Server -> ASA -> Internet with NAT

chris.gatch1
Level 1

I'm looking for guidance implementing Internet connectivity for a host within an EPG out to the Internet by way of an ASA. I am implementing a service provider model with a customer per tenant, an ASA firewall per tenant, and a shared Internet edge router.

Customer host(s) are configured in an EPG inside the customer's tenant.

The Internet routers, dual ASRs, are connected to the fabric on one set of interfaces and out to the Internet via another set of interfaces. In other words, only the inside interfaces of the Internet routers are connected to the fabric. I have successfully built a L3 Out to these ASRs using an SVI on the fabric. OSPF comes up, the APIC exchanges routes with the ASRs, and I can ping back and forth. It's the ASA insertion where it all goes wrong.

My servers are in private IP address space, so I need to NAT on the way out to the Internet.

The IP addresses used to NAT each customer are different from the subnet on the outside of my Internet router. I would like to use something like a loopback to be able to NAT using a /30 per tenant/customer.

Each customer's ASA is a single ASA connected to two leaf nodes via a VPC.

Questions:

Should I configure the ASA in transparent mode or routed mode?

If transparent, has anyone successfully implemented NAT on the ASA in transparent mode?  Would I implement the ASR as a Layer 3 Out and then insert the ASA with a service graph on the contract between the layer 3 out EPG and the server EPG?

If routed mode, do I use two layer 3 outs from the same VRF/private network?  One for the ASA and one for the ASR?  

If anyone has successfully implemented this use case can you share a high level summary of how you stitched it together?
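As an illustration of the per-tenant NAT requirement described in the post (private server space translated to a dedicated /30 per customer), the following is an added ASA configuration fragment; it is not part of the original post or any reply, and it assumes routed mode. The tenant name CUST_A, the VLAN IDs, the port-channel interface, and all addresses (RFC 1918 and RFC 5737 documentation ranges) are hypothetical placeholders.

```text
! Added example (not from the original post): one tenant's ASA in routed mode.
! Tenant name, interfaces, VLANs and all IP addresses are hypothetical.
!
! Inside interface faces the customer's server EPG through the vPC to the two leaves.
interface Port-channel1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
! Outside interface faces the fabric VRF that carries the L3 Out to the ASRs.
interface Port-channel1.200
 vlan 200
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Default route toward the Internet edge (the ASR side of the L3 Out).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! The per-tenant public /30 (203.0.113.0/30) is used only as a NAT pool; it is
! not an interface subnet on the ASA, so the ASR side must have a route for
! 203.0.113.0/30 pointing at the ASA outside address 192.0.2.2.
object network CUST_A_PAT_POOL
 range 203.0.113.1 203.0.113.2
!
! Servers in the customer EPG, translated with PAT from the pool on the way out.
object network CUST_A_SERVERS
 subnet 10.100.0.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool CUST_A_PAT_POOL
!
! Inside-to-outside initiation is allowed by the security levels; outside-to-inside
! initiation is denied unless an explicit access-list permits it.
```

The two usable addresses of the /30 are both placed in the pool so that the port range available for PAT is doubled per tenant; because the pool is not an interface subnet, return traffic only reaches the ASA if the upstream ASRs route the /30 toward the ASA's outside interface.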
