Cisco ASA 5500 Series Adaptive Security Appliances

This document answers frequently asked questions about the Cisco ASA 5500 Series Adaptive Security Appliance.

A. Yes, the number of active NAT translations (xlates) is capped by the available memory, not the concurrent connection limit for the platform.

Note: This content was created by Andrew Ossipov, Cisco TAC Engineer.

A. No, a transparent mode ASA must be configured with an IP address for each Layer 2 bridge group.

Besides using the IP for any traffic sourced from the ASA, the ASA must ARP or send out an ICMP message in order to determine out of which interface the destination MAC resides (if the MAC address is not in the ASA CAM table). Without a valid IP address assigned to the ASA that is in the same IP subnet as adjacent devices, traffic might fail to pass through the transparent ASA since the ARP and ICMP process cannot complete.

Note: This content was created by David White, Cisco TAC Engineer.

A. When you run the url-block url-mempool 10240 command, you might receive the error shown in this sample code:

ciscoasa(config)# url-block url-mempool 10240
Memory pool size is not valid
Allowed range from 2 to 512

The maximum URL buffer memory pool (url-mempool) size is set to 10240 KB in single mode ASA. However, in multiple mode, each context can only have a maximum of 512 KB allocated to the url-mempool. This maximum value is hardcoded and cannot be changed.

Note: The maximum allowed URL size (configured using the url-block url-size command) has to be less than the url-mempool size. As a result, before increasing the url-size value, increase the url-mempool value depending on the mode the ASA is running.

Note: This content was created by Prapanch Ramamoorthy, Cisco TAC Engineer.