Before You Begin
This chapter includes the following sections:
•Overview of the Solution Components
•Deployment Architecture for the ASA 1000V
•Predeployment Task Flow
•Guidelines and Limitations
•Obtaining Documentation and Submitting a Service Request
Overview of the Solution Components
The Cisco ASA 1000V Cloud Firewall is a virtual appliance that was developed using the ASA infrastructure to secure the tenant edge in multitenant environments with Nexus 1000V deployments. It provides edge features and functionality (including site-to-site VPN, NAT, and DHCP), acts as a default gateway, and secures the virtual machines (VMs) within the tenant against any network-based attacks.
The Cisco ASA 1000V is deployed with the following components:
•Compatible hardware that runs the VMware vSphere Hypervisor software.
•vCenter vSphere Hypervisor software—The required software for installing the Cisco Nexus 1000V and the Cisco VNMC appliance in a virtual data center.
•vCenter Server software—The required VM management software that is supported on the Cisco Nexus 1000V.
•Cisco Nexus 1000V—The required virtual switch for running VMs such as the ASA 1000V in a virtual data center.
•Cisco Virtual Network Management Center (VNMC) appliance—The required virtual appliance that manages virtual security appliances within the virtualized environment. The Cisco VNMC acts as a single point manager for both the Cisco ASA 1000V and Cisco VSG.
•Cisco ASA 1000V—The virtual service node that runs as a VM to secure the tenant edge in the virtualized environment.
•(Optional) Cisco Virtual Security Gateway (VSG)—A service appliance required to segment VMs from each other. The Cisco VSG is required to segment inter-VM traffic within a tenant.
Deployment Architecture for the ASA 1000V
This section includes the following topics:
•Sharing Policies Using the Cisco VNMC
•Policy Objects for the ASA 1000V
•How Policies Are Applied to the ASA 1000V
•Configuration Model for the ASA 1000V
The ASA 1000V enables a broad set of multitenant workloads that have varied security profiles to share a common infrastructure in a virtual data center. By associating one or more VMs in a network to distinct security profiles, the ASA 1000V ensures that access from and to these VMs is controlled and monitored through established security policies.
Integrated with the Cisco Nexus 1000V series switch and VNMC, the ASA 1000V allows administrative segregation across the security, networking, and server teams, which supports collaboration, eliminates administrative errors, and simplifies audits. The networking team defines port profiles in the Nexus 1000V VSM that are templates for switch port configuration. These port profiles automatically appear as port groups to the server team, which applies networking configuration for the VMs in VMware vCenter. The security team defines policies called edge security profiles in Cisco VNMC or ASDM that are downloaded to the ASA 1000V. The security team also collaborates with the networking team by providing the edge security profile names that it has created. The networking team assigns a security profile to a port profile in the VSM. The server team selects these port profiles from the VM configuration in VMware vCenter.
After the three-way setup is complete for securing a VM, the ASA 1000V applies the security policies defined by the security profile for traffic originated by the VM or destined to the VM. If the setup is not complete, traffic from and to the VMs hits the ASA 1000V (because it is the default gateway), but the traffic is dropped. Therefore, any VM behind the ASA 1000V must have a security profile associated with it.
Note Only VMs behind the ASA 1000V on the inside interface need to have security profiles applied. The ASA 1000V does not support applying security profiles to VMs on the outside network.
Figure 1-1 shows how a port profile is used by the ASA 1000V.
Figure 1-1 Port Profile Usage by ASA 1000V
As shown in Figure 1-1, VMs protected by the ASA 1000V are grouped into port profiles. Port profiles can have different security policies in the ASA 1000V. Security policies are created in Cisco VNMC using edge security profiles. These security profiles are bound to the port profiles in the VSM. When the VMs are created, the port groups corresponding to the port profiles applicable to the VMs are selected in VMware vCenter.
The configuration shown in Figure 1-1 includes a VM on the outside interface of the ASA 1000V. This VM does not require a security profile applied to it in order to send and receive traffic through the ASA 1000V. The VM requires the port profile and port group.
The ASA 1000V is also the default gateway for the VMs on the inside interface. The ASA 1000V assigns IP addresses to these VMs through DHCP. If IP addresses are assigned statically for the VMs, they must send packets using the static IP address before the ASA 1000V can allow the traffic from the outside VM to reach VMs on the inside interface.
Sharing Policies Using the Cisco VNMC
This section includes the following topics:
•Tenant Management and Multitenancy
•Resource Objects for the ASA 1000V
Cisco VNMC is a model-driven, multitenant, multi-device manager that allows sharing of policies between many ASA 1000Vs. Cisco VNMC organizes objects into five distinct folder or organization levels for tenant management.
Named policy objects can be defined at a higher level folder and referenced by policies and objects created in lower levels. Name resolution uses a tree model in which names are resolved starting at the level in which the name is referenced, moving up the hierarchy towards the root.
Tenant Management and Multitenancy
Cisco VNMC provides the ability to achieve multitenancy. Multitenancy enables the division of large physical infrastructures into logical entities called organizations. As a result, you can achieve logical isolation between organizations without providing a dedicated physical infrastructure for each organization.
The administrator can assign unique resources to each tenant through the related organization in the multitenant environment. These resources can include different policies, pools, device profiles, firewalls, and so on. The administrator can use locales to assign or restrict user privileges and roles by organization if access to certain organizations needs to be restricted.
Cisco VNMC provides a strict organizational hierarchy, as shown in Figure 1-2:
Figure 1-2 Organizational Hierarchy (figure not reproduced; the level labels visible here are 3. Virtual Data Center and 4. Virtual Application)
The root can have multiple tenants. Each tenant can have multiple data centers. Each data center can have multiple applications, and each application can have multiple tiers.
The policies and pools created at the root level are system wide and are available to all organizations in the system. However, any policies and pools created in an organization are only available to organizations that are below it in the same hierarchy.
For example, if a system has tenants named Company A and Company B, Company A cannot use any policies created in the Company B organization. Company B cannot access any policies created in the Company A organization. However, both Company A and Company B can use policies and pools in the root organization.
Resource Objects for the ASA 1000V
Cisco VNMC abstracts the devices it manages. It requires the devices to be provisioned out-of-band. As part of provisioning, devices are configured to point to Cisco VNMC for policy management. Cisco VNMC discovers all devices and lists them under the Resources pane. In addition to the ASA 1000V, the Resources pane includes other resources such as Cisco VSGs, VSMs, and VMs.
In Cisco VNMC, a logical edge firewall object must be created in the Managed Resources pane. The Edge Firewall object type refers to the ASA 1000V and represents a logical instance of the ASA 1000V. This object defines the inside and outside interfaces and allows device profiles and edge device profiles to be applied to the ASA 1000V. In addition, edge security profiles for the outside interfaces are applied here.
The logical edge firewall object is created at a specific organization level of the five-level hierarchy.
Policy Objects for the ASA 1000V
There are three types of top-level policy objects for the ASA 1000V. These objects can contain other policies and objects.
•Device Profiles—Includes policies that are global to the entire virtual appliance, regardless of the type of appliance. Multiple ASA 1000V instances can use the same device profile. The same device profile can be shared between Cisco VSG and the ASA 1000V. This profile type contains policies such as NTP and system log messages. Device profiles are created under the Device Configurations pane.
•Edge Device Profiles—(Global to the ASA 1000V only). Multiple ASA 1000V instances can use the same edge device profile. This profile type contains policies that are unique to the ASA 1000V; for example, DHCP server and routing policies, which are not applicable to Cisco VSG or other devices. This profile is created in the Service Profiles pane.
Note The Service Profiles pane contains other profile types that are not applicable to the ASA 1000V. For example, Service Profiles only apply to Cisco VSG.
•Edge Security Profiles—Includes policies that can be applied to port profiles or VMs. Most of the firewall policies are defined in this type including ACLs, NAT, and so on. Edge security profiles can also be applied to outside interfaces of the ASA 1000V. In this case, the policies are applied to traffic from sources that do not have a security profile attached. Typically, edge security profiles are used on the outside interface of the ASA 1000V to define permit ACLs. An edge security profile is created in the Service Profiles pane.
How Policies Are Applied to the ASA 1000V
Edge firewall objects need to be associated with an ASA 1000V instance. After association, all applicable profile types for the ASA 1000V device type are pushed to the ASA 1000V instance. All edge profile objects that are created at the same organization level as the edge firewall object are pushed to the device.
Note Device profiles and edge device profiles were already identified through the edge firewall object.
For example, if the edge firewall object is created at root/Cisco/Engineering-DC, all edge security profiles and policies in root/Cisco/Engineering-DC are pushed to the ASA 1000V instance. In addition, all edge security profiles and policies created under any organization level under root/Cisco/Engineering-DC are also pushed.
Policies can be organized at various levels for efficient management and sharing. Associating an edge firewall at a data center level allows a single edge firewall to protect VMs that belong to different types of applications and tiers.
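The name-resolution and policy-push rules described above (policies visible only to organizations below the level where they are defined, names resolved by walking up toward root, and every edge security profile at or beneath the edge firewall's organization pushed to the device) as an added model in Python; this is not Cisco VNMC code, and the organization paths and policy names are constructed for the example:

```python
# Added example (not Cisco's code): a model of how Cisco VNMC scopes policy
# objects in its organization hierarchy. Org paths and policies are constructed.

class OrgTree:
    """Policies stored per organization path, e.g. 'root/Cisco/Engineering-DC'."""
    def __init__(self):
        self.policies = {}  # org path -> {policy name: policy body}

    def define(self, org, name, body):
        self.policies.setdefault(org, {})[name] = body

    @staticmethod
    def ancestors(org):
        """Yield org itself, then each parent up to and including root."""
        parts = org.split("/")
        while parts:
            yield "/".join(parts)
            parts.pop()

    def resolve(self, org, name):
        """Start at the referencing level and walk up toward root.
        Returns (level where found, body), or None if no ancestor defines it."""
        for level in self.ancestors(org):
            found = self.policies.get(level, {})
            if name in found:
                return level, found[name]
        return None

    def pushed_to(self, firewall_org):
        """Edge security profiles pushed to an edge firewall created at
        firewall_org: those at that level plus every organization beneath it.
        Device and edge device profiles are bound via the firewall object itself."""
        prefix = firewall_org + "/"
        return {
            f"{org}:{name}"
            for org, names in self.policies.items()
            if org == firewall_org or org.startswith(prefix)
            for name in names
        }

def build_demo():
    """Constructed sample: two tenants plus a Cisco tenant with two data centers."""
    tree = OrgTree()
    tree.define("root", "ntp-default", "system-wide NTP policy")
    tree.define("root/CompanyA", "web-acl", "Company A ACL")
    tree.define("root/CompanyB", "web-acl", "Company B ACL")
    tree.define("root/Cisco/Engineering-DC", "edge-out", "DC edge profile")
    tree.define("root/Cisco/Engineering-DC/App1", "app1-esp", "App1 profile")
    tree.define("root/Cisco/Sales-DC", "sales-esp", "sibling DC profile")
    return tree
```

The sibling data center's profile is never pushed to the Engineering-DC firewall, and Company A's lookups can reach root but never Company B, which is the isolation property the hierarchy is meant to give.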
Configuration Model for the ASA 1000V
The ASA 1000V includes a service interface. The ASA 1000V can receive traffic, such as DHCP queries and SSH traffic, from the VMs on the service interface when those VMs are configured with edge security profiles.
Note When configuring the service interface for the ASA 1000V, you use the ASA 1000V inside interface and assign it an IP address and security level. For information on configuring an interface, see the Cisco ASA 1000V CLI Configuration Guide.
Each edge security profile configured for the VMs on the service interface has a security profile interface (named "interface security-profile"). Security profile interfaces are dynamic (they do not have an IP address) and identify the service interface.
When configuring the ASA 1000V, attach policies such as access lists and application inspection to the security profile interface and not to the service interface. On the service interface, you configure only policies that terminate traffic, such as policies for the DHCP server and SSH traffic.
When a VM sends traffic from the inside interface to the outside interface, the ASA 1000V applies the policies assigned to the security profile interface for that VM and then the policies assigned to the outside interface. When the ASA 1000V receives outside traffic for a VM, the ASA 1000V applies the policies configured on the VM's security profile interface.
The outside, management, and failover interfaces on the ASA 1000V function the same way that they do for other ASA releases.
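The configuration model above (a VM's port profile bound to an edge security profile, policies applied on the security profile interface and the outside interface depending on direction, only terminating services such as DHCP and SSH on the service interface, and traffic from an inside VM with no profile dropped) as an added Python model; this is not ASA 1000V code, and the port profile, profile and policy names are constructed:

```python
# Added example (not Cisco's code): a model of which ASA 1000V policy set a flow
# passes through under the configuration model above. All names are constructed.

from dataclasses import dataclass, field

@dataclass
class Asa1000V:
    # port profile -> edge security profile, the binding made in the VSM
    port_bindings: dict = field(default_factory=dict)
    # policies attached to each security-profile interface (ACLs, inspection)
    profile_policies: dict = field(default_factory=dict)
    # policies attached to the outside interface
    outside_policies: list = field(default_factory=list)
    # only traffic-terminating services belong on the service interface
    service_terminators: tuple = ("dhcp", "ssh")

    def forward(self, vm_port_profile, direction, service=None):
        """Classify one flow involving a protected inside VM.
        direction: 'egress' (VM -> outside), 'ingress' (outside -> VM) or
        'service' (VM -> the ASA 1000V itself). Returns ('drop', why) or
        ('apply', [policy stages in order])."""
        profile = self.port_bindings.get(vm_port_profile)
        if profile is None:
            # no edge security profile bound: the default gateway drops it
            return "drop", f"no edge security profile bound to {vm_port_profile}"
        sp_iface = list(self.profile_policies.get(profile, []))
        if direction == "egress":
            return "apply", sp_iface + list(self.outside_policies)
        if direction == "ingress":
            return "apply", sp_iface
        if direction == "service":
            if service in self.service_terminators:
                return "apply", [f"service-interface:{service}"]
            return "drop", f"{service} is not terminated on the service interface"
        return "drop", f"unknown direction {direction!r}"

def build_demo():
    """Constructed sample: one web tier bound to one edge security profile."""
    asa = Asa1000V()
    asa.port_bindings = {"web-tier-pp": "web-esp"}
    asa.profile_policies = {"web-esp": ["acl:web-in", "inspect:http"]}
    asa.outside_policies = ["acl:outside-permit"]
    return asa
```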
Predeployment Task Flow
Before deploying the ASA 1000V, you must perform the following tasks in this order:
1. Install an x86 Intel server with a 64-bit processor that is listed in the VMware Hardware Compatibility List and runs VMware vSphere Hypervisor software 4.1 or 5.0, with a minimum of two processors of at least 1.5 GHz each, 8 GB of physical RAM, 30 GB of disk space, and an Enterprise Plus license.
2. Install VMware vCenter 4.1 or 5.0 to manage the VMware vSphere Hypervisor server, with an Enterprise Plus license.
See the VMware documentation:
3. Install the VMware vSphere Client and connect it to the appropriate VMware vCenter for your Cisco Nexus 1000V deployment.
See the VMware documentation:
4. Install the Cisco Nexus 1000V switch, Release 4.2(1)SV1(5.2), Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM).
The following link provides an overview of Nexus 1000V architecture:
Nexus 1000V Architecture
Use the Nexus 1000V Installation Management Center to install Nexus 1000V on your server(s). The following links describe the steps:
Nexus 1000V Installation and Upgrade Guide
Nexus 1000V Installation and Upgrade Video
5. Create the necessary port profiles for your VMs, VNMC, ASA 1000V, and VSG by following the steps listed in the Cisco Nexus 1000V Port Profile Configuration Guide:
Cisco Nexus 1000V Port Profile Configuration Guide
The ASA 1000V requires the following four port profiles because it has four interfaces:
–A port profile for the inside interface of ASA 1000V that belongs to the inside VLAN
–A port profile for the outside interface of ASA 1000V that belongs to the outside VLAN
–A port profile for the management interface
–A port profile for the failover interface if failover is used
Each port profile must be on a different Layer 2 network.
6. Install the Cisco Virtual Network Management Center (VNMC) 2.0:
Cisco VNMC Quick Start Guide
7. Register the VSM with the Cisco VNMC by downloading the Nexus 1000V Policy Agent image from the Cisco software download site and completing the steps in the "Registering a Cisco Nexus 1000V VSM" section of the following guide:
Cisco VNMC Quick Start Guide
Guidelines and Limitations
The components required to support the ASA 1000V (VNMC, VSM, VSG) do not support localization (installing the components in non-English mode). Consequently, the VMware vCenter and the LDAP servers in your environment must be installed in an ASCII-compatible mode.
You must set your keyboard to United States English before installing the ASA 1000V and using the VM console.
The VMs that are on the inside of the ASA 1000V need to be directly connected to a Nexus 1000V switch and in the same VLAN as the one you have configured on the inside of the ASA 1000V. Inside VMs must be Layer 2 adjacent to the inside of the ASA 1000V. You cannot have a Layer 3 hop, as with a physical router, on the inside of the ASA 1000V.
For more information about the individual components that comprise the ASA 1000V, see the following documentation:
•Cisco Nexus 1000V
Cisco Nexus 1000V Documentation
•Cisco Virtual Network Management Center (VNMC)
Cisco VNMC Documentation
ASA 1000V Documentation
•(Optional) Cisco Virtual Security Gateway (VSG), Version 1.4
For information about troubleshooting your ASA 1000V deployment, see the Cisco ASA 1000V Troubleshooting Guide at ASA 1000V Documentation.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
For information about the ASA 1000V features, see the following ASA 1000V documentation at:
ASA 1000V Documentation