object and object group limits - context firewall

lkadlik · ‎08-17-2017

Hi,

I have a cisco 5585, software version 9.5(2)2 running in context mode.

Could someone please tell me the maximum number of objects I can have in a single context firewall, the maximum number of objects I can have in an object group in a single context firewall and how many object groups I can have in each acl?

Also, is it possible to block IP address ranges by geographical region versus ip host or cidr block addresses?

Thank you.

Aditya Ganjoo · ‎08-17-2017

Hi,

There is no limit for configuring objects in a single context ASA.

However, there is a limitation on the number of access-control elements on a specific hardware.

There is no hard-coded limit on the number of elements (access control entries) in an ACL, which is bound only by memory. Each ACE uses a minimum of 212 bytes of RAM. However maximum performance may decrease (typically by 10 to 15 percent as you reach or exceed the recommended maximum number of ACEs.

Please check the link for ASA 5585 ( Section: What is the maximum ACL limit on ASA)?

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/qa_c67-731962.html

Also, is it possible to block IP address ranges by geographical region versus ip host or cidr block addresses?

On ASA you can only use CIDR block to block IP address, only if use Sourcefire module on ASA you would be able to block on geographical region.

Regards,

Aditya

Please rate helpful and mark correct answers