ASA 5505 WAN access issues

Jun 5th, 2009

We recently bought another company that had an old PIX box (PIX-501, SW version 6.3(4)) on their network. As that box was old and barely (if at all) upgradeable, we decided to replace it with an ASA 5505. I copied the config as closely as I could, and we tried it. What we found was that it worked for the most part, but for some reason only a limited number of people could access the internet. Looking at the ASDM graphs, I'm seeing several hundred NAT translations in use at any given time, with a max of around 1,200, and there is nothing showing up in the log above informational level. The device is set up to translate all inside addresses to two outside addresses using PAT, but so was the old PIX box, so I wouldn't think that would be the issue. Where would be the next place to look, given that the logs are unhelpful (unless I just need to increase the logging level from warnings)?

John Blakley Fri, 06/05/2009 - 13:48

Since you said a limited number of people could get on, I'd make sure that you're licensed for enough people. The ASA will block outbound traffic when it meets its license threshold. The default, I believe, is 10 users.

Do a "sh ver" at the console, and you'll be able to see what you're licensed for. I'm not sure about ASDM, but you *might* be able to find it on the main page.



ibrewster Fri, 06/05/2009 - 14:37

Thanks for the response. This device has a standard license which, if I recall correctly (it's not online at the moment, due to it not working), says "Inside Hosts 50." Is this the section you are referring to? If so, then why does it say it is doing over 300 NAT translations? Or is it that it makes the translation, but still blocks the traffic? One thing we have been unclear on through this whole process is what, exactly, that 50 inside hosts actually means. Looking at the license features on the other ASA box we have here (5510 with a security plus license and unlimited inside hosts), I don't see anything else that even possibly relates to internet traffic from inside.

