As your number of rules increases, the CPU load will increase as well. While there is no hard and fast limit, I have had experience with a PIX 535 becoming CPU bound due to the size of the ACLs applied, coupled with the complicated NAT rules and hundreds of static routes. In this case, the firewall would occasionally hit max CPU usage during peak traffic periods and start discarding packets.
Deleting ACL entries and cleaning up the config solved the issue in that situation.
It is my understanding that the ASA uses around 20KB for an Access List Entry (ACE). So, the number of ACEs really depends on the memory on the chassis and the other features that you are planning to enable.
Below is the data sheet for the ASA that has information on various ASA platforms and memory.
Adding to what has been said: I have found that many customers don't use object groups, which can reduce the size of the ACLs substantially. The best approach is to create object groups, remove ACL entries with no hits, and place the entries that are hit the most at the top of the ACL .. just my 20 cents ;-)
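The clean-up that post describes (find entries with no hits, spot runs of entries that differ only in destination and could collapse into one object group, and see which entries carry the most traffic) can be done from `show access-list` output. The script below is an added example, not code from the thread or from Cisco; it parses a constructed sample of that output (the ACL name, addresses and hit counts are made up) and reports each of the three findings. It only reads the output; any reordering it suggests is safe only for entries that do not overlap, since moving an overlapping ACE changes which rule matches.

```python
import re

# Constructed sample of `show access-list` output; not captured from a real device.
SAMPLE_OUTPUT = """\
access-list OUTSIDE_IN; 5 elements; name hash: 0x1c2d3e4f
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.10.20.5 eq 443 (hitcnt=48213) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.10.20.6 eq 443 (hitcnt=0) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.10.20.7 eq 443 (hitcnt=9120) 0x3c4d5e6f
access-list OUTSIDE_IN line 4 extended permit udp any host 10.10.20.53 eq 53 (hitcnt=0) 0x4d5e6f70
access-list OUTSIDE_IN line 5 extended deny ip any any (hitcnt=301) 0x5e6f7081
"""

# One expanded ACE per line: name, line number, action, protocol, body, hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


def _take_addr(tokens):
    """Consume one address spec: any | host X | NET MASK | object(-group) NAME."""
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    # "host X", "object X", "object-group X" and "NET MASK" are all two tokens
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _take_port(tokens):
    """Consume an optional port operator (eq/neq/lt/gt take one arg, range takes two)."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens


def parse_access_list(text):
    """Return a list of dicts, one per expanded ACE, with source/destination split out."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # summary lines and object-group headers carry no hitcnt
        tokens = m["body"].split()
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, tokens = _take_addr(tokens)
        dport, _ = _take_port(tokens)
        entries.append({
            "acl": m["acl"], "line": int(m["line"]), "action": m["action"],
            "proto": m["proto"], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "hits": int(m["hits"]),
        })
    return entries


def zero_hit_entries(entries):
    """Line numbers of ACEs that have never matched; candidates for removal."""
    return [e["line"] for e in entries if e["hits"] == 0]


def object_group_candidates(entries):
    """ACEs identical except for destination: one object-group could replace them."""
    groups = {}
    for e in entries:
        key = (e["acl"], e["action"], e["proto"], e["src"], e["dport"])
        groups.setdefault(key, set()).add(e["dst"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


def by_hits(entries):
    """ACEs ordered from most to least hit (stable, so ties keep configured order)."""
    return sorted(entries, key=lambda e: e["hits"], reverse=True)


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_OUTPUT)
    print("never hit:", zero_hit_entries(acl))
    for key, dsts in object_group_candidates(acl).items():
        print("object-group candidate", key, "->", dsts)
    for e in by_hits(acl):
        print(f"line {e['line']:>3} hitcnt={e['hits']:>7} {e['action']} {e['proto']} {e['src']} {e['dst']} {e['dport']}")
```

Hit counters only mean something after a representative traffic window, so clear them, wait through a full business cycle, and only then treat a zero count as "unused".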
I have read somewhere that each element or ACL entry requires about 40-56 bytes, but there is no specific limit as there is in the FWSM, where it is normal to get warnings if you have a huge amount of ACLs.
I would not consider it normal or common on an ASA to have a problem regarding CPU/Memory due to ACLs. I have not seen it before.
Hope that I could help.
Looking for some Networking Assistance?
Contact me directly at firstname.lastname@example.org
I will fix your problem ASAP.
Julio Carvajal Segura