How do I configure the NAT on the ASA5505 so I don't run out of licenses?

Unanswered Question
Apr 28th, 2008

Question: When I connect to the ASA5505 using Cisco AnyConnect VPN Client using a different outside IP address I almost immediately run out of connections. This also happens if I use the SSL VPN Client. I only have the 10 licenses for the box with the base license. If I do a show local-host it only shows two or three local connections and a lot of outside connections. If I disconnect the VPN the ASA5505 goes back to normal. I was on 8.03 but put the software back to 8.02. I'm also running Cisco AnyConnect SSL Client version for Windows 2.0.0343. I can browse the Internet until I get the message in the ASDM syslog console.


I've listed the routes at the bottom. The AnyConnect software connects and picks the outside gateway as its default route and this is why I'm running out of connections, but I don't know how to fix it.


The document I used to configure this shows the NAT to be like this.


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 10.1.2.0 255.255.255.0 dns outside


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml


4 Apr 24 2008 12:33:31 450001 198.60.22.121 Deny traffic for protocol 6 src outside:10.1.2.30/1954 dst outside:198.60.22.121/80, licensed host limit of 10 exceeded.


I'm also getting this from the log, but if there are licenses the connection works and I can browse the Internet.


3 Apr 24 2008 12:24:56 305005 10.1.2.30 No translation group found for icmp src inside:10.1.2.2 dst outside:10.1.2.30 (type 8, code 0)

3 Apr 24 2008 12:24:02 305006 10.1.2.255 portmap translation creation failed for udp src outside:10.1.2.30/137 dst inside:10.1.2.255/137


ASA5505# show local-host

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 10, towards licensed host limit of: 10

Interface outside: 76 active, 82 maximum active, 42 denied




Xlate: PAT Global 76.27.13.62(1206) Local 10.1.2.2(2566)

PAT Global 76.27.13.62(1147) Local 10.1.2.2(2474)


Conn: TCP out 8.7.28.35:80 in 10.1.2.2:2566 idle 0:02:35 bytes 22932 flags UIO

TCP out 216.246.122.34:80 in 10.1.2.2:2474 idle 0:30:17 bytes 309179 flags UFIO

Interface _internal_loopback: 0 active, 0 maximum active, 0 denied



ASA5505# show route

Gateway of last resort is 76.27.8.1 to network 0.0.0.0

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 76.27.13.62 255.255.254.0 is directly connected, outside

C 10.1.2.0 255.255.255.0 is directly connected, inside

S 10.1.1.0 255.255.255.0 [1/0] via 10.1.2.2, inside

S 10.1.2.35 255.255.255.255 [1/0] via 76.27.8.1, outside

d* 0.0.0.0 0.0.0.0 [1/0] via 76.27.8.1, outside


Routes when not connected using AnyConnect software on ASA


ASA5505# show route

Gateway of last resort is 76.27.8.1 to network 0.0.0.0

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 76.27.13.62 255.255.254.0 is directly connected, outside

C 10.1.2.0 255.255.255.0 is directly connected, inside

S 10.1.1.0 255.255.255.0 [1/0] via 10.1.2.2, inside

d* 0.0.0.0 0.0.0.0 [1/0] via 76.27.8.1, outside

ASA5505#
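
The three syslog lines quoted in the post, run through a small triage parser to show which interface pair and source address each event involves. This is an added example, not part of the original post and not Cisco code; the column layout (severity, date, time, message ID, an address column, text) is inferred from the quoted lines, and `parse_line` and `triage` are hypothetical names.

```python
import re
from collections import Counter

# The three ASDM syslog lines quoted in the post above.
SAMPLE = """\
4 Apr 24 2008 12:33:31 450001 198.60.22.121 Deny traffic for protocol 6 src outside:10.1.2.30/1954 dst outside:198.60.22.121/80, licensed host limit of 10 exceeded.
3 Apr 24 2008 12:24:56 305005 10.1.2.30 No translation group found for icmp src inside:10.1.2.2 dst outside:10.1.2.30 (type 8, code 0)
3 Apr 24 2008 12:24:02 305006 10.1.2.255 portmap translation creation failed for udp src outside:10.1.2.30/137 dst inside:10.1.2.255/137
"""

# Assumed column layout: severity, date and time, message ID, address column, free text.
HEAD = re.compile(r"^(?P<sev>\d) (?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) "
                  r"(?P<msgid>\d{6}) (?P<ip>\S+) (?P<text>.*)$")
# "src <interface>:<address>[/<port>] dst <interface>:<address>[/<port>]"
FLOW = re.compile(r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
                  r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?")

def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    rec = head.groupdict()
    flow = FLOW.search(rec["text"])
    if flow:
        rec.update(flow.groupdict())
        # True when traffic enters and leaves on the same interface.
        rec["same_interface"] = flow["sif"] == flow["dif"]
    return rec

def triage(log_text):
    """Count events per message ID and list license-limit denials per source."""
    by_id, license_denied, same_if = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_id[rec["msgid"]] += 1
        if rec["msgid"] == "450001" and "sip" in rec:
            license_denied[(rec["sif"], rec["sip"])] += 1
        if rec.get("same_interface"):
            same_if.append((rec["sif"], rec["sip"], rec["dip"]))
    return {"by_id": dict(by_id), "license_denied": dict(license_denied),
            "same_interface_flows": same_if}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the quoted lines, the only license-limit denial is for source 10.1.2.30 entering and leaving on the outside interface.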

