07-03-2017 12:59 AM - edited 03-12-2019 02:39 AM
Dear all,
What is the maximum number of access-list rules supported on the ASA 5512-X?
07-03-2017 01:07 AM
Hi Ratha,
ASA 5512-x supports a maximum of 100K access-list elements.
To check
show access-list | in elements
Check "show resource usage" as well for other parameters
Regards
Dinesh Moudgil
P.S. Please rate helpful posts.
07-03-2017 07:32 PM
Hi Dinesh Moudgil,
From my team's experience, a colleague said that using 1K elements on the ASA can cause slow network connections. Do you think this is possible?
One more thing: on an ASA with FirePOWER, could using over 1K elements also cause slow connections?
Regards,
Ratha
07-03-2017 08:47 PM
Hi Ratha,
Yes, it can lead to issues. But I'd like to confirm whether there is really a need for so many access-list elements. I'd suggest, irrespective of the setup you are using, that you optimize your configuration so it does not have so many access-list elements. Alternatively, you can move to a bigger platform, the ASA 5515-X, which supports 200K access-list elements.
You can use transactional commit model and OGS for optimizing access-lists
Ref:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/access-rules.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_rules.html#pgfId-1270273
Regards
Dinesh Moudgil
P.S. Please rate helpful posts.
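The two checks suggested above (count elements per ACL, then find out where they come from before deciding on object-group cleanup or a bigger box) can be automated offline against a saved `show access-list` dump. The script below is an added example and is not code from this thread or from Cisco: it parses the dump, reports how many elements each ACL contributes, which ACL lines expand into the most elements (object-group expansions are the usual source), and how much of the platform's element ceiling is consumed. The sample dump is constructed to resemble ASA output (header line with "; N elements", one line per element, indented expansions under an entry that references an object-group); the exact layout on a given ASA release may differ slightly, so treat the regexes as an assumption to adjust. The 100,000-element ceiling is the 5512-X figure quoted in the answer above, passed in as a parameter.

```python
"""Summarise a saved ASA ``show access-list`` dump: elements per ACL, the ACL
lines that expand the most, and utilisation against a platform element ceiling.

Added example, not Cisco's or the original poster's code.  The input format is
an approximation of ASA output (assumption; adjust the regexes if your release
prints differently)."""
import re
from collections import defaultdict

# Constructed sample dump modelled on ASA "show access-list" output.
SAMPLE_DUMP = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 5 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 10.1.1.10 eq www (hitcnt=120) 0xaaaa0001
access-list outside_in line 2 extended permit tcp any object-group WEB_SRV eq https 0xaaaa0002
  access-list outside_in line 2 extended permit tcp any host 10.1.1.20 eq https (hitcnt=7) 0xaaaa0003
  access-list outside_in line 2 extended permit tcp any host 10.1.1.21 eq https (hitcnt=0) 0xaaaa0004
  access-list outside_in line 2 extended permit tcp any host 10.1.1.22 eq https (hitcnt=0) 0xaaaa0005
access-list outside_in line 3 extended deny ip any any (hitcnt=33) 0xaaaa0006
access-list dmz_out; 2 elements; name hash: 0x2b3c4d5e
access-list dmz_out line 1 extended permit udp host 10.2.0.5 any eq domain (hitcnt=9) 0xbbbb0001
access-list dmz_out line 2 extended deny ip any any (hitcnt=0) 0xbbbb0002
"""

ASA5512X_ELEMENT_LIMIT = 100_000  # figure quoted in the thread for the 5512-X

HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements;")
ENTRY_RE = re.compile(r"^(\s*)access-list (\S+) line (\d+) (.*)$")


def _new_acl(declared=None):
    return {"declared": declared, "counted": 0, "lines": defaultdict(int)}


def parse_show_access_list(text):
    """Return {acl_name: {"declared": int|None, "counted": int, "lines": {line_no: elements}}}."""
    acls = {}
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            acls[m.group(1)] = _new_acl(int(m.group(2)))
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # "cached ACL log flows", alert-interval, blanks
        indent, name, line_no, body = m.groups()
        acl = acls.setdefault(name, _new_acl())
        # An unindented entry that references an object-group is the parent of
        # the indented expansions that follow; only the expansions are elements.
        if not indent and "object-group" in body:
            continue
        acl["counted"] += 1
        acl["lines"][int(line_no)] += 1
    return acls


def elements_per_acl(acls):
    return {name: info["counted"] for name, info in acls.items()}


def total_elements(acls):
    return sum(info["counted"] for info in acls.values())


def utilization_percent(acls, platform_limit):
    return 100.0 * total_elements(acls) / platform_limit


def header_mismatches(acls):
    """ACLs whose counted elements disagree with the "; N elements" header
    (a sign the dump is truncated or the format assumption does not hold)."""
    return {name: (info["declared"], info["counted"]) for name, info in acls.items()
            if info["declared"] is not None and info["declared"] != info["counted"]}


def top_expanding_lines(acls, n=3):
    """(acl, line, element_count) for the ACL lines contributing the most elements."""
    rows = [(name, line_no, count)
            for name, info in acls.items() for line_no, count in info["lines"].items()]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows[:n]


if __name__ == "__main__":
    acls = parse_show_access_list(SAMPLE_DUMP)
    for name, count in elements_per_acl(acls).items():
        print(f"{name}: {count} elements")
    print(f"total {total_elements(acls)} elements, "
          f"{utilization_percent(acls, ASA5512X_ELEMENT_LIMIT):.3f}% of 5512-X ceiling")
    for name, line_no, count in top_expanding_lines(acls):
        print(f"  {name} line {line_no} expands to {count} elements")
    if header_mismatches(acls):
        print("warning: header/element count mismatch:", header_mismatches(acls))
```

Feed it a real dump (`show access-list` captured to a file) instead of `SAMPLE_DUMP`, and check `header_mismatches()` first: if it is non-empty, the parser's format assumption does not match your release and the other numbers should not be trusted. The lines reported by `top_expanding_lines()` are the ones to look at when deciding whether object-group search (OGS) or a tidier object model would cut the element count before resorting to a larger platform.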