I'm trying to find out what the maximum amount of ACE's allowed to be entered in a Single ACL for the ASA5505 with Security + IOS. I've scoured the Internet, searched Cisco documentation and found nothing that would necessarily help me.
What I'm trying to find out is whether denying all IP traffic and only permitting US IP Subnets into my network is feasible or not.I've come up with a list of US IP's to be roughly 45800 subnets (accurate as of last month). So the inbound ACL in a nutshell would be "permit US subnets" "deny anything else"
That will at least keep the scan attacks down to a minimum and if they use proxies from US servers, I can address them as they try to attack my network.
Re: ASA5505 Security + IOS: Maximum ACE Allowance?
Thanks for the reply. I know at the 20K ACE limit, some ISP Grade routers run out of TCAMs (I believe they were Cisco12ks and ASR9010's) and basicaly once all TCAMs are allocated, any ACE's that didn't get loaded near the end of the ACL are not being actively filtered. I've read places across the net where a single ace is 173 bytes and it's all a factor of how much memory you have available for the ACE to be placed into the ASA; however, with my past issues with the routers, I find it hard to believe you can have 300k ACE's that would consume only 512MB of RAM. Even if it took them in memory, the CPU wouldn't be able to use that list for filtering in a timely manner.
There has to be a formula especially when you want to harden your firewall with a hefty ACL blocking country IP space or just allowing your country to talk inwards.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...