1976 Views, 0 Helpful, 7 Replies

ASA Maximum No. of IP addresses?

CHIEN-HSING WU
Level 1

Hi,

Does anyone know the maximum number of IP addresses allowed in an ASA appliance?

The IP addresses would be source or destination addresses used in all policies in an ASA appliance.

Where can I find this information?

Thanks.

Regards,

David Wu


7 Replies

Jennifer Halim
Cisco Employee

What do you mean? I don't think there is any limitation on the number of maximum ip addresses allowed through an ASA appliance.

Which model of ASA do you have?

Here is the model comparison:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

(It has the maximum number of firewall connections, but not the number of IP addresses, as one IP address can make multiple connections.)

Hi, Jennifer:

One of my customers asked me about the number of IP addresses in an ASA appliance.

His requirement is 18,000 client IP addresses, with 12 TCP/UDP ports per client in the worst case.

He wants to replace their firewalls, and he found that the Fortigate has a limit on addresses per unit/per VDOM.

http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-max-values-40-mr3.pdf

See page 17 in the above URL.

The ASA 5525X is suitable for the production traffic capacity and concurrent sessions.

But I need to confirm the supported IP addresses per ASA appliance.

If there is a similar limit in ASA, then an L4 redirect switch solution is required.

Thanks for your reply.

Regards,

David Wu

Hi David,

There is no limit to the number of IP addresses that need to pass traffic through the firewall for the ASA model.

You only need to check the concurrent session, throughput and maximum connections for each model.

Are they planning to configure different rules for each of the 18,000 clients?

Hi, Jennifer:

Thanks.

Yes, my customer is planning to configure 18,000 rules, even more in the future.

I don't know how to name the client device in English, it's a terminal for credit card payment.

So, every terminal has a unique private IP address, connecting to banks through MPLS VPN.

The firewall sits in between the terminals and the bank routers.

But I also recommend that my customer try to use subnets for each bank.

It's not easy work.

Regards,

David Wu

Wow, I am sure all the credit card terminals would have the same rules, right? If they all have the same rule, why would you configure 18,000 copies of exactly the same rule?

The number of ACLs that can be configured depends on the memory available and how big the rest of the configuration is. Also, if they are all the same rules, it makes sense to put them into the same subnet or group them; otherwise it can consume more memory for the ASA to go through the long list of ACLs, especially if they all have the same rule.

But 18,000 rules on ASA5525X is not a problem at all.
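The grouping approach described in the reply above, written out as an added ASA configuration example (this is not configuration from the thread, from Cisco, or from the customer's deployment). Object-group names, terminal subnets and bank server addresses are constructed placeholders (RFC 1918 and RFC 5737 ranges); the port list is a stand-in for the up to 12 ports per client the thread mentions. The point it shows is that terminals sharing one policy go into a per-bank object-group, so the access list holds one ACE per bank rather than one per terminal, while per-terminal control is kept by adding or removing a terminal's host entry in its group.

```cisco
! Added example, not from this thread. Addresses are constructed placeholders.
!
! Terminals that share the same policy, grouped per bank.
! Revoking a terminal's service = removing its host entry from the group,
! which keeps the per-terminal control the customer's policy requires.
object-group network BANK-A-TERMINALS
 network-object 10.10.0.0 255.255.0.0
 network-object host 10.20.1.15
 network-object host 10.20.1.16
!
object-group network BANK-B-TERMINALS
 network-object 10.30.0.0 255.255.0.0
!
! Bank-side hosts reached over the MPLS VPN (placeholder addresses).
object-group network BANK-A-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
object-group network BANK-B-SERVERS
 network-object host 198.51.100.20
!
! The TCP ports a terminal may use (stand-in for the 12 ports mentioned).
object-group service POS-TCP-PORTS tcp
 port-object eq 443
 port-object eq 8443
 port-object range 9000 9009
!
! One ACE per bank instead of thousands of per-terminal ACEs.
! Each bank's terminals may only reach that bank's servers.
access-list INSIDE_IN remark Bank A terminals to Bank A servers only
access-list INSIDE_IN extended permit tcp object-group BANK-A-TERMINALS object-group BANK-A-SERVERS object-group POS-TCP-PORTS
access-list INSIDE_IN remark Bank B terminals to Bank B servers only
access-list INSIDE_IN extended permit tcp object-group BANK-B-TERMINALS object-group BANK-B-SERVERS object-group POS-TCP-PORTS
access-list INSIDE_IN remark Explicit deny with logging so dropped terminals are visible
access-list INSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
```

After applying it, `show access-list INSIDE_IN` reports the element count of the expanded access list; comparing that figure with and without grouping is the quickest way to see how much of the memory cost the reply refers to is avoided. Terminals that do not fit a bank's subnet are still handled by a `network-object host` line inside the group, so the per-terminal policy survives without a per-terminal ACE.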

Hi, Jennifer:

My customer has historical baggage. Their security policy is to control each terminal, because a terminal may remain connected to the network after its service is revoked.

It's great to hear ASA doesn't have the limit like Fortigate. And, you are right the same rules for each bank.

Thanks for your quick reply.

Regards,

David Wu
