Network Virtual Appliances in Azure : Cisco ASAv – Part-2
This is Part-2 of Network Virtual Appliances in Azure: Cisco ASAv. In Part-1 we deployed a Citrix VPX load balancer in one-arm mode; this part adds the Cisco ASAv firewall in front of it.
Network Virtual Appliances in Microsoft Azure – Cisco ASAv Deployment
1. Reference Architecture with Citrix VPX Load Balancer and Cisco ASAv Firewall in Microsoft Azure

2. Network Appliance Vendor Ecosystem
Microsoft Azure supports a large ecosystem of third-party network appliance vendors.
These vendor appliances are available in the Azure Marketplace as VM images that can be deployed directly. This eases migration to Azure, and organizations can keep using the firewall and load-balancer skills their teams already have.
3. Current Limitations and Guidelines
ASAv and Azure Routing
Routing for each subnet in an Azure Virtual Network is determined by the subnet's Effective Routing Table. The Effective Routing Table is the combination of the System Routing Table (the routes Azure creates by default, such as the VNet-local and Internet routes) and the User-Defined Routing Table (UDR) you attach to the subnet.
Note: At the time of writing you cannot view either the Effective Routing Table or the System Routing Table; you can only view and edit the User-Defined Routing Table. When the System table and the User-Defined table are combined to form the Effective Routing Table, the most specific (longest) prefix wins, and a tie between a system route and a user-defined route for the same prefix goes to the User-Defined route. This is what lets a UDR for 0.0.0.0/0 override Azure's own default Internet route and send the web subnet's traffic to the ASAv instead.
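The selection rule above is easy to get wrong when a route table mixes default, VNet-wide and bypass routes, so here is a small model of it as an added example (not code from the original post or from Cisco/Microsoft). It builds the effective table for the web subnet the way Azure does (same-prefix system routes are overridden and shown as Invalid) and then resolves a few destinations by longest prefix. The addressing follows the page (10.5.1.0/24 management, 10.5.2.0/24 web, 10.5.99.0/24 outside, ASAv web interface 10.5.2.8); the VNet address space 10.5.0.0/16 and the assumed VNet-wide route to the ASAv are constructed, not taken from the page.

```python
import ipaddress

# Azure tie-break when two routes have the same prefix: user-defined first,
# then BGP, then system routes.
PRIORITY = {"UserDefined": 0, "BGP": 1, "System": 2}

# Constructed tables using the page's addressing. The VNet address space
# 10.5.0.0/16 and the exact contents of the Marketplace-created route table
# are assumptions, not taken from the page.
SYSTEM_ROUTES = [
    ("10.5.0.0/16", "VnetLocal", None),   # default VNet route Azure creates
    ("0.0.0.0/0", "Internet", None),      # default Internet route Azure creates
]
WEB_SUBNET_UDR = [
    ("0.0.0.0/0", "VirtualAppliance", "10.5.2.8"),    # Internet-bound via ASAv web interface
    ("10.5.0.0/16", "VirtualAppliance", "10.5.2.8"),  # assumed: other subnets via ASAv too
    ("10.5.1.0/24", "VnetLocal", None),               # management subnet bypasses the ASAv
]


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def effective_routes(system_routes, udr_routes):
    """Build the effective route table for a subnet: all routes are kept, but when
    a system route shares its prefix with a user-defined route, the system route
    is marked Invalid (this is how the Azure portal displays the override)."""
    merged = [{"prefix": p, "hop": h, "ip": ip, "source": "System", "state": "Active"}
              for p, h, ip in system_routes]
    merged += [{"prefix": p, "hop": h, "ip": ip, "source": "UserDefined", "state": "Active"}
               for p, h, ip in udr_routes]
    for r in merged:
        for other in merged:
            if (r is not other and _net(r["prefix"]) == _net(other["prefix"])
                    and PRIORITY[other["source"]] < PRIORITY[r["source"]]):
                r["state"] = "Invalid"
    return merged


def lookup(dst, system_routes, udr_routes):
    """Return (prefix, next_hop_type, next_hop_ip, source) for a destination:
    longest prefix wins among Active routes; equal prefixes were already decided
    by source priority in effective_routes()."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in effective_routes(system_routes, udr_routes)
                  if r["state"] == "Active" and addr in _net(r["prefix"])]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (_net(r["prefix"]).prefixlen, -PRIORITY[r["source"]]))
    return best["prefix"], best["hop"], best["ip"], best["source"]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.5.1.5", "10.5.99.4", "10.5.2.9"):
        print(dst, "->", lookup(dst, SYSTEM_ROUTES, WEB_SUBNET_UDR))
    print("without the UDR:", lookup("8.8.8.8", SYSTEM_ROUTES, []))
```

Two things worth noticing when you run it: 8.8.8.8 matches both 0.0.0.0/0 routes and the UDR wins the tie, while 10.5.1.5 reaches the management subnet through VnetLocal because the /24 bypass is more specific than the assumed /16 route to the ASAv. A UDR that covers the web subnet's own prefix also applies to traffic between VMs inside that subnet, so a VNet-wide route to the appliance pulls east-west traffic within 10.5.2.0/24 through the ASAv as well; add a VnetLocal route for the subnet itself if that is not what you want.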
4. Cisco ASAv Deployment in Azure
Cisco ASAv in Azure is deployed with four NICs; NIC-0 is the management NIC. The Cisco ASAv on Azure guide describes the appliance deployment in detail. Before deploying, plan how the interfaces are going to be laid out.
- High-Level Configuration Steps
- Create a New Resource Group
- Verify that the subnets (Mgmt, Outside, Web, DMZ) have already been created in the vNet as shown in the diagram above
- Deploy ASAv From Market Place (Cisco ASAv – BYOL 4 NIC)
- Mgmt (NIC-0), Outside (NIC-1), Web(NIC-2), DMZ(NIC-3)
- Review All Static IPs
- SSH into the management interface from the bastion host and do the basic ASAv configuration (see the configuration snippets below). Then remove the public IP from the management interface and set the ASAv default route out the outside interface. Once the default route points out the outside interface, return traffic for the management session no longer leaves via the management NIC, so direct connectivity to the ASAv's management public IP is lost; keep managing it from the bastion host on the management subnet.
- Associate the outside interface (NIC-1) with a public IP. Also create a secondary public IP for the static NAT that will be mapped to the VIP on the load balancer later. Azure's instance-level public IP is a one-to-one NAT to the NIC's private IP, so the second public IP needs a second (secondary) private IP on the outside NIC (10.5.99.7 in the configuration below).
- Review the four route tables (created automatically by the deployment)
- Associate "nn-east-web-subnet-2-ASAv-RouteTable" with nn-east-web-subnet-2. See the screen capture below
- For Web subnet -> Management subnet traffic, bypass the ASAv by adding a route with Virtual Network as the next hop. See the UDR section for a closer look at the route tables
- Note that no change is required on the Web VMs' default route: the UDR attached to the subnet redirects their traffic to the ASAv transparently
- Create outbound dynamic NAT on the ASAv
- Create the static NAT for the Citrix VPX VIP on the ASAv
- Review all the ASAv NICs. IP forwarding must be enabled on every NIC that forwards traffic (the web and outside NICs here); without it Azure drops packets whose destination is not the NIC's own address, and the UDR next hop silently stops working
- ASAv Configuration for Inbound and Outbound NAT
Cisco ASAv Basic Configuration

The management interface first takes its address from Azure DHCP ("setroute" installs a default route via the management subnet so the initial SSH session works); it is then given the static address 10.5.1.5 as planned above. The outside interface is left at the default security level 0; the web interface is the trusted side at 100.

    hostname nn-asav
    !
    interface GigabitEthernet0/0
     nameif outside
     ip address 10.5.99.4 255.255.255.0
     no shut
    !
    interface GigabitEthernet0/1
     nameif web
     security-level 100
     ip address 10.5.2.8 255.255.255.0
     no shut
    !
    interface Management0/0
     nameif management
     security-level 0
     ip address dhcp setroute
    !
    interface Management0/0
     ip address 10.5.1.5 255.255.255.0

    nn-asav# sh interface ip brief
    Interface              IP-Address   OK? Method Status                Protocol
    GigabitEthernet0/0     10.5.99.4    YES manual up                    up
    GigabitEthernet0/1     10.5.2.8     YES manual up                    up
    GigabitEthernet0/2     unassigned   YES unset  administratively down up
    Management0/0          10.5.1.5     YES manual up                    up

Routing and ACLs (demo purposes only, do not use this ACL in production!)

The default route points at 10.5.99.1, the Azure gateway address of the outside subnet. The allow-all ACL is applied inbound on both interfaces, which means anything that reaches the outside interface and matches a NAT rule is forwarded into the web subnet; in production the outside ACL should permit only the VIP's real address and service ports.

    access-list allow-all extended permit ip any4 any4
    route outside 0.0.0.0 0.0.0.0 10.5.99.1
    access-group allow-all in interface outside
    access-group allow-all in interface web

Cisco NAT Configuration

Dynamic NAT (outbound: the web subnet is PATed to the outside interface address 10.5.99.4):

    object network web-subnet
     subnet 10.5.2.0 255.255.255.0
     nat (web,outside) dynamic interface

Static NAT (inbound: 10.5.99.7 on the outside side is mapped one-to-one to the Citrix VPX VIP 10.5.2.7 on the web side):

    object network rgb-VIP-outside
     host 10.5.99.7
    object network rgb-VIP-web
     host 10.5.2.7
     nat (web,outside) static rgb-VIP-outside
- Putting it all together – Traffic Flow with the User-Defined Routes in Place
- Orange Line: Outbound traffic from the Web VM via system routes (without the UDR, the Azure default route sends it straight to the Internet, bypassing the ASAv)
- Green Line: Outbound traffic from the Web VM via the ASAv using UDRs (dynamic NAT to 10.5.99.4, then Azure maps 10.5.99.4 to the outside NIC's primary public IP)
- Blue Line: Inbound traffic: client -> public IP (Azure one-to-one NAT) -> 10.5.99.7 (secondary private IP on the ASAv outside NIC) -> ASAv static NAT -> 10.5.2.7 (VIP on the Citrix VPX)
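The three flows above pass through two NAT layers (Azure's one-to-one public IP mapping and the ASAv object NAT), and the interesting cases are the ones the diagram cannot show: which ASA rule wins for the VIP's own outbound traffic, why unsolicited inbound traffic to the PAT address is dropped, and how return traffic of a PAT flow is untranslated. The following is an added walk-through of the page's NAT configuration as a small simulation; it is not code from the original post or from Cisco. The public IPs (198.51.100.4 and 198.51.100.7) and the client address are constructed, the PAT port allocator is simplified to a counter, and the outside-in ACL shown is a hardened replacement for the page's demo "permit ip any4 any4", assumed to allow HTTPS only.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed public IPs (TEST-NET-2); the page does not give the real ones.
# Azure instance-level public IPs are a one-to-one NAT, no port translation.
AZURE_PIP_NAT = {"198.51.100.4": "10.5.99.4",   # primary IP of the outside NIC
                 "198.51.100.7": "10.5.99.7"}   # secondary IP of the outside NIC

# Object NAT rules taken from the page's configuration: (kind, real network, mapped address).
ASA_OBJECT_NAT = [
    ("dynamic", "10.5.2.0/24", "10.5.99.4"),  # nat (web,outside) dynamic interface
    ("static", "10.5.2.7/32", "10.5.99.7"),   # nat (web,outside) static rgb-VIP-outside
]

# Hardened replacement for the demo allow-all ACL on the outside interface.
# ASA 8.3+ evaluates ACLs on real (untranslated) addresses, so the rule names
# the VPX VIP 10.5.2.7, not the mapped 10.5.99.7. HTTPS only is an assumption.
OUTSIDE_IN_ACL = [("0.0.0.0/0", "10.5.2.7/32", 443)]


def ordered_object_nat(rules):
    """ASA section-2 (object NAT) ordering: static before dynamic, then fewer addresses first."""
    return sorted(rules, key=lambda r: (r[0] != "static", ipaddress.ip_network(r[1]).num_addresses))


def acl_permits(p, acl=OUTSIDE_IN_ACL):
    return any(ipaddress.ip_address(p.src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(p.dst) in ipaddress.ip_network(d)
               and p.dport == port for s, d, port in acl)


class Path:
    def __init__(self):
        self.xlate = {}         # (mapped_ip, mapped_port) -> (real_ip, real_port) for PAT flows
        self.next_port = 1024   # simplified PAT port allocator

    def azure_inbound(self, p):
        return replace(p, dst=AZURE_PIP_NAT[p.dst]) if p.dst in AZURE_PIP_NAT else None

    def azure_outbound(self, p):
        rev = {v: k for k, v in AZURE_PIP_NAT.items()}
        return replace(p, src=rev[p.src]) if p.src in rev else None

    def asa_web_to_outside(self, p):
        """First matching object NAT rule in ASA order translates the source."""
        src = ipaddress.ip_address(p.src)
        for kind, real, mapped in ordered_object_nat(ASA_OBJECT_NAT):
            if src in ipaddress.ip_network(real):
                if kind == "static":
                    return replace(p, src=mapped)
                port, self.next_port = self.next_port, self.next_port + 1
                self.xlate[(mapped, port)] = (p.src, p.sport)
                return replace(p, src=mapped, sport=port)
        return p

    def asa_outside_to_web(self, p):
        """New connection from outside: only a static rule can untranslate the destination."""
        for kind, real, mapped in ordered_object_nat(ASA_OBJECT_NAT):
            if kind == "static" and p.dst == mapped:
                return replace(p, dst=str(ipaddress.ip_network(real).network_address))
        return None   # dynamic PAT creates no inbound mapping, so the packet is dropped


def inbound(path, p):
    """Client -> public IP -> ASAv outside -> web. Returns the packet on the web segment or None."""
    p = path.azure_inbound(p)
    if p is None:
        return None
    if (p.dst, p.dport) in path.xlate:            # return traffic of a PAT flow: stateful, no ACL
        real_ip, real_port = path.xlate[(p.dst, p.dport)]
        return replace(p, dst=real_ip, dport=real_port)
    p = path.asa_outside_to_web(p)                # new connection: static NAT, then the ACL
    return p if p and acl_permits(p) else None


def outbound(path, p):
    """Web VM -> ASAv (object NAT) -> Azure public IP mapping. Returns the packet on the Internet or None."""
    return path.azure_outbound(path.asa_web_to_outside(p))


if __name__ == "__main__":
    path = Path()
    print("to VIP     :", inbound(path, Pkt("203.0.113.10", "198.51.100.7", 40000, 443)))
    print("to PAT addr:", inbound(path, Pkt("203.0.113.10", "198.51.100.4", 40000, 443)))
    print("web VM out :", outbound(path, Pkt("10.5.2.20", "8.8.8.8", 50000, 53)))
    print("VIP out    :", outbound(path, Pkt("10.5.2.7", "8.8.8.8", 50000, 80)))
    print("PAT return :", inbound(path, Pkt("8.8.8.8", "198.51.100.4", 53, 1024)))
```

The static rule for 10.5.2.7 sorts ahead of the /24 dynamic rule, so the VPX VIP's own outbound connections leave as 10.5.99.7 (and therefore as the second public IP), not as the interface PAT address; that matters if an upstream allow-list expects the VIP's traffic on a particular public IP. The inbound test to 198.51.100.4 shows that the PAT address accepts only return traffic with an existing xlate, while the ACL check shows what the demo allow-all rule was letting through: any port on the VIP.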