Use this enhancement feature for caveat CSCvb90258:
Symptom: The ASA Fabric Insertion (FI) Device Package (DP) does not support saving configuration out-of-band.
Conditions: The ASA-FI-DP only supports routing and interface configuration. It does not support the configuration of security policy binding commands, such as access-group and nat, to the service graph. To assign a security policy to a service graph, you must manually configure the setup. In the case of rerendering a service graph after removing it, you must manually reconfigure the bindings.
Solution: This enhancement feature enables you to save the security policy binding commands to a file, which the ASA-FI-DP can apply after the service graph is reattached.
XML: A folder named SecurityPolicyAssignment has been added under vnsMFunc which enables you to enter a name for the configuration that has the security policy to assign to the service graph.
<vnsMFolder key="ExIntfConfigRelFolder" dispLabel="External Interface Configuration"
description="A list of additional interface parameters for external connector"...>
<vnsMFolder key="InIntfConfigRelFolder" dispLabel="Internal Interface Configuration"
description="A list of additional interface parameters for internal connector" ...>
<vnsMConn name="external" ...>
<vnsMConn name="internal" ...>
dispLabel="Security Policy Assignment"
description="Assign the security policy in the named file to the service-graph">
description="Specify the name of the file that contains the out of band configuration specific to the service-graph"/>
If the file is on the ASA, enter the name of the file.
If the file is on a TFTP server, enter: tftp://<ip-address>/<filename>
If the file is on an FTP server, enter: ftp://<ip-address>/<filename>
The contents of the file should be commands that you must enter out-of-band that reference the interfaces used in the service graph. For example:
access-group <acl-name> [in|out] interface <nameif>
nat (<nameif>, <nameif>) …
service-policy <policy-name> interface <nameif>
crypto map <map-name> interface <nameif>
crypto ikev2 enable <nameif>
Here's an example of such a file for a service graph with interfaces externalInt and internalInt:
access-group external_access_acl in interface externalInt
nat (internalInt,externalInt) source static real_obj mapped_obj
nat (internalInt,externalInt) source dynamic any mapped_obj interface
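A pre-deployment check for such a file, as an added example that is not part of the device package or the original page: it accepts only the interface-binding command forms listed above and reports any line that is not one of them or whose nameif is not an interface of the service graph. The function name lint_binding_file, the sample file and the dmz interface are constructed for illustration.

```python
import re

# Interface-binding command forms listed on this page; named groups capture each nameif.
BINDING_PATTERNS = [
    re.compile(r"^access-group\s+\S+\s+(?:in|out)\s+interface\s+(?P<a>\S+)"),
    re.compile(r"^nat\s+\(\s*(?P<a>[^,\s)]+)\s*,\s*(?P<b>[^,\s)]+)\s*\)\s+\S"),
    re.compile(r"^service-policy\s+\S+\s+interface\s+(?P<a>\S+)"),
    re.compile(r"^crypto\s+map\s+\S+\s+interface\s+(?P<a>\S+)"),
    re.compile(r"^crypto\s+ikev2\s+enable\s+(?P<a>\S+)"),
]

def lint_binding_file(text, graph_interfaces):
    """Return (line_no, line, reason) for every line that does not belong in the file."""
    allowed = set(graph_interfaces)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blank lines and ASA comment lines
            continue
        for pattern in BINDING_PATTERNS:
            m = pattern.match(line)
            if m is None:
                continue
            unknown = [n for n in m.groupdict().values() if n not in allowed]
            if unknown:
                findings.append((no, line, "interface not in service graph: " + ", ".join(unknown)))
            break
        else:  # no binding form matched
            findings.append((no, line, "not an interface-binding command"))
    return findings

# Constructed sample: lines 1-2 are valid, lines 3-5 should be reported.
SAMPLE = """\
access-group external_access_acl in interface externalInt
nat (internalInt,externalInt) source static real_obj mapped_obj
nat (internalInt,dmz) source dynamic any mapped_obj interface
access-list external_access_acl extended permit tcp any any eq 443
access-group global_acl global
"""

if __name__ == "__main__":
    for no, line, reason in lint_binding_file(SAMPLE, {"externalInt", "internalInt"}):
        print(f"line {no}: {reason}: {line}")
```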
Commands that do not reference an interface should not be part of the file because they're not removed when you remove the service graph. Examples of such commands include: