Adding an Extended Access List
Maximum Number of ACEs
The FWSM supports a maximum number of ACEs for the entire system. See the "Rule Limits" section on page A-6 for detailed information about rule limits, including for ACEs and other types of rules.
Some access lists use more memory than others, and these include access lists that use large port number ranges or overlapping networks (for example, one ACE specifies 10.0.0.0/8 and another specifies 10.1.1.0/24, resulting in ACEs with overlapping networks). Depending on the type of access list, the actual limit the system can support will be less than the maximum.
If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of
expanded ACEs is the same as without object groups, and expanded ACEs count towards the system
limit. To view the number of expanded ACEs in an access list, enter the show access-list command.
When you add an ACE, and the FWSM commits the access list, the console displays the memory used
in a message similar to the following:
Access Rules Download Complete: Memory Utilization: < 1%
If you exceed the memory limitations, you receive an error message and a system log message (106024),
and all the access lists that were added in this commitment are removed from the configuration. Only the
set of access lists that were successfully committed in the previous commitment are used. For example,
if you paste 1000 ACEs at the prompt, and the last ACE exceeds the memory limitations, all 1000 ACEs
are rejected.
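The two points above, that object-group ACEs expand to many individual ACEs which count against the system limit, and that overlapping networks cost extra memory, are easier to reason about with a small model. The following is an added example, not code from the configuration guide or from the FWSM: it expands a constructed access list the way the FWSM counts it and flags nested networks, so an administrator can estimate the load before pasting a large batch of ACEs and risking rejection of the whole commitment. The object-group names (INTERNAL, DMZ_HOSTS, WEB_SERVERS, WEB_PORTS) and all addresses are constructed for illustration.

```python
"""Estimate the expanded-ACE count and flag overlapping networks for a
candidate access list before it is pasted at the FWSM prompt.

Added example, not code from the configuration guide. The object-group
names and addresses below are constructed for illustration."""
import ipaddress
from itertools import product

# Constructed network object groups (hypothetical names): each member is a
# CIDR network; the FWSM expands every group reference into one ACE per member.
NETWORK_GROUPS = {
    "INTERNAL": ["10.0.0.0/8"],
    "DMZ_HOSTS": ["10.1.1.0/24", "10.1.2.0/24"],
    "WEB_SERVERS": ["192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32"],
}

# Constructed service object group (hypothetical name): TCP destination ports.
SERVICE_GROUPS = {
    "WEB_PORTS": [80, 443, 8080],
}

# Constructed access list: three ACEs as an administrator would type them.
# dport None means the ACE carries no destination-port match.
ACL = [
    {"action": "permit", "protocol": "tcp", "src": "INTERNAL", "dst": "WEB_SERVERS", "dport": "WEB_PORTS"},
    {"action": "permit", "protocol": "tcp", "src": "DMZ_HOSTS", "dst": "INTERNAL", "dport": 22},
    {"action": "deny", "protocol": "ip", "src": "any", "dst": "any", "dport": None},
]


def members(groups, ref):
    """Resolve a group name to its members; a literal value stands for itself."""
    return groups.get(ref, [ref])


def expand_ace(ace):
    """Expand one ACE that may reference object groups into the equivalent
    individual ACEs: the cross product of source, destination and port members."""
    srcs = members(NETWORK_GROUPS, ace["src"])
    dsts = members(NETWORK_GROUPS, ace["dst"])
    ports = members(SERVICE_GROUPS, ace["dport"]) if ace["dport"] is not None else [None]
    return [
        {"action": ace["action"], "protocol": ace["protocol"], "src": s, "dst": d, "dport": p}
        for s, d, p in product(srcs, dsts, ports)
    ]


def expanded_ace_count(acl):
    """Number of expanded ACEs, which is what counts against the system limit."""
    return sum(len(expand_ace(ace)) for ace in acl)


def overlapping_networks(acl):
    """Return (wider, nested) pairs of distinct networks in the expanded access
    list where the second network lies inside the first. 'any' is left out of
    the check because it trivially contains everything."""
    seen = set()
    for ace in acl:
        for e in expand_ace(ace):
            for n in (e["src"], e["dst"]):
                if n != "any":
                    seen.add(ipaddress.ip_network(n))
    # Sort by address, then prefix length, so the wider network of a nested
    # pair always comes first and a single subnet_of() check per pair suffices.
    nets = sorted(seen, key=lambda n: (int(n.network_address), n.prefixlen))
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if b.subnet_of(a)
    ]


if __name__ == "__main__":
    print(f"ACEs entered: {len(ACL)}, expanded ACEs: {expanded_ace_count(ACL)}")
    for wide, nested in overlapping_networks(ACL):
        print(f"overlap: {nested} lies inside {wide}")
```

Three typed ACEs expand to twelve here, and the two DMZ networks nested inside 10.0.0.0/8 are exactly the pattern the text describes as using more memory. On the real system the authoritative figure is still the one reported by show access-list after the commit.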
Adding an Extended Access List
This section describes how to add an extended access list, and includes the following topics:
• Extended Access List Overview, page 13-6
• Allowing Broadcast and Multicast Traffic through the Transparent Firewall, page 13-7
• Adding an Extended ACE, page 13-7
Extended Access List Overview
An extended access list is made up of one or more ACEs, in which you can specify the line number to insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To use object groups, see the "Simplifying Access Lists with Object Grouping" section on page 13-11.
For information about logging options that you can add to the end of the ACE, see the "Logging Access List Activity" section on page 13-25. For information about time range options, see the "Scheduling Extended Access List Activation" section on page 13-24.
For TCP and UDP connections for both routed and transparent mode, you do not need an access list to allow returning traffic, because the FWSM allows all returning traffic for established, bidirectional connections. For connectionless protocols such as ICMP, however, the FWSM establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
13-6
Chapter 13
Identifying Traffic with Access Lists
OL-20748-01