Network Virtual Appliances in Azure: Cisco ASAv – Part-2

Azure Traffic Flow ASAv

“Coming together is the Beginning. Keeping together is Progress.  Working together is Success.”  -Henry Ford


This is Part-2 of Network Virtual Appliances in Azure: Cisco ASAv. In Part-1 we deployed a Citrix VPX load balancer in one-arm mode.

Network Virtual Appliances in Microsoft Azure – Cisco ASAv Deployment

1. Reference Architecture with Citrix VPX Load Balancer and Cisco ASAv Firewall in Microsoft Azure

Citrix VPX Load Balancer and Cisco ASAv Firewall in Azure - Reference Architecture

2. Network Appliance Vendor Ecosystem

Microsoft Azure supports a large ecosystem of third party network appliance vendors.

Azure Network Appliance Vendor Ecosystem

These vendor appliances are available in Azure Marketplace as VM Images that you could readily deploy. This facilitates migration to Azure, and organizations can continue to use the skills the team already has.

3. Current Limitations and Guidelines

ASAv and Azure Routing

Routing in an Azure Virtual Network is determined by the Virtual Network’s Effective Routing Table. The Effective Routing Table is a combination of an existing System Routing Table and the User-Defined Routing Table.

Note: Currently you cannot view either the Effective Routing Table or the System Routing Table. You can view and edit the User-Defined Routing Table. When the System table and the User-Defined tables are combined to form the Effective Routing Table, the most specific route wins, and ties go to the User-Defined Routing Table.

4. Cisco ASAv Deployment in Azure

Cisco ASAv in Azure is deployed with 4 NICs; NIC-0 is the management NIC. This Cisco ASAv on Azure guide describes the network appliance deployment in detail. Let's first plan how the interfaces are going to look.

Cisco ASAv High Level Configuration Steps
  • High-Level Configuration Steps
  1. Create a New Resource Group
  2. Verify that the subnets (Mgmt, Outside, Web, DMZ) are already created in the vNets as shown in the diagram above
  3. Deploy ASAv From Marketplace (Cisco ASAv – BYOL 4 NIC)
  4. Mgmt (NIC-0), Outside (NIC-1), Web (NIC-2), DMZ (NIC-3)
  5. Review All Static IPs
  6. SSH into the management interface from the Bastion Host to do basic ASAv configuration (see configuration snippets below). Remove the Public IP from the management interface. Set the default route on the ASAv out the outside interface. You will lose connectivity to the ASAv
  7. Associate the Outside NIC-1 interface with a Public IP. Also create a secondary Public IP for PAT, which will be mapped to the VIP on the load balancer later
  8. Review the Four Route Tables (Automatically Created)
  9. Associate “nn-east-web-subnet-2-ASAv-RouteTable” to nn-east-web-subnet-2. See screen capture below
  10. For Web subnet -> Management subnet, bypass the ASAv with Virtual Network as the next hop. Review the UDR section for a closer look at route tables
  11. Notice that no change is required on the Web VMs' default route
  12. Create Outbound Dynamic NAT on the ASAv
  13. Create PAT for the Citrix VPX VIP on the ASAv
  • Review All the ASAv NICs
ASAv – NIC-0 (Management NIC)
ASAv – NIC-1 (Outside Interface)
ASAv – NIC-2 (Web Interface)
ASAv NIC-1 outside interface
ASAv NIC-1: Associate the NIC with a Public IP address. Add a secondary IP on the Outside network and map it to a Public IP
Four Route Tables, one for each of the ASAv subnets
By default the subnets are not associated with the Route Table
For each of the subnets, ASAv is the next hop
  • ASAv Configuration for Inbound and Outbound NAT

  • Putting it all together – Traffic Flow with the User-Defined Routes in Place
    1. Orange Line: Outbound traffic from the Web VM via system routes
    2. Green Line: Outbound traffic from the Web VM via ASAv using UDRs
    3. Blue Line: Incoming traffic via the Public IP (Azure NAT) -> 10.5.99.7 (outside interface on the ASAv) -> ASAv NAT -> 10.5.2.7 (VIP on the LB)
Azure Traffic Flow ASAv
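The route-selection rule from the "ASAv and Azure Routing" section (most specific prefix wins, exact-prefix ties go to the User-Defined Route) is what turns the orange flow into the green flow once the web subnet's UDRs are in place, and what lets Web -> Management bypass the ASAv. The following Python model is an added example, not code from the original post or from Azure or Cisco. It resolves the flows above against a constructed system table and a constructed UDR table; the VNet range 10.5.0.0/16, the subnet ranges, the ASAv web-interface address 10.5.2.4 and the external host 203.0.113.10 are assumptions, and only the flow colours come from the post.

```python
"""Model of how an Azure subnet's effective routing table is built.

Added illustration, not code from the original post or from Azure/Cisco.
It implements the rule the post states: system routes and user-defined
routes (UDRs) are merged, the most specific prefix wins, and an
exact-prefix tie goes to the UDR. All address values are constructed
(assumed VNet 10.5.0.0/16, assumed ASAv web NIC 10.5.2.4).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination CIDR
    next_hop: str                      # VirtualNetwork, Internet or VirtualAppliance
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    origin: str = "System"             # "System" or "User"


def effective_table(system_routes, user_routes):
    """Merge system and user-defined routes into one effective table.

    A UDR with exactly the same prefix as a system route replaces it;
    this is the tie-break described in the post.
    """
    merged = {ip_network(r.prefix): r for r in system_routes}
    for r in user_routes:
        merged[ip_network(r.prefix)] = r
    return list(merged.values())


def lookup(table, destination):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ip_address(destination)
    matches = [r for r in table if dst in ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)


# Constructed tables for the web subnet (10.5.2.0/24) of an assumed 10.5.0.0/16 VNet.
SYSTEM_ROUTES = [
    Route("10.5.0.0/16", "VirtualNetwork"),   # intra-VNet traffic
    Route("0.0.0.0/0", "Internet"),           # default egress via Azure
]
WEB_SUBNET_UDRS = [
    Route("0.0.0.0/0", "VirtualAppliance", "10.5.2.4", "User"),    # default via ASAv web NIC
    Route("10.5.3.0/24", "VirtualAppliance", "10.5.2.4", "User"),  # DMZ subnet via ASAv
    Route("10.5.0.0/24", "VirtualNetwork", None, "User"),          # mgmt subnet bypasses ASAv (step 10)
]


def trace_flows():
    """Resolve the flows from the diagram against both tables."""
    system_only = effective_table(SYSTEM_ROUTES, [])
    with_udrs = effective_table(SYSTEM_ROUTES, WEB_SUBNET_UDRS)
    external = "203.0.113.10"  # constructed Internet host (TEST-NET-3)
    return {
        "orange_outbound_system": lookup(system_only, external),
        "green_outbound_udr": lookup(with_udrs, external),
        "web_to_mgmt_bypass": lookup(with_udrs, "10.5.0.5"),
        "web_to_dmz_via_asav": lookup(with_udrs, "10.5.3.5"),
        "web_to_web_local": lookup(with_udrs, "10.5.2.9"),
    }


if __name__ == "__main__":
    for name, route in trace_flows().items():
        hop = route.next_hop_ip or ""
        print(f"{name:24} -> {route.next_hop} {hop} [{route.origin} {route.prefix}]")
```

Run it and the orange flow resolves to the Internet system route while the green flow resolves to the ASAv, because the UDR 0.0.0.0/0 replaces the system default on the tie; Web -> DMZ reaches the ASAv because the /24 UDR is more specific than the /16 system VNet route, and Web -> Management stays inside the VNet for the same reason.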

Nehali Neogi

Principal Network Engineer at Navisite

Nehali Neogi is a Principal Engineer at Navisite, leading many of their global initiatives on building the next generation of hybrid cloud services. She enjoys designing and architecting reliable and highly available solutions for Navisite's clients. She is the resident expert on all things networking and beyond for VMware NSX, Cisco, and Azure based Hybrid Cloud offerings. Her interests are cloud technologies, Software Defined Networking, full stack engineering, and realizing the transition to DevOps and system automation. Nehali holds an Expert Level Certification in VMware NSX (VCIX-NV) and a Masters in Computer Engineering from UMass Lowell.