Configure the Cisco APIC Integration with ASA

The following topics discuss how to configure the Cisco APIC integration with ASA.

Give the Dynamic Attributes Connector access to ASA

This topic discusses how to give the dynamic attributes connector HTTPS access to ASA.

Before you can configure the integration, you must allow the dynamic attributes connector HTTPS access to the ASA using the http server enable, http, aaa authentication http console, and route commands.

An example follows:

http server enable
http 0.0.0.0 0.0.0.0 management
aaa authentication http console LOCAL
route management 10.1.0.0 255.255.255.0 192.0.2.100

The http 0.0.0.0 0.0.0.0 management line permits HTTPS connections from any source address on the management interface; where possible, narrow the address and mask to the host on which the dynamic attributes connector runs.

For more information, see:

Get required information for the integration

This section discusses:

  • Information required to configure the integration

  • Information used in dynamic object names

Cisco ACI Endpoint Update App site prefix and update interval

This information applies to you only if you're currently using the Cisco ACI Endpoint Update App; otherwise, you can skip it.

To find the Cisco ACI Endpoint Update App site prefix and update interval:

  1. Log in to Cisco APIC as a user with admin privileges.

    For more information, see APIC Roles and Privileges Matrix.

  2. Click Apps.

  3. Under ACI Endpoint Update app, click Open.

  4. Click Edit (edit icon).

  5. Write down the values of Update Interval (In seconds) and Site Prefix.

Required to configure the integration: Find a user with appropriate access

To find a user with at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain:

  1. Log in to Cisco APIC.

  2. Click Admin.

  3. In the left pane, click Users.

  4. In the right pane, double-click the name of a user.

  5. Scroll to Security Domains.

  6. For the relevant security domain, make sure the user has at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain, as the following figure shows.

    Verify the Cisco APIC user defined for the connector has at least the read-all role with readPriv access and the tenant-admin role with writePriv access for retrieving objects from tenants for the relevant security domain

Cisco APIC tenant name

The Cisco APIC tenant name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Write down the name of the tenant that contains objects to send to ASA.

Cisco APIC application profile name

The Cisco APIC application profile name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Double-click the name of your tenant.

  4. Expand your tenant.

  5. Expand Application Profiles.

  6. Write down the name of the application profile that contains EPGs and ESGs to integrate with ASA.

EPG name

The Cisco APIC EPG name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Double-click the name of your tenant.

  4. Expand your tenant.

  5. Expand Application Profiles.

  6. Expand the name of the application profile.

  7. Expand Application EPGs.

  8. Write down the name of the EPG or ESG that has network object groups to send to ASA.

    The following figure shows an example.

    Shows how to locate application EPGs and endpoint security groups in the Cisco APIC console

Example

The following figure shows the values in Cisco APIC.

Sample Cisco APIC management console that shows where to find the tenant name, application profile names, and EPG names

Create a connector

A connector is an interface with a cloud service. The connector retrieves network information from the cloud service so the network information can be used in policies on the Secure Firewall Management Center.

We support the following:

Table 1. List of supported connectors by dynamic attributes connector version and platform

| CSDAC version | AWS | AWS security groups | AWS service tags | Azure | Azure Service Tags | Cisco APIC | Cisco Cyber Vision | Generic Text | GitHub | Google Cloud | Microsoft Office 365 | vCenter | Webex | Zoom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Version 1.1 (on-premises) | Yes | No | No | Yes | Yes | No | No | No | No | No | Yes | Yes | No | No |
| Version 2.0 (on-premises) | Yes | No | No | Yes | Yes | No | No | No | No | Yes | Yes | Yes | No | No |
| Version 2.2 (on-premises) | Yes | No | No | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | No | No |
| Version 2.3 (on-premises) | Yes | No | No | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Version 3.0 (on-premises) | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Version 3.1 (on-premises) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Create a Cisco APIC connector

This topic discusses creating a Cisco APIC connector that gets network object groups from a configured endpoint group (EPG) on Cisco APIC.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 60 seconds.) Interval at which IP mappings are retrieved from Cisco APIC.

We recommend setting this to 15 seconds.

IP or Hostname

Enter the fully-qualified domain name or IP address of the Cisco APIC server from which to retrieve network object groups from EPGs and ESGs.

Do not enter a scheme (such as https://) and do not include a trailing slash.

Add another cluster IP

(Optional.) Enter the IP address of other servers in the Cisco APIC cluster.

Username

Enter the name of a Cisco APIC user with at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain.

Objects from all tenants the user has privileges to can be pushed to ASA.

You can filter the tenants using the Tenants field in the ASA adapter, which you'll configure later in this guide.

Password

Enter the user's password.

Server Certificate

(Recommended if you use a fully-qualified domain name.)

You have the following options:

  • Paste the certificate authority (CA) chain you got as discussed in Manually get a certificate authority (CA) chain.

  • Click Get Certificate > Fetch to automatically fetch the certificate or, if that is not possible, get the certificate manually as discussed in Manually get a certificate authority (CA) chain.

  • Click Get Certificate > Browse from file to upload a certificate chain you downloaded previously.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


What to do next

Create an ASA adapter

Create an ASA adapter

This topic discusses how to create an ASA adapter that creates network object groups on ASA. These network object groups can be used in access rules.


Note


The ASA adapter creates only Cisco APIC network object groups. You cannot create on ASA dynamic objects from other cloud sources, such as Microsoft Outlook 365.


Before you begin

Create a Cisco APIC connector as discussed in Create a Cisco APIC connector.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

Do any of the following:

  • Add a new adapter: click Add icon (add icon), then click the name of the adapter.

  • Edit or delete an adapter: Click More (more icon), then click Edit or Delete at the end of the row.

Note


Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Operative Status

From the list, click one of the following:

  • Running is the normal running state where the integration sends network object groups to ASA.

    In the Running state, the adapter's status is displayed as Ok on the dynamic attributes connector Adapters page.

  • Paused pauses sending network object groups, such as during an upgrade. You can pause and resume sending network object groups at any time; this option preserves the objects already pushed to ASA.

    To resume sending network object groups, edit this adapter again and click Running.

    In the Paused state, the adapter's status is displayed as Disabled on the dynamic attributes connector Adapters page.

  • Paused and Clear stops sending network object groups to ASA and clears any previously sent objects from ASA. After you do this you can delete the adapter if you wish.

    In the Paused and Clear state, the adapter's status is displayed as Disabled on the dynamic attributes connector Adapters page.

APIC Site Prefix

(Required.) Enter a name to use as the prefix for the objects created on ASA. We strongly recommend you use a unique name.

This value must match all of the following:

This value is not case-sensitive.

Tenants

(Required.) Specify the names of one or more Cisco APIC tenants the readPriv user has access to. Objects from only the tenants you specify will be pushed to ASA.

To specify more than one tenant, separate them with a comma character.

IP

(Required.) ASA IP address.

Port

(Required.) ASA TLS/SSL port (default is 443).

User

(Required.) Enter the name of an ASA user with privilege level 15.

Password

(Required.) Enter the user's password.

Security Context

(Optional.) Enter the name of the ASA security context. For more information, see Enabling Multiple Context Mode in the Cisco Security Appliance Command Line Configuration Guide.

Server Certificate

(Optional.) You have the following options:


Edit or delete an ASA adapter

This task discusses the supported way to either edit or delete an ASA adapter. Failure to follow this procedure might mean dynamic objects do not get updated on the ASA device.

Before you begin

Create an ASA adapter as discussed in Create an ASA adapter.


Note


Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.


Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

To change an adapter's configuration:

  1. Click More (more icon), then click Delete.

  2. Follow the prompts to complete the action.

  3. Create another ASA adapter as discussed in Create an ASA adapter.

Step 4

To delete an adapter:

  1. Click More (more icon), then click Delete.

  2. Follow the prompts to complete the action.

    Note


    Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

    Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

    Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.


Manually get a certificate authority (CA) chain

In the event you cannot automatically fetch the certificate authority chain, use one of the following browser-specific procedures to get a certificate chain used to connect securely to vCenter, Firewall Management Center, Cisco APIC, or ASA.

The certificate chain is the root certificate and all subordinate certificates.

You can optionally use one of these procedures to connect to the following:

  • vCenter or NSX

  • Firewall Management Center

  • Cisco APIC

  • ASA

Get a Certificate Chain—Mac (Chrome and Firefox)

Use this procedure to get a certificate chain using the Chrome and Firefox browsers on Mac OS.

  1. Open a Terminal window.

  2. Enter the following command.

    security verify-cert -P url[:port]

    where url is the URL (including scheme) to vCenter, Firewall Management Center, Cisco APIC, or ASA. For example:

    security verify-cert -P https://myvcenter.example.com

    If you access vCenter, Firewall Management Center, Cisco APIC, or ASA using NAT or PAT, you can add a port as follows:

    security verify-cert -P https://myvcenter.example.com:12345

  3. Save the entire certificate chain to a plaintext file.

    • Include all -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters.

    • Exclude any extraneous text (for example, the name of the certificate and any text contained in angle brackets (< and >) as well as the angle brackets themselves).

  4. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or ASA.
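The cleanup rules in step 3 (keep every BEGIN/END delimited block, in order; drop certificate names and angle-bracket text) as a small script. This is an added example, not part of this Cisco guide or of the dynamic attributes connector's own code. It extracts the blocks from a saved copy of the chain, checks that each block decodes to DER beginning with an ASN.1 SEQUENCE tag (the first byte of every X.509 certificate), and emits a file containing only the chain. The sample input is constructed: its base64 bodies are tiny placeholder ASN.1 values, not real certificates, and the file name in the usage comment is hypothetical.

```python
import re
import ssl
import sys

# Constructed sample: a chain pasted from a terminal, with the extraneous text
# the guide says to remove (certificate names and angle-bracket annotations).
# The base64 bodies are placeholder ASN.1 SEQUENCEs, not real certificates.
RAW_CHAIN_TEXT = """\
Certificate: leaf <myvcenter.example.com>
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
Certificate: issuer <Example Root CA>
-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----
<end of chain>
"""

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(
    re.escape(PEM_HEADER) + r"\s*(.*?)\s*" + re.escape(PEM_FOOTER), re.S
)


def extract_pem_blocks(text):
    """Return every certificate block in text, in the order found.

    Only the delimiters and the base64 body survive; anything between blocks
    (titles, angle-bracket text) is dropped, and the body is re-wrapped at
    64 columns, which is what PEM readers expect.
    """
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"{PEM_HEADER}\n{wrapped}\n{PEM_FOOTER}\n")
    return blocks


def der_length(pem_block):
    """Decode one block to DER and return its length in bytes.

    ssl.PEM_cert_to_DER_cert raises ValueError when the delimiters are
    missing. Every X.509 certificate starts with 0x30 (ASN.1 SEQUENCE), so a
    block that decodes to anything else was damaged while being copied.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    if not der or der[0] != 0x30:
        raise ValueError("block does not decode to an ASN.1 SEQUENCE")
    return len(der)


def clean_chain(text):
    """Return the chain with only valid PEM blocks, or raise ValueError."""
    blocks = extract_pem_blocks(text)
    if not blocks:
        raise ValueError(f"no {PEM_HEADER} blocks found")
    for block in blocks:
        der_length(block)
    return "".join(blocks)


if __name__ == "__main__":
    # Usage: python clean_chain.py saved_chain.txt > chain.pem
    # (file names are hypothetical; with no argument the constructed sample is used)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else RAW_CHAIN_TEXT
    cleaned = clean_chain(raw)
    sys.stdout.write(cleaned)
    count = len(extract_pem_blocks(cleaned))
    print(f"{count} certificate(s) in chain", file=sys.stderr)
```

The output file is what you paste into the Server Certificate field or upload with Browse from file; the script only checks that each block is well-formed PEM wrapping DER, not that the chain is trusted or complete, so the order of the blocks must still match the order the browser or the security command produced.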

Get a Certificate Chain—Windows Chrome

Use this procedure to get a certificate chain using the Chrome browser on Windows.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or ASA using Chrome.

  2. In the browser address bar, click the lock to the left of the host name.

  3. Click Certificate.

  4. Click the Certification Path tab.

  5. Click the top (that is, first) certificate in the chain.

  6. Click View Certificate.

  7. Click the Details tab.

  8. Click Copy to File.

  9. Follow the prompts to create a CER-formatted certificate file that includes the entire certificate chain.

    When you're prompted to choose an export file format, click Base 64-Encoded X.509 (.CER) as the following figure shows.

    In the Certificate Export Wizard, select Base 64 encoded X.509 and export the certificate

  10. Follow the prompts to complete the export.

  11. Open the certificate in a text editor.

  12. Repeat the process for all certificates in the chain.

    You must paste each certificate in the text editor in order, first to last.

  13. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or ASA.

Get a Certificate Chain—Windows Firefox

Use the following procedure to get a certificate chain for the Firefox browser on either Windows or Mac OS.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or ASA using Firefox.

  2. Click the lock to the left of the host name.

  3. Click the right arrow (Show connection details). The following figure shows an example.

    In Firefox, show the connection details to see the certificate being used to connect to the FMC

  4. Click More Information.

  5. Click View Certificate.

  6. If the resulting dialog box has tab pages, click the tab page corresponding to the top-level CA.

  7. Scroll to the Miscellaneous section.

  8. Click PEM (chain) in the Download row. The following figure shows an example.

    Get the PEM chain to configure the FMC adapter

  9. Save the file.

  10. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or ASA.