Hi Robert,

Thanks for the useful links. Please see below diagram and looking for some help.

Would like to connect ASA for north south traffic and to host DMZ there.

so would like to know how firewall should be physically connected to leaf switches ?

Traffic flow -

ACI  ——> Firewall ——> router —— internet

for DMZ ——

internet ——> router —-> firewall (dmz) —-> ACI

You can connect ASA to ACI in several scenarios: 

You can connect via vPC, Port Channel, or one port. 
In the vPC scenario, at least 2 different ports on  ASA are connected to ports on 2 different leaf switches.
In the PC scenario, Some port channeled ports on ASA connected to one leaf switch ports.
and finally, in one port connection, I think everything is clear. 

After physical connectivity, you need to configure l3Out and choose your routing protocol using APIC GUI or CLI.

if you need any additional information, do not hesitate.

Regards

Thanks for the reply, please see below and help.

Hi @Pankaj_Agrawal 

1 - The interfaces should be in port-channel, also in ACI you should configure SVI if you want to establish vPC

2- You need Transit Routing 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/aci-fundamentals/Cisco-ACI-Fundamentals-42x/Cisco-ACI-Fundamentals-41X_chapter_0111.html


Regards,
Ali