Hi Guys,
I'm in a bit of a hurdle with a customer tenant, which i'm hoping you can bring some helping light on.
Design is pretty straight-forward. One Tenant, 2 VRF (Inside, DMZ), 3 x l3out for BGP peering with ISP, and hardware firewalls Inside and DMZ interfaces.
The customer then have some external consultants, which need VPN access. We created a ASAv - cheaper license and faster deployment, and connected the inside interface to and inside distributed EPG, and Outside interface to an Outside EPG.
Now all is good, from my VPN I can ping All inside servers, and ping outside. But when i access the VPN from outside, i can't. Soo, this also make sense. All Servers has ACI BridgeDomain as Gateway, and here we have an L3-out, sending traffic to hardware firewall.
To i tried changing GW for a client to th ASAv. Now I can connect when accessing anyconnect...
The ultimate fix would be to BGP peer with the ASAv, but because it's virtual I can't do any physical LINKNET peering from ACI to the firewall. I then searched for some Static routing options. If i could just tell the BridgeDomain or the L3-out/ LEAFs that "(VPN traffic-192.168.x.x)", should to a different next hop, all would be good, but im pretty lost right now.
I also check the service graph option out, but that seems to throw all end points in the EPG to the service you've configured.
So guys, please give me some new refreshing ideas on how I can fix this, it would be so appreciated !
BR
Morten
