https://community.cisco.com/t5/network-security/object-and-object-group-limits-context-firewall/m-p/3096484#M133174 <P>Hi,</P> <P></P> <P>I have a cisco 5585, software version 9.5(2)2 running in context mode.&nbsp;</P> <P></P> <P>Could someone please tell me the maximum number of objects I can have in a single context firewall, the maximum number of objects I can have in an object group in a single context firewall and how many object groups I can have in each acl?</P> <P></P> <P>Also, is it possible to block IP address ranges by geographical region versus ip host or&nbsp; cidr block addresses?</P> <P></P> <P>Thank you.</P> <P></P> <P></P> <P></P> Tue, 12 Mar 2019 09:50:31 GMT lkadlik 2019-03-12T09:50:31Z https://community.cisco.com/t5/network-security/object-and-object-group-limits-context-firewall/m-p/3096484#M133174 <P>Hi,</P> <P></P> <P>I have a cisco 5585, software version 9.5(2)2 running in context mode.&nbsp;</P> <P></P> <P>Could someone please tell me the maximum number of objects I can have in a single context firewall, the maximum number of objects I can have in an object group in a single context firewall and how many object groups I can have in each acl?</P> <P></P> <P>Also, is it possible to block IP address ranges by geographical region versus ip host or&nbsp; cidr block addresses?</P> <P></P> <P>Thank you.</P> <P></P> <P></P> <P></P> Tue, 12 Mar 2019 09:50:31 GMT https://community.cisco.com/t5/network-security/object-and-object-group-limits-context-firewall/m-p/3096484#M133174 lkadlik 2019-03-12T09:50:31Z https://community.cisco.com/t5/network-security/object-and-object-group-limits-context-firewall/m-p/3096485#M133176 <P>Hi,</P> <P></P> <P>There is no limit for configuring objects in a single context ASA.</P> <P>However, there is a limitation on the number of access-control elements on a specific&nbsp;hardware.</P> <P><SPAN>There is no hard-coded limit on the number of elements (access control entries) in an ACL, which is bound only by memory. Each ACE uses a minimum of 212 bytes of RAM. However maximum performance may decrease (typically by 10 to 15 percent as you reach or exceed the recommended maximum number of ACEs.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Please check the link for ASA 5585 ( Section:&nbsp;</SPAN>What is the maximum ACL limit on ASA)?</P> <P><SPAN>https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/qa_c67-731962.html</SPAN></P> <P><SPAN></SPAN></P> <P>Also, is it possible to block IP address ranges by geographical region versus ip host <G class="gr_ gr_266 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" id="266" data-gr-id="266">or&nbsp; cidr</G> block addresses?</P> <P></P> <P>On ASA you can only use CIDR block to block IP address, only if use Sourcefire module on ASA you would be able to block on geographical region.</P> <P></P> <P></P> <P><SPAN></SPAN></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> <P><SPAN></SPAN></P> Fri, 18 Aug 2017 03:31:47 GMT https://community.cisco.com/t5/network-security/object-and-object-group-limits-context-firewall/m-p/3096485#M133176 Aditya Ganjoo 2017-08-18T03:31:47Z