11-23-2007 10:26 AM - edited 02-21-2020 01:48 AM
ASA5505 8.0(2) with standard license.
1 server
1 SSL VPN AnyConnect client
1 outside interface
Since my SSL VPN client sets the default route, I thought I'd try to reach the internet via my ASA.
"Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded"
10.200.0.10 being my SSL VPN client.
I understand how (outside vpn) -> (outside) NAT might be a problem but why is the license check being triggered?
Any ideas on how to get SSL VPN NAT'ed to outside?
TIA
11-23-2007 03:44 PM
You would need at least to upgrade your license to break the 10 users limitation with ASA5505-50-BUN-K9. Outbound vpn/ssl is within the 10 user license limitation. How many concurrent users/connections do you have?
Refer to this link for detailed information: http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html
Please rate any helpful posts!
HTH
Jorge
06-28-2012 07:37 AM
Thanks for that slick Jorge.
12-03-2007 02:18 PM
Do a 'show ver' and see what your webvpn peers license is.
If you do a 'show vpn-sessiondb summary' you can see how many sessions are currently in use for sslvpn and whether that exceeds the webvpn peers line in your 'show ver'
--Jason
12-04-2007 03:42 AM
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Advanced Endpoint Assessment : Disabled
This platform has a Base license.
...
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent
SSL VPN : 1 : 22 : 2
Clientless only : 0 : 10 : 2
With client : 1 : 12 : 1
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 0 : 0 : 0
IPsec Remote Access : 0 : 0 : 0
Totals : 1 : 22
License Information:
IPsec : 10 Configured : 10 Active : 0 Load : 0%
SSL VPN : 2 Configured : 2 Active : 1 Load : 50%
Total : 12 Configured : 12 Active : 1 Load : 8%
Active : Cumulative : Peak Concurrent
IPsec : 0 : 0 : 0
SSL VPN : 1 : 22 : 2
Totals : 1 : 22
Tunnels:
Active : Cumulative : Peak Concurrent
Clientless : 1 : 22 : 2
SSL-Tunnel : 1 : 14 : 1
DTLS-Tunnel : 0 : 2 : 1
Totals : 2 : 38
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
...
Only me, myself and I on this box so the license should be sufficient.
I get this rejection when I try to reach an IP beyond the default gw of my ASA from my AnyConnect client.
However, if I try to reach something on the outside subnet, it will send on the outside interface but without NAT'ing the source address (see attached capture).
12-10-2007 11:34 AM
Hello,
The problem is that you have a restricted license that says only 10 users (read, 10 IP addresses with packets going to/from them at a time on the highest security level interface). It's not a VPN license issue - you'll have to get a new license if you want to reach more than 10 machines on the inside of your network.
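The comparison suggested in the replies above (sessions in use versus the peer lines in 'show ver'), written out as an added example that is not part of any post in this thread. The sample text is constructed and trimmed from the output format posted above; the function names are hypothetical.

```python
import re

# Constructed sample input, trimmed from the output format posted in the thread.
SHOW_VER = """Inside Hosts : 10
VPN Peers : 10
WebVPN Peers : 2
This platform has a Base license."""
SHOW_SESSIONDB = """Active : Cumulative : Peak Concurrent
SSL VPN : 1 : 22 : 2
Clientless only : 0 : 10 : 2
IPsec LAN-to-LAN : 0 : 0 : 0
IPsec Remote Access : 0 : 0 : 0
Totals : 1 : 22"""

def parse_license(show_ver):
    """Map 'Name : value' lines of 'show ver' to {name: value}."""
    lic = {}
    for line in show_ver.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            lic[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return lic

def parse_sessions(summary):
    """Map 'Type : active : cumulative : peak' rows to {type: (a, c, p)}."""
    rows = {}
    for line in summary.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*$", line)
        if m:
            rows[m.group(1)] = tuple(int(n) for n in m.groups()[1:])
    return rows

def license_report(show_ver, summary):
    """Compare active VPN sessions with the licensed peer counts."""
    lic, sess = parse_license(show_ver), parse_sessions(summary)
    ssl_active, _, ssl_peak = sess["SSL VPN"]
    ipsec_active = sum(v[0] for k, v in sess.items() if k.startswith("IPsec"))
    return {
        "ssl_active": ssl_active, "ssl_peak": ssl_peak,
        "ssl_within_license": ssl_peak <= lic["WebVPN Peers"],
        "ipsec_within_license": ipsec_active <= lic["VPN Peers"],
        # Separate from the VPN peer counts; the limit the final reply refers to.
        "inside_hosts_limit": lic["Inside Hosts"],
    }

if __name__ == "__main__":
    print(license_report(SHOW_VER, SHOW_SESSIONDB))
```

With the figures posted in the thread, both VPN peer checks pass, which matches the final reply's point that the deny message concerns the Inside Hosts limit and not a VPN license.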