09-04-2022 12:45 AM
We have a use case to integrate a Checkpoint Firewall with Cisco ACI in Policy Based Redirect mode. In this deployment, the firewall will have NAT functionality (private IP to private IP NAT).
In this scenario, I would like to know whether Cisco ACI supports integrating a firewall in PBR mode with NAT functionality. Any suggestion on this would be a great help for me.
Thanks in advance.
09-04-2022 04:58 AM
Technically this is feasible; you only need to do PBR on ACI, the rest will be done by the Checkpoint.
09-04-2022 05:41 AM
Hi Balaji,
Thanks for your response.
If my assumption is correct, to enable NAT functionality in Checkpoint, the FW should be the gateway for the EPGs. Configuring the FW as the default gateway for the EPs requires disabling the Unicast Routing capability on the bridge domain in ACI. ACI would then act as L2.
When it comes to L4-L7 integration of a FW with Cisco ACI in PBR mode, we typically configure the ACI fabric as the gateway for the EPGs. The FWs are deployed on a separate bridge domain (service BD) in one-arm or two-arm mode.
If this is the case, could you please clarify how this can be achieved from a configuration point of view? The requirement is that the FW will do the NATting for EPs to another private IP, and the NATted subnet will be advertised from ACI to the external device.
Thanks.