The Cisco Application Policy Infrastructure Controller (APIC) is a single point of control for centralized functions on the Cisco Application Centric Infrastructure (ACI). The APIC can automate the insertion of services such as a Cisco Adaptive Security Appliance (ASA) northbound between applications, also called endpoint groups (EPGs). The APIC uses northbound Application Programming Interfaces (APIs) for configuring the network and services. You use these APIs to create, delete, and modify a configuration using managed objects.

To configure and monitor service devices, the APIC requires software running on the device known as a device package. The device package manages a class of service device and provides the APIC with information about the device so that the APIC knows what the device can do. By using a device package, you can insert and configure network service functions on a service device such as an ASA.

This document describes how to integrate an ASA with the ACI and configure the APIC to utilize capabilities of the ASA.

Note	If you try to create a configuration that is not supported on your current ASA version, an error similar to the following could appear on the APIC: *Major script error: Configuration error: …. ERROR: % Invalid input detected at '^' marker. See your ASA version documentation for supported features.

When a service function is inserted in the service graph between applications, traffic from these applications is classified by the APIC and identified using a tag in the overlay network. Service functions use the tag to apply policies to the traffic. For the ASA integration with the APIC, the service function forwards traffic using either routed or transparent firewall operation.

Starting with release 1.2(7.8), there are two versions of the Cisco ASA Device Package software for ACI:

• Cisco ASA Device Package software for ACI. This version allows you to configure many important features of the ASA from the APIC, including (but not limited to) the following:

  • Interface

  • Routing

  • Access-list

  • NAT

  • TrustSec

  • Application inspection

  • NetFlow

  • High availability

  • Site-to-site VPN

• Cisco ASA Device Package Fabric Insertion software for ACI. This version contains the following subset of features of the original version:

  • Interface

  • Dynamic routing

  • Static routing

Cisco ASA Device Package software supports only the version of APIC that it is shipped with.

Cisco ASA Device Package software version 1.3(x) supports only APIC versions 3.1(x) and newer. Consequently, 1.3(x) supports the cloud orchestrator mode in 3.1(x), whereas older versions do not.

The following table lists the supported versions of Cisco ASA software for each of the supported platforms:

The following table lists the supported features for the ASAv and the ASA 5585-X. For releases that support BGP and OSPF, see the Cisco ASA Device Package Software, Version 1.2(1) Release Notes.

• Cisco ACI Fundamentals

• Cisco ACI Security Solution

• Cisco APIC Layer 4 to Layer 7 Services Deployment Guide

• Cisco APIC Product Support

• Cisco ASA Series Roadmap

• Cisco Firepower Management Center