA device package does not currently support NAT.  You can either forego device package integration for the ASA or use device package integration and manually manage the NAT configuration on the ASA outside of the APIC.

Regards,
Zach
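The routed-mode design Zach outlines (ASA as the servers' default gateway, its outside leg facing an ACI L3Out, internal hosts translated to the ASA's outside address) looks roughly like the following on the ASA itself. This is an added illustration, not configuration from anyone in this thread: the interface names, VLAN IDs and addresses are constructed (RFC 5737 and RFC 1918 space), and the port-channel reflects Chris's vPC attachment to two leaf nodes.

```cisco
! Added example: ASA routed-mode configuration for one customer tenant.
! Not from the thread; interface names, VLANs and addresses are constructed.
!
! Single port-channel carried over the vPC to the two ACI leaf nodes; each leg
! of the firewall is a VLAN subinterface on it.
interface Port-channel1
 description vPC to ACI leaf pair
 no shutdown
!
! Outside leg: /30 transit subnet shared with the ACI L3Out SVI
! (constructed 203.0.113.0/30, SVI on .1, ASA on .2).
! The ASA's own outside address is the public address used for NAT,
! which gives the "/30 per tenant" that Chris asked about.
interface Port-channel1.100
 vlan 100
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Inside leg: the customer bridge domain. The ASA, not the fabric,
! is the default gateway for the servers, so the BD stays L2 only.
interface Port-channel1.200
 vlan 200
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Default route towards the ACI L3Out SVI; the fabric forwards on to the ASRs.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound PAT: every customer server is translated to the ASA outside
! interface address on its way to the Internet.
object network CUSTOMER-A-INSIDE
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound (only for servers that must be reachable from the Internet, as in
! Ahmed's use case): port-forward a single service to one server and admit
! only that service with an interface ACL. Since ASA 8.3, the ACL matches the
! real (untranslated) server address.
object network CUSTOMER-A-WEB
 host 10.10.10.20
 nat (inside,outside) static interface service tcp 443 443
!
access-list OUTSIDE-IN extended permit tcp any object CUSTOMER-A-WEB eq 443
access-group OUTSIDE-IN in interface outside
```

Two points follow from this layout. First, the fabric learns 203.0.113.0/30 through the ASA L3Out (static or dynamic) and must export it through the ASR L3Out in the same VRF; ACI treats that as transit routing between two L3Outs, so the prefix (or a summary covering every tenant's /30) has to be allowed in the ASR L3Out's export route control before the ASRs, and therefore the Internet, can reach the NAT addresses. Second, because the ASA device package did not support NAT at the time of Zach's reply, the `object network` and `nat` lines above are exactly the part that has to be maintained on the ASA directly, outside the APIC.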

Hi Zach,

I saw your comment from within the last year about the ACI Internet connectivity use case, and we need your help and assistance if possible.

We have to host customers behind the ACI fabric and provide a public cloud service to them.

With this public cloud service, we would like that, after we create an ACI tenant for a customer, the customer can plug its physical server into the fabric and have Internet connectivity.

Please find attached our intended design for the Internet use case.

We have deployed static routing between the managed ASA's outside interface and the ACI fabric, and OSPF dynamic routing between the ACI fabric and the N7K external device (detailed in the snapshot internet_customer_service). On the ASA firewall side, we have configured a default route pointing to the L3Out IP address implemented in the ACI fabric.

The managed ASA service device will act as the default gateway of the hosted servers and will perform the NAT function to translate the customer servers' private addresses to public addresses.

  • For our Internet service use case, we need the customer-hosted servers to be reachable and accessible from the Internet. So I think we should advertise the public IP address to the outside network, i.e. the first L3Out IP address between the ASA outside leg and the ACI fabric? How do we redistribute the public address into OSPF towards the outside network? Do we need to configure a static route to the firewall "outside" subnet under VRF Internet and then redistribute it into the OSPF routing protocol?

  • According to the attached design, do you confirm that we only need to configure two L3Out connections (towards the ASA outside leg and towards the N7K core devices) and that we don't need to deploy an outside bridge domain? Are the two L3Out connections associated only with the Internet VRF instance?

  • Do you confirm that, for this scenario design, only the Internet VRF instance and the second L3Out towards the N7K core devices will be implemented in the common tenant?

We have updated the tenant configuration steps. Can you please confirm these steps for us?

Configure in Tenant Common

  1. Configure VRF (Private Network) under Tenant common
  2. Configure L3 outside connection (from the fabric to the N7K external device) under Tenant common and associate it with the VRF configured in step 1

Configure in YOUR Tenant

  1. Configure the inside L2 Bridge domain
  2. Configure L3 outside connection (from the fabric to the ASA outside leg) and associate it with the VRF configured in step 1
  3. Under each tenant configure EPG and associate EPG with the BD
  4. Configure contract and application profile under each tenant.

Regards,

Ahmed
