ASA5505 10-User VS. Unlimited

Answered Question
Dec 26th, 2008

Is the only difference between these 2 models the fact that the 10 User is limited to 10 external translations?


Thanks,


Jason

JORGE RODRIGUEZ Fri, 12/26/2008 - 09:19

Jason,


As far as I know, the 10 user license will allow for only 10 concurrent outbound connections. I did have an ASA-5505 10 user license, testing it with only one inside host; while making several outbound connections to different destinations, any other connection after 10 would not occur, with error message user license exceeded.


Best is to upgrade for another $400 Security plus license to unlock that limitation. Not only will you have unlimited inside hosts but DMZ and VLAN support unlocked.


Regards


jbeltrame Fri, 12/26/2008 - 11:53

Now, inbound requests from the Internet would not count against this limit, correct? I am thinking of using this as a low end firewall for websites with minimal traffic.

JORGE RODRIGUEZ Fri, 12/26/2008 - 12:35

Although I never tested it that way, I am not 100% sure if this limitation applies for many outside to one inside. I suspect it may have this limitation since the reply from the inside will be to many outside. If you do have the fw already you may want to test that.



jbeltrame Mon, 12/29/2008 - 11:05

Hmm...yeah I don't have one to test with, just unlimited. Cisco's site seems to show only connections initiated from the inside out count towards limit, and unlimited from the Internet. This supports the 10,000 max concurrent limits imposed on the ASA5505. It's strange, I've seen posts saying it's a limit on xlates, limit on hosts, limit on connections inbound, limits on connections in both directions.

Correct Answer
kmccourt Mon, 12/29/2008 - 14:41

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/license.html#wp1121587


The table above gives a fairly clear description of the different ASA5505 license features.


"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit."
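
The counting rule quoted above, modelled as an added example (not part of the original posts and not Cisco code). Assumptions: the interface names, addresses and flow tuples are constructed, and "communicate with the outside" is read literally as being either endpoint of a flow that crosses the Internet interface.

```python
# Model of the host-counting rule quoted from the licensing guide.
# Illustrative only: this is not how the ASA is implemented.

def counted_hosts(flows, internet_if):
    """Return the set of (interface, ip) hosts that count toward the limit.

    flows       -- iterable of (src_if, src_ip, dst_if, dst_ip) tuples
    internet_if -- interface holding the default route, or None if absent
    """
    counted = set()
    for src_if, src_ip, dst_if, dst_ip in flows:
        ends = ((src_if, src_ip), (dst_if, dst_ip))
        if internet_if is None:
            # "If there is no default route, hosts on all interfaces
            # are counted toward the limit."
            counted.update(ends)
        elif internet_if in (src_if, dst_if):
            # Flow crosses the Internet interface: count only the
            # endpoint that is NOT on it (Internet hosts never count).
            counted.update(e for e in ends if e[0] != internet_if)
        # Otherwise (e.g. Business <-> Home) nothing is counted.
    return counted

def over_limit(flows, internet_if, limit=10):
    """True when the counted hosts exceed the licensed host limit."""
    return len(counted_hosts(flows, internet_if)) > limit

# Constructed sample traffic (documentation address ranges).
SAMPLE_FLOWS = (
    # one inside host opening 12 outbound connections
    [("business", "192.168.1.10", "internet", f"203.0.113.{n}")
     for n in range(1, 13)]
    # three Internet clients reaching one inside web server
    + [("internet", f"198.51.100.{n}", "business", "192.168.1.20")
       for n in range(1, 4)]
    # traffic between the two inside VLANs
    + [("business", "192.168.1.30", "home", "192.168.2.5")]
)

if __name__ == "__main__":
    print(sorted(counted_hosts(SAMPLE_FLOWS, "internet")))
    print(over_limit(SAMPLE_FLOWS, "internet"), over_limit(SAMPLE_FLOWS, None))
```
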

Correct Answer
JORGE RODRIGUEZ Mon, 12/29/2008 - 15:20

Killian, good link.


Sometimes those little small prints have to be read a few times.


In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN).


Above is understood, this is outbound and makes perfect sense.



Internet hosts are not counted towards the limit.


Although it does not specify, this is the most logical answer, assuming internet hosts are inbound connections sourced from the outside.


I will definitely put that to the test next time.

seth.rose Wed, 08/19/2009 - 08:20

So I have an ASA5505 for home use and initially bought the box with a base license. I realized that the 10 user limit wasn't going to cut it for me as I'm wanting to re-design my home network that will incorporate at least 20 devices on the inside.


I decided to buy the Security Plus license, thinking I was going to get the unlimited users. It upgraded everything else as far as unlocking the 20 VLANs and being allowed to trunk ports now, but the only thing that didn't change was my inside hosts. After a $531 Security Plus license, I still only have 10 inside hosts.


Needless to say I'm a little frustrated and have opened a TAC case with Cisco only to be tossed around and told 3 different times that my license should have upgraded me to unlimited and 2 other times that my license will not upgrade me to unlimited and keep me at the 10 inside hosts...


I took it a step further and asked Cisco's Global Licensing department to tell me what the Serial # is of the license I need to ONLY upgrade the Inside hosts now that I've already gotten everything else upgraded from the Security Plus license. They keep telling me that they have no idea and I need to talk to my Cisco account rep. I've talked to 5 of them and each one says they have no clue about how to upgrade ONLY the inside hosts.


I don't want to pay $950 bucks for a SEC-BUN-K9 license that I know will upgrade me with everything, when I already paid $531 for the Security Plus license and it didn't do what I thought I was getting.


Does anyone have any information on how to get an upgraded license that only upgrades the inside hosts? Also, this might sound nuts, but I asked Cisco if there was a way to revoke my license in my ASA as buy.com is saying I can RMA the license back to them, but when I ask them how they will revoke it from my box, they don't reply. So I'm not sure if I should send it back or just hang on to it and frown upon the fact that I got some bad information and spent a lot of money.


Any help is greatly appreciated!

kwillacey Wed, 08/19/2009 - 12:40

I had the same issue: the security plus license does not upgrade the users. I thought that strange, but that's how they do it. I just assumed that since the security plus bundle gave unlimited users that the security plus license would do the same. Check out the link below; you can see that even with the security plus license the user licenses are optional.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1306150


What you will need is an upgrade license from 10 users to unlimited. Here is the part number ASA5505-SW-10-UL=, the MSRP is US$500. Hope that helps.

seth.rose Wed, 08/19/2009 - 20:57

This is great information and exactly what I was looking for. I do have a question to see if you or anyone else knows, but I noticed they have a license that doesn't look to be an upgrade license and it's cheaper for both 50 and UL, but I'm wondering if you can use this license on a unit that already has a previous inside host count, in my case 10?


Here's what I found:


ASA5505-SW-10-UL - $319.62

ASA5505-SW-UL - $255.70

ASA5505-SW-10-50 - $228.99

ASA5505-SW-50 - $159.81


It's cheaper to go the route of just getting the "ASA5505-SW-UL" or the "ASA5505-SW-50" so I'm wondering if since I already have the 10 inside hosts, that I have to go with either "ASA5505-SW-10-UL" or "ASA5505-SW-10-UL"?


Thanks!


kmccourt Wed, 08/19/2009 - 22:13

I have never seen clarification about what exactly these different licenses mean, but any user upgrades I have done to an ASA 5505 have been with either ASA5505-SW-10-50 or ASA5505-SW-10-UL.

binaryops Fri, 08/21/2009 - 11:04

Ok, well thanks for the help man! I'm still doing some research and trying to decide which route I'm going to go down. I have a feeling I'm going to do the ASA5505-SW-10-50 as I re-designed my network in Visio to see exactly how many inside hosts I have and could potentially have years down the line. The 50 user license should be sufficient, but I'm notorious for thinking, "eh, spend the extra 100 bucks and get it all"...lol


Thanks!

