This is Part 2 of Network Virtual Appliances in Azure: Cisco ASAv. In Part 1 we deployed a Citrix VPX load balancer in one-arm mode.
Network Virtual Appliances in Microsoft Azure – Cisco ASAv Deployment
1. Reference Architecture with Citrix VPX Load Balancer and Cisco ASAv Firewall in Microsoft Azure
2. Network Appliance Vendor Ecosystem
Microsoft Azure supports a large ecosystem of third-party network appliance vendors.
These vendor appliances are available in the Azure Marketplace as VM images that you can deploy directly. This eases migration to Azure, and organizations can keep using the skills their teams already have.
3. Current Limitations and Guidelines
Routing in an Azure Virtual Network is determined by the Virtual Network's Effective Routing Table, which is the combination of the existing System Routing Table and the User-Defined Routing Table (UDR).
Note: At the time of writing you cannot view either the Effective Routing Table or the System Routing Table; you can view and edit the User-Defined Routing Table. When the System and
User-Defined tables are combined into the Effective Routing Table, the most specific (longest) prefix wins, and when a user-defined route and a system route have the same prefix, the user-defined route wins.
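To make the two selection rules concrete, here is an added example (not from the original post) that models Azure's choice of effective route in PowerShell: every route whose prefix contains the destination is a candidate, the longest prefix wins, and a user-defined route beats a system route on the same prefix. The route entries are assumed for illustration and mirror the design used later in this post (a default route to the ASAv web interface 10.5.2.8 and a management-subnet bypass for 10.5.1.0/24); the VNet address space 10.5.0.0/16 is an assumption.

```powershell
# Added example (not the original post's code): a model of Azure effective-route
# selection. Route entries are assumed for illustration; 10.5.0.0/16 as the VNet
# address space is an assumption, 10.5.2.8 and 10.5.1.0/24 come from the post.

function ConvertTo-IpUInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # BitConverter is little-endian on x86/x64
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixMatch {
    param([string]$Ip, [string]$Prefix)
    $net, $len = $Prefix.Split('/')
    $len = [int]$len
    if ($len -eq 0) { return $true }    # 0.0.0.0/0 matches everything
    $mask = [uint32](([int64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF)
    return ((ConvertTo-IpUInt32 $Ip) -band $mask) -eq ((ConvertTo-IpUInt32 $net) -band $mask)
}

function Get-EffectiveRoute {
    param([string]$Destination, [object[]]$Routes)
    # Rule 1: longest prefix wins.  Rule 2: on equal prefix length, User beats System.
    $Routes |
        Where-Object { Test-PrefixMatch -Ip $Destination -Prefix $_.Prefix } |
        Sort-Object -Property @{ Expression = { [int]($_.Prefix.Split('/')[1]) }; Descending = $true },
                              @{ Expression = { if ($_.Source -eq 'User') { 0 } else { 1 } } } |
        Select-Object -First 1
}

# System routes Azure installs for a VNet (assumed address space 10.5.0.0/16).
$systemRoutes = @(
    [pscustomobject]@{ Source = 'System'; Prefix = '10.5.0.0/16'; NextHop = 'VnetLocal';        NextHopIp = $null }
    [pscustomobject]@{ Source = 'System'; Prefix = '0.0.0.0/0';   NextHop = 'Internet';         NextHopIp = $null }
)
# User-defined routes on the web subnet: default via the ASAv, management bypasses it.
$userRoutes = @(
    [pscustomobject]@{ Source = 'User';   Prefix = '0.0.0.0/0';   NextHop = 'VirtualAppliance'; NextHopIp = '10.5.2.8' }
    [pscustomobject]@{ Source = 'User';   Prefix = '10.5.1.0/24'; NextHop = 'VnetLocal';        NextHopIp = $null }
)

# Internet destination: both 0/0 routes match, the user route wins the tie.
# Management host: the /24 user route is more specific than the /16 system route.
# Another in-VNet subnet: the /16 system route is more specific than the user 0/0.
foreach ($dst in '8.8.8.8', '10.5.1.10', '10.5.3.10') {
    $r = Get-EffectiveRoute -Destination $dst -Routes ($systemRoutes + $userRoutes)
    "{0,-10} -> {1,-12} via {2} {3}" -f $dst, $r.Prefix, $r.NextHop, $r.NextHopIp
}
```

The third case is why a web VM keeps reaching other subnets in the VNet even after a 0.0.0.0/0 route to the ASAv is added: the system VNet route is more specific, so any traffic you do want inspected between subnets needs its own, equally specific, user-defined route pointing at the appliance.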
4. Cisco ASAv Deployment in Azure
Cisco ASAv in Azure is deployed with 4 NICs; NIC-0 is the management NIC. The Cisco ASAv on Azure guide describes the appliance deployment in detail. Let's first plan how the interfaces will be laid out.
- High-Level Configuration Steps
- Create a New Resource Group
- Verify that the subnets (Mgmt, Outside, Web, DMZ) shown in the diagram above have already been created in the vNet
- Deploy the ASAv from the Marketplace (Cisco ASAv – BYOL 4 NIC)
- Mgmt (NIC-0), Outside (NIC-1), Web (NIC-2), DMZ (NIC-3)
- Review all static IPs
- SSH into the management interface from the bastion host and do the basic ASAv configuration (see the configuration snippets below). Then remove the public IP from the management interface and set the ASAv default route out the outside interface; connectivity to the ASAv will be lost at this point
- Associate a public IP with the outside interface (NIC-1). Also create a secondary IP configuration with its own public IP for the static NAT (PAT) that will later be mapped to the VIP on the load balancer
- Review the four route tables (created automatically by the deployment)
- Associate nn-east-web-subnet-2-ASAv-RouteTable with nn-east-web-subnet-2 (see the screen capture below)
- For web subnet -> management subnet traffic, bypass the ASAv with a route whose next hop is Virtual Network (VnetLocal). See the UDR section for a closer look at the route tables
- Note that no change is required to the Web VMs' default route; the UDR on the subnet steers it
- Create the outbound dynamic NAT (PAT to the outside interface address) on the ASAv
- Create the static NAT (PAT) for the Citrix VPX VIP on the ASAv
- Review All the ASAv NICs
- ASAv Configuration for Inbound and Outbound NAT
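The Azure side of the steps above (route table, subnet association, NIC settings, secondary IP) as an added Azure PowerShell example. This is not the original post's code and not Cisco's template; resource names marked "assumed" are illustrative, while the subnet name, route-table name and IP addresses come from the post. It assumes the Az module and an existing Connect-AzAccount session.

```powershell
# Added example (not the original post's code): UDR and NIC steps for the ASAv
# deployment using the Az PowerShell module. Names marked "assumed" are illustrative.

$rg         = 'nn-east-rg'                           # assumed resource-group name
$vnetName   = 'nn-east-vnet'                         # assumed VNet name
$location   = 'eastus'                               # assumed region
$webSubnet  = 'nn-east-web-subnet-2'                 # from the post
$rtName     = 'nn-east-web-subnet-2-ASAv-RouteTable' # from the post
$outSubnet  = 'nn-east-outside-subnet'               # assumed outside subnet name
$asavWebIp  = '10.5.2.8'                             # ASAv web (NIC-2) address, from the ASAv config
$mgmtPrefix = '10.5.1.0/24'                          # management subnet, from the ASAv config
$asavNicOut = 'nn-asav-Nic1'                         # assumed NIC names (NIC-1 outside, NIC-2 web)
$asavNicWeb = 'nn-asav-Nic2'
$webVmNic   = 'nn-web-vm1-nic'                       # assumed NIC of one Web VM

# 1. Route table: default route to the ASAv, management subnet bypasses it.
#    The deployment normally creates this table already; fall back to creating it.
$rt = Get-AzRouteTable -ResourceGroupName $rg -Name $rtName -ErrorAction SilentlyContinue
if (-not $rt) {
    $rt = New-AzRouteTable -ResourceGroupName $rg -Name $rtName -Location $location
}
$rt = $rt | Add-AzRouteConfig -Name 'default-via-asav' -AddressPrefix '0.0.0.0/0' `
                -NextHopType VirtualAppliance -NextHopIpAddress $asavWebIp
$rt = $rt | Add-AzRouteConfig -Name 'mgmt-bypass-asav' -AddressPrefix $mgmtPrefix `
                -NextHopType VnetLocal
$rt = $rt | Set-AzRouteTable

# 2. Associate the table with the web subnet; the Web VMs' own default route is untouched.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $webSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $webSubnet `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 3. Azure only delivers packets not addressed to a NIC's own IP when IP forwarding
#    is enabled on that NIC. The Marketplace template sets this; verify it, because
#    without it a UDR pointing at the ASAv silently blackholes the web subnet.
foreach ($nicName in $asavNicOut, $asavNicWeb) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    if (-not $nic.EnableIPForwarding) {
        $nic.EnableIPForwarding = $true
        $nic | Set-AzNetworkInterface | Out-Null
    }
}

# 4. Secondary IP 10.5.99.7 on the outside NIC with its own public IP. Azure NATs the
#    public IP 1:1 to 10.5.99.7; the ASAv static NAT then maps it to the VPX VIP 10.5.2.7.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'nn-asav-vip-pip' `
           -Location $location -AllocationMethod Static          # assumed PIP name
$outsideSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $outSubnet
Get-AzNetworkInterface -ResourceGroupName $rg -Name $asavNicOut |
    Add-AzNetworkInterfaceIpConfig -Name 'ipconfig-vip' -Subnet $outsideSubnet `
        -PrivateIpAddress '10.5.99.7' -PublicIpAddress $pip |
    Set-AzNetworkInterface | Out-Null

# 5. Read back what a Web VM NIC actually routes with (newer Az module versions
#    expose the effective routes the post says were not viewable at the time).
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $webVmNic |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress, Source -AutoSize
```

Step 5 is the check to run before declaring the design working: the 0.0.0.0/0 entry with Source User and next hop 10.5.2.8 must appear for the Web VM, and 10.5.1.0/24 must show VnetLocal, otherwise management access from the web tier is now going through the ASAv.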
Cisco ASAv Basic Configuration
! Interface-to-NIC mapping: Management0/0 = NIC-0, GigabitEthernet0/0 = NIC-1 (outside),
! GigabitEthernet0/1 = NIC-2 (web), GigabitEthernet0/2 = NIC-3 (DMZ). The nameif values
! shown are the ones the ACL and NAT configuration below reference.
interface GigabitEthernet0/0
 nameif outside
 ip address 10.5.99.4 255.255.255.0
interface GigabitEthernet0/1
 nameif web
 ip address 10.5.2.8 255.255.255.0
interface GigabitEthernet0/2
 ! DMZ, left administratively down; if brought up, 'setroute' would install a
 ! DHCP-learned default route competing with the static default route on outside
 ip address dhcp setroute
 shutdown
interface Management0/0
 management-only
 ip address 10.5.1.5 255.255.255.0
nn-asav# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.5.99.4 YES manual up up
GigabitEthernet0/1 10.5.2.8 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down up
Management0/0 10.5.1.5 YES manual up up
Routing and ACLs (demo purposes only; do not use this ACL in production!)
access-list allow-all extended permit ip any4 any4
route outside 0.0.0.0 0.0.0.0 10.5.99.1
access-group allow-all in interface outside
access-group allow-all in interface web
Cisco NAT Configuration
! Outbound: the whole web subnet is PAT'ed to the outside interface address (10.5.99.4)
object network web-subnet
 subnet 10.5.2.0 255.255.255.0
 nat (web,outside) dynamic interface
! Inbound: 10.5.99.7 (secondary IP on the outside NIC, with its own Azure public IP)
! is translated 1:1 to the Citrix VPX VIP 10.5.2.7 on the web subnet
object network rgb-VIP-outside
 host 10.5.99.7
object network rgb-VIP-web
 host 10.5.2.7
 nat (web,outside) static rgb-VIP-outside
- Putting it all together – Traffic Flow with the User-Defined Routes in Place
- Orange line: outbound traffic from the Web VM via the system routes (default route straight to the Internet, bypassing the ASAv)
- Green line: outbound traffic from the Web VM via the ASAv, steered by the UDR (0.0.0.0/0 with the ASAv web interface as next hop) and then dynamic NAT to the outside interface address
- Blue line: incoming traffic: Azure public IP (Azure 1:1 NAT) -> 10.5.99.7 (secondary IP on the ASAv outside interface) -> ASAv static NAT -> 10.5.2.7 (VIP on the load balancer)