Ah. See, what I am trying to do is limit access to external services by a geoIPlocator script. Standard stuff w/ htaccess, iptables, and to build dynamically but I have never done this on an ASA. I want to refresh a network object group with about 34000 network objects monthly and corresponding ACL. So, if there isn't a hard limit on the number of network objects that leaves me about 63000 access lists that can be created with that specific object-group. If I follow what you are saying…
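One way to prepare the monthly refresh described above, as an added example and not the poster's own script: it collapses the feed's prefixes before emitting ASA object-group lines (fewer network-objects for the same address space, which is where the memory pressure in this thread comes from), enforces a caller-chosen entry cap, and emits only the delta between two months instead of rebuilding the whole group. The CIDRs are constructed sample data; the group name and cap are assumptions.

```python
import ipaddress

# Constructed sample feed (documentation ranges), standing in for the geoIP output.
SAMPLE_CIDRS = [
    "203.0.113.0/25",
    "203.0.113.128/25",  # adjacent to the previous prefix: both collapse into one /24
    "198.51.100.0/24",
    "198.51.100.0/26",   # already covered by the /24 above: redundant
    "192.0.2.0/24",
]

def summarize(cidrs):
    """Collapse adjacent and overlapping prefixes (per IP version) so the
    object-group carries the fewest network-object entries for the same space."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def entry(net):
    """One network-object line in ASA syntax (host form for a single address)."""
    if net.num_addresses == 1:
        return f"network-object host {net.network_address}"
    return f"network-object {net.network_address} {net.netmask}"

def _order(net):
    return (net.version, net.network_address, net.prefixlen)

def render_object_group(name, nets, max_objects):
    """Full object-group definition; refuses to exceed a tested entry cap so a
    monthly refresh cannot silently push the firewall past it."""
    if len(nets) > max_objects:
        raise ValueError(f"{len(nets)} entries exceed the cap of {max_objects}")
    return "\n".join([f"object-group network {name}"]
                     + [" " + entry(n) for n in sorted(nets, key=_order)])

def refresh_delta(name, old_nets, new_nets):
    """Config lines for a refresh: drop entries gone from the feed and add the
    new ones, rather than re-pushing a 34000-entry group each month."""
    old, new = set(old_nets), set(new_nets)
    lines = [f"object-group network {name}"]
    lines += [" no " + entry(n) for n in sorted(old - new, key=_order)]
    lines += [" " + entry(n) for n in sorted(new - old, key=_order)]
    return lines
```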
Just to add to kevin's point. On a FWSM there is a command to show the acl count in the hardware "sh np x ???". Talk to someone in TAC to find an equivalent command for ASA. That is a very useful command if you are worried about the scalability limits.
I'm not sure that would work because the limits on the FWSM are hard limits imposed by the hardware architecture whereas the limits on the pix boxes are soft limits ie. limits imposed by cpu/memory etc.
I tried to load a 515R, running 7.2.2, with just the network objects, no ACLs, and received nothing but memory allocation errors. The device was pretty much dead. I would receive memory allocation errors and the device would hang intermittently when just pinging it.
I upgraded the device to 8.0.3 and after loading up the 34000 network objects, the pix actually worked. None of the random memory allocation errors, the device didn't hang, and actually passed traffic. The problem came when I actually tried to create an ACL with the object-group, that's where I received memory allocation errors. But I believe that's just because I used all of the available memory.
Used memory reported after creating an ACL w/ object-group: 62007904 bytes (92%)
What's worse it looks like the pix allocated the memory, failed on creating the access-list and didn't give the memory back up.
Used memory before trying to create an ACL w/ object-group: 55402880 bytes (83%)
And with only 16MB of flash, I have a feeling there probably isn't enough room to save the config once the ACLs are made with the corresponding object-groups.
Not having modified the ASA as extensively as the PIX I would assume that it will have the same issues with processing a higher number of network-objects and ACLs.
Should I forget trying this on the ASA/PIX and move to implement this on the edge routers?
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router: