cloud networking, multi-cloud networking

Cisco ASAv and Aviatrix Firenet Integration

In this blog I’m revisiting an old friend, ok… colleague, checking how ASAv and FTDv customers can leverage them with Aviatrix. From Cisco website “Secure Firewall ASA Virtual is a firewall with powerful VPN capabilities. It supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities.”

More info at: https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/adapt-security-virtual-appliance-ds.html

ASAv has 4 interfaces:

  • Management: management interface can also be used for data with the configuration option no management-only
  • GigabitEthernet 0/0
  • GigabitEthernet 0/1
  • GigabitEthernet 0/2

One of possible design for ASAv is show on the diagram below where the management interface is dedicated.

The FireNet design below is for the case where the management interface is shared:

Assumptions

  • Controller and CoPilot is deployed
  • FireNet is deployed

Constraints

  • Aviatrix cannot instantiate ASAvs as it does for other vendors like PAN, CheckPoint, FortiNet
  • FireNet vendor integration is not supported
  • ASAv Azure Marketplace ARM template requires an “empty” resource group

ASAv Deployment

We can deploy ASAv directly from Azure Marketplace:

  • Public IP address: because the ASAv will lay behind a LB, we need to create a standard public ip
  • ASAv requires at least 4 subnets but for the FireNet integration we need 3 mapped properly as below:

Once the deployment is done, we have a few manual steps to do. Because ASAv ARM template requires a new resource-group and Aviatrix expects to find its managed firewall under its own resource group, we need to move resources around:

Maybe a Cisco ASAv and Azure ARM guru reading this post can help me with a way to deploy ASAv using an existing non empty resource group

Once the ASAv resources are moved to the transit resource group, we can go to the Controller and associate the firewall to the FireNet:

Once the association is complete we can check if the VM was properly added to the back end pool of the FireNet managed Azure Load Balancer:

Do not forget to add a NSG to the ASAv VM interface:

ASAv Configuration

interface GigabitEthernet0/0
nameif external
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif internal
security-level 100
ip address dhcp setroute
!
same-security-traffic permit intra-interface
!
access-group east-west in interface internal
access-list east-west extended permit ip any any log
!
route internal 168.63.129.16 255.255.255.255 10.255.160.145 1
route internal 10.0.0.0 255.0.0.0 10.255.160.145 1
route internal 172.16.0.0 255.240.0.0 10.255.160.145 1
route internal 192.168.0.0 255.255.0.0 10.255.160.145 1
!
ssh 168.63.129.0 255.255.255.0 internal

Testing

From a VM running on spoke30 I started a ping to a VM running on spoke40:

Running a capture on the ASAv I can see the traffic is hitting the firewall for inspection:

From FlowIQ:

References

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/asav/getting-started/asav-915-gsg/m_asav-intro.html

Leave a Reply