I need to define an ACL policy for 4000 hosts in my transparent firewall.
What is the best practice?
I am thinking of implementing a network object per host, and defining the object-group access list for them all.
Or is there any other way?
Just curious to know why you would need to create an ACL for 4000 hosts. Is each host going to have different policies, hence the requirement to create 4000 hosts? Are you able to merge those hosts into a network/subnet so you don't have to create a 4000-host ACL?
If each host will have different policies, then I would suggest that you just name the host via the "name" command. However, if some hosts will have the same policies, then it would be best to group all the hosts in 1 network object, and reference the network object in the ACL to simplify the ACL.
Thanks for your reply.
Actually these addresses are the electrical substations of a district which will start communicating over IP for station updates. Since this is a new implementation, I wanted to be sure that my ASA 5510 (256 MB RAM) could accommodate these addresses through an access list.
Right now only 20 substations (addresses) have come up, but eventually it will amount to 4000.
However, all these addresses will have the same policies.
As per your advice I will group all of them under one network group (DISTRICT NAME) and then apply the appropriate policy in the access list.
But my other question is: if I add 4000 network objects in the coming months, how would that affect my ASA? Wouldn't there be any CPU overload or something?
It really depends on the rest of the ASA configuration, as well as whether you are configuring a port-specific ACL for the 4000 hosts and how many interfaces you are applying the ACL on. The ACL grows if you configure multiple ports per ACE. Plus also how busy the ASA is, i.e. how many connections are being built per second through the ASA, etc.
Permit TCP/80 and TCP/443 for Host-A and Host-B: even if you group Host-A and Host-B into 1 network object group, and group TCP/80 and TCP/443 into 1 service object group to create just 1 line of ACL, that actually consists of 4 lines of ACL.
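To make the expansion point concrete, here is an added example (not from any poster in this thread) that generates the object-group configuration described above for a list of substation addresses and reports how many expanded ACEs the ASA will actually hold; the group names, the 10.20.0.0/20 addresses and TCP port 502 are constructed placeholders, and the expansion rule is the one stated in the reply (hosts × ports).

```python
# Added example: build ASA object-group config for N hosts sharing one policy
# and compute the expanded ACE count that a single object-group ACE produces.
# All names, addresses and ports below are constructed placeholders.
import ipaddress

def build_object_group_config(group_name, hosts, tcp_ports, iface="inside"):
    """Return ASA CLI text: one network object-group holding every host,
    one tcp service object-group holding every port, a single ACE that
    references both, and the access-group binding it to an interface."""
    lines = [f"object-group network {group_name}"]
    for h in hosts:
        # ip_address() rejects malformed entries before they reach the box.
        lines.append(f" network-object host {ipaddress.ip_address(h)}")
    svc = f"{group_name}-SVC"
    lines.append(f"object-group service {svc} tcp")
    for p in tcp_ports:
        lines.append(f" port-object eq {int(p)}")
    acl = f"{group_name}-IN"
    lines.append(
        f"access-list {acl} extended permit tcp "
        f"object-group {group_name} any object-group {svc}"
    )
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)

def expanded_ace_count(n_hosts, n_ports, n_destinations=1):
    """One ACE referencing object groups expands to the product of the
    group sizes: 2 hosts x 2 ports = 4 entries, 4000 hosts x 1 port = 4000."""
    return n_hosts * n_ports * n_destinations

def substation_addresses(count, network="10.20.0.0/20"):
    """Constructed sample: the first `count` usable addresses of a /20."""
    net = ipaddress.ip_network(network)
    return [str(a) for _, a in zip(range(count), net.hosts())]

if __name__ == "__main__":
    hosts = substation_addresses(4000)
    print(build_object_group_config("DISTRICT", hosts[:3], [502]))
    print("expanded ACEs for 4000 hosts, 1 port:",
          expanded_ace_count(len(hosts), 1))
    print("expanded ACEs for 2 hosts, 2 ports:", expanded_ace_count(2, 2))
```

Run it as-is to see the config for the first three constructed hosts; pass the full list to `build_object_group_config` to emit all 4000 network-object lines.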
Well, it's a transparent firewall. Same subnet in and out. The substations will communicate on one port only. Nothing much. There is nothing else configured on the FW. It's new and meant to be utilised for this purpose only.
I have not started implementing the objects. It's just the hardware I am worried about.