Configuring direct failover links that do not use the ACI fabric
NAT net-to-net option
Redirecting ASA traffic to the ASA FirePOWER module using the sfr command
Note: OSPFv3 requires ASA release 9.0(1) or above. BGP (IPv4) requires ASA release 9.2(1) or above. BGP (IPv6) requires ASA release 9.3(2) or above.
The following figure shows how to set up the APIC to access the ASA. For an ASA in multi-context mode, the management IP address of the cluster should be that of the admin context of the ASA, and the management IP address of Device 1 should be that of the target user context. (The admin context can be the target user context as well.)
Each context must be defined as its own APIC cluster. Multiple contexts within an ASA cannot be represented under a single cluster.
Model Changes Between 1.1(1) and 1.2(1)
We changed the ipv4_address and ipv6_address parameters to folders in the BridgeGroupIntf folder.
We changed the ipv4_address and ipv6_link_local_address parameters to folders in the InterfaceConfig folder.
We moved the PortChannelMember and LACPMaxBundle folders from device configuration to cluster configuration.
We removed all the parameters named rate_status under the BasicThreatDetection folder.
We removed the status parameter in the ScanningThreatRate folder.
We removed the statistics parameter in the AdvancedThreatDetection folder.
In a scenario where there are two identical graphs (identical interfaces) that have one BD with multiple EPGs, it is not possible to support NAT because NAT cannot differentiate between interfaces.
When you delete NAT on one of the graphs or delete one of the graph instances, the ASA Device Package cannot determine which one you want to delete, and it removes both.
The ASAv does not support multiple context mode.
Installing the Software
To install the ASA Device Package software, see the Cisco ASA Integration with the APIC Quick Start Guide for instructions, at: