Trouble with PIX 501 user limit?

zacmutrux · ‎05-12-2008

I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.

I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.

The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.

I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?

Thanks very much for any advice you can offer.

Best regards,

Zac

Danilo Dy · ‎05-12-2008

Hi,

Can you execute "show local-host" in your PIX 501 Firewall? It will show you how it use the 10-user license.

Regards,

Dandy

zacmutrux · ‎05-13-2008

Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?

pixfirewall# show local-host

Interface inside: 10 active, 10 maximum active, 3493 denied

local host: <192.168.1.2>,

TCP connection count/limit = 12/unlimited

TCP embryonic count = 2

TCP intercept watermark = unlimited

UDP connection count/limit = 0/unlimited

AAA:

Xlate(s):

PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)

PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)

PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)

PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)

PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)

PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)

PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)

etc, etc.