This document answers frequently asked questions about the Cisco ASA 5500 Series Adaptive Security Appliance.
Q. On ASA, can I configure more static NAT entries than the maximum number of concurrent connections for the given platform?
A. Yes, the number of active NAT translations (xlates) is capped by the available memory, not the concurrent connection limit for the platform.
Note: This content was created by Andrew Ossipov, Cisco TAC Engineer.
A. No, a transparent mode ASA must be configured with an IP address for each Layer 2 bridge group.
Besides using the IP address for any traffic sourced from the ASA itself, the ASA must send an ARP request or an ICMP message to learn which interface the destination MAC address is reachable through (if that MAC address is not already in the ASA CAM table). Without a valid IP address on the ASA in the same IP subnet as the adjacent devices, the ARP and ICMP process cannot complete, so traffic might fail to pass through the transparent ASA.
Note: This content was created by David White, Cisco TAC Engineer.
Q. On ASA in multiple mode, why do I receive the "Memory pool size is not valid Allowed range from 2 to 512" error message when I issue the url-block url-mempool 10240 command?
A. When you run the url-block url-mempool 10240 command, you might receive the error shown in this sample output:

ciscoasa(config)# url-block url-mempool 10240
Memory pool size is not valid Allowed range from 2 to 512
The maximum URL buffer memory pool (url-mempool) size is set to 10240 KB in single mode ASA. However, in multiple mode, each context can only have a maximum of 512 KB allocated to the url-mempool. This maximum value is hardcoded and cannot be changed.
Note: The maximum allowed URL size (configured using the url-block url-size command) has to be less than the url-mempool size. As a result, before increasing the url-size value, increase the url-mempool value depending on the mode the ASA is running.
Note: This content was created by Prapanch Ramamoorthy, Cisco TAC Engineer.
Q. Why am I unable to ping the inside interface of the ASA from a host connected to the outside interface of the ASA?
A. The default behavior of the ASA is to allow all ICMP traffic to the ASA interfaces. However, the ASA denies ICMP messages received at the outside interface for destinations on a protected interface.
Q. When performing LDAP authentication/authorization from an LDAP server on ASA, if a user has over 999 values for a single attribute, then the user authentication/authorization fails with these error messages:

%ASA-3-109035: Exceeded maximum number (999) of DAP attribute instances for user = <username>
%ASA-6-113013: AAA unable to complete the request Error : reason = Invalid response received from server : user = <username>
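Because the 113013 failure on its own looks like any bad LDAP response, it helps to correlate it with the preceding 109035 message for the same user when reviewing syslog. The following is an added example, not from the Cisco document, that parses ASA syslog lines and reports the users that hit the 999-value cap; the log lines, hostnames and usernames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (timestamps, hostname and usernames are made up).
SAMPLE_LOGS = [
    "Mar 10 2023 09:12:01 asa1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.20/51234 (192.0.2.20/51234)",
    "Mar 10 2023 09:12:44 asa1 %ASA-3-109035: Exceeded maximum number (999) of DAP attribute instances for user = bob",
    "Mar 10 2023 09:12:44 asa1 %ASA-6-113013: AAA unable to complete the request Error : reason = Invalid response received from server : user = bob",
    "Mar 10 2023 09:13:10 asa1 %ASA-6-113013: AAA unable to complete the request Error : reason = Invalid response received from server : user = carol",
]

# %ASA-<severity>-<6-digit message id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
USER_RE = re.compile(r"user = (?P<user>\S+)")


def parse_asa_line(line):
    """Return (severity, message id, text, user) or None for a non-ASA line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    user_m = USER_RE.search(m.group("text"))
    user = user_m.group("user") if user_m else None
    return int(m.group("sev")), m.group("msgid"), m.group("text"), user


def find_ldap_attribute_overflows(lines):
    """Correlate 109035 (DAP attribute cap hit) with a later 113013 (AAA failure)
    for the same user. Only users that tripped the cap are returned, so a
    113013 caused by something else (carol in the sample) is not reported."""
    state = defaultdict(lambda: {"cap_hit": False, "aaa_failed": False})
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None or parsed[3] is None:
            continue
        _, msgid, _, user = parsed
        if msgid == "109035":
            state[user]["cap_hit"] = True
        elif msgid == "113013" and state[user]["cap_hit"]:
            state[user]["aaa_failed"] = True
    return {u: s for u, s in state.items() if s["cap_hit"]}


if __name__ == "__main__":
    for user, flags in find_ldap_attribute_overflows(SAMPLE_LOGS).items():
        print(f"{user}: hit 999-attribute cap, AAA failed = {flags['aaa_failed']}")
```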