Cisco ASA Quick Start Guide for APIC Integration, 1.2(12)
The Cisco Application Policy Infrastructure Controller (APIC) is a single point of control for centralized functions on the Cisco Application Centric Infrastructure (ACI). The APIC can automate the insertion of services such as a Cisco Adaptive Security Appliance (ASA) northbound between applications, also called endpoint groups (EPGs). The APIC uses northbound Application Programming Interfaces (APIs) for configuring the network and services. You use these APIs to create, delete, and modify a configuration using managed objects.
To configure and monitor service devices, the APIC requires software running on the device known as a device package. The device package manages a class of service device and provides the APIC with information about the device so that the APIC knows what the device can do. By using a device package, you can insert and configure network service functions on a service device such as an ASA.
This document describes how to integrate an ASA with the ACI and configure the APIC to utilize capabilities of the ASA.
If you try to create a configuration that is not supported on your current ASA version, an error similar to the following could appear on the APIC:
*Major script error: Configuration error: …. ERROR: % Invalid input detected at '^' marker.
See your ASA version documentation for supported features.
When a service function is inserted in the service graph between applications, traffic from these applications is classified by the APIC and identified using a tag in the overlay network. Service functions use the tag to apply policies to the traffic. For the ASA integration with the APIC, the service function forwards traffic using either routed or transparent firewall operation.
Starting with release 1.2(7.8), there are two versions of the Cisco ASA Device Package software for ACI:
Cisco ASA Device Package software supports only the version of APIC that it is shipped with.
Cisco ASA Device Package 1.3(x) with cloud orchestrator mode is a superset of Cisco ASA Device Package 1.2(x). Customers who want to use cloud orchestrator mode should use Cisco ASA Device Package 1.3(x) and APIC 3.1(x) or newer. Customers who do not want to use cloud orchestrator mode should use Cisco ASA Device Package 1.2(x) and APIC 3.0(x) or older.
When using ASA 9.12(x) and newer, use Cisco ASA Device Package 1.3(12.x) (with cloud orchestrator mode) or 1.2(12.x) (no cloud orchestrator mode) and newer. Otherwise, the integration fails because of caveat CSCvo59053.
The following table lists the supported versions of Cisco ASA software for each of the supported platforms:

Platform                                      Supported ASA software
Cisco ASA 5500-X (5512 through 5555)          ASA 8.4(x) and newer
Cisco ASA 5585-X (SSP 10 through SSP 60)      ASA 8.4(x) and newer
Cisco Firepower 9300 Security Appliance       ASA 9.6(1) and newer
Cisco Firepower 41xx Security Appliance       ASA 9.6(1) and newer
Cisco Firepower 21xx Security Appliance       ASA 9.8(1) and newer
                                              ASA 9.2(x) and newer
The following table lists the supported features for the ASAv and the ASA 5585-X. For releases that support BGP and OSPF, see the Cisco ASA Device Package Software, Version 1.2(1) Release Notes.
ASA 5500-X/5585-X Support
Access lists and access groups