ASA 5505: "Inside Hosts" count if layer 3 switch connected

Answered Question
Jul 29th, 2009

Working with a base model 5505 appliance where the number of "Inside Hosts" allowed = 10.


Have discovered that the ASA 5505 is very literal when counting the number of "inside" hosts and will refuse to route traffic for any host connected after the licensed number of hosts is reached (in this case 10).


My question is: If a layer 3 switch (with, say, 20 hosts attached) is connected to the 5510 as a routed inside host, does the 5510 view this as 1 host or 21 hosts (layer 3 address of switch + 20)?


Correct Answer by jeliasoncisco about 7 years 11 months ago

Hi. The 5505 connected to the layer 3 switch will see all IP addresses and block any over the 10. In order to do something different you could put a router that performs NAT/PAT behind the ASA, but this defeats the purpose and places a lot of restrictions. Best of luck.

vmilanov Wed, 07/29/2009 - 16:33

No chance for that cheat; you will rather need a gateway with NAT, which is one host.


Also, the ASA counts all the hosts on all the interfaces it has (they are VLAN interfaces), except the one that is pointed to by the default gateway. So, if it happens that you do not have a default route installed, the ASA takes account of hosts on the outside interface as well.


HTH


Regards,

Vasil

goodwinscott Wed, 07/29/2009 - 21:54

Have no intention or interest in avoiding the purchase of required licenses. In this particular application an additional access switch is required anyway. We are simply attempting to ascertain whether or not additional licenses must be purchased to resolve the random denial of service problem at this location.


And I trust your use of the term "cheat" was in reference to a workaround, or potential solution...

vmilanov Thu, 07/30/2009 - 13:55

Hi,

Sorry, I was not trying to offend you. What I tried to say is that in your scenario 10 hosts are no more than 10 hosts. Even worse, you may have fewer than this number of hosts, but in certain circumstances the ASA may block your inside hosts even if they are fewer than the licensing limitation. In this case I personally think that the ASA "cheats". But this is the way that it works.


Regards,

Vasil

jeliasoncisco Thu, 07/30/2009 - 15:30

Hello. In regards to your 10 hosts and the 32 DHCP clients: the ASA will serve multiple IP addresses, up to 32, to the local LAN. The issue that exists with hosts is the machines that need to translate to the Internet. Only 10 would be allowed, but you may have many IP addresses, like printers, etc., that may exist.

goodwinscott Wed, 07/29/2009 - 21:26

Thank you, this is what I was looking for. Having scoured the support site for detail on HOW the "Inside Hosts" limitation is actually implemented, available documentation seems to lack detail and is ambiguous at best. For example, the document below refers to a maximum of 32 DHCP clients when using a 10-user license. How is this possible?

No mention of how or when inside hosts that are no longer connected are removed from the count, etc...


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1301770


“For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.”


“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.”

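The documented counting rule quoted above (hosts count only when they talk toward the default-route interface, Internet hosts never count, all interfaces count when there is no default route) and the NAT/PAT workaround from the accepted answer, modelled as a small simulation. This is an added illustration, not Cisco code or the ASA's actual implementation; the interface names, addresses and the assumption that over-limit hosts are simply refused are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str   # address of the host sending the packet
    in_if: str    # interface the packet arrived on
    out_if: str   # interface the ASA would forward it out of

def count_inside_hosts(flows, default_route_if, limit):
    """Model of the documented rule: a host is counted the first time it
    sends traffic toward the default-route (Internet) interface; hosts on
    that interface and inside-to-inside traffic are not counted; with no
    default route every interface counts. Hosts first seen after the limit
    is reached have their flows refused (the behaviour the thread reports)."""
    counted, refused = set(), []
    for f in flows:
        if default_route_if is not None:
            if f.in_if == default_route_if:
                continue                    # Internet hosts never count
            if f.out_if != default_route_if:
                continue                    # inside-to-inside not counted
        if f.src_ip in counted:
            continue                        # already licensed, no change
        if len(counted) >= limit:
            refused.append(f)               # over the licensed host count
            continue
        counted.add(f.src_ip)
    return counted, refused

def behind_pat_router(flows, router_ip, router_if):
    """Rewrite flows as if a NAT/PAT router sat between the hosts and the
    ASA: the ASA then sees a single source address, the router's own."""
    return [Flow(router_ip, router_if, f.out_if) for f in flows]

# Constructed sample: 12 LAN hosts plus one host that only talks to the DMZ,
# against the base 5505 limit of 10 inside hosts.
LAN = [Flow(f"192.168.1.{n}", "inside", "outside") for n in range(11, 23)]
INTERNAL = [Flow("192.168.1.50", "inside", "dmz")]   # never leaves the LAN

def direct_result():
    hosts, refused = count_inside_hosts(LAN + INTERNAL, "outside", 10)
    return len(hosts), len(refused)          # 10 counted, last 2 hosts refused

def pat_result():
    natted = behind_pat_router(LAN, "192.168.1.1", "inside")
    hosts, refused = count_inside_hosts(natted, "outside", 10)
    return len(hosts), len(refused)          # the router is the only host seen

def no_default_route_result():
    outside = [Flow(f"203.0.113.{n}", "outside", "inside") for n in range(1, 6)]
    hosts, refused = count_inside_hosts(LAN[:8] + outside, None, 10)
    return len(hosts), len(refused)          # outside hosts now eat the license
```

The third case reproduces Vasil's warning: with no default route, five outside hosts push eight inside hosts over the limit even though fewer than ten inside hosts exist.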

AlphagJohn Tue, 08/25/2009 - 17:28

This has been a really valuable thread to read; as I must say, your assessment that the "available documentation ... lack[s] detail and is ambiguous at best" is, if anything, generous. There's no justification for the level of uncertainty the average buyer is faced with trying to decide what type of license is needed.


I can offer some clarification on one point:

Your question about "How is this possible?" regarding this documentation statement:

“For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.”


The way this is implemented is that you can only have the indicated number of IPs in the pool for the DHCP server that's built into the ASA. That is, on my base 5505 (10 inside hosts), the biggest DHCP pool I can define is 32 IPs; if you try to put in a larger range, it just rejects it. I haven't tried putting, say, 16 on an inside address and 16 on a DMZ address, but that *might* work (not sure how sophisticated it is). Now, I also have a wireless access point/router that does NAT/PAT and it gives me a much larger pool; so, in my case, where many of my devices' NICs do not have public IPs, I have no significant practical limit on the number of devices that can "see out" to the Internet via NAT/PAT through the ASA, but only 10 IPs visible from the Internet. Some of those NAT/PAT addresses are available directly off the ASA's DHCP server and a whole different subnet is available from the WLAN router's DHCP server. My understanding is that only public IPs count as "inside hosts."


(Maybe this will be useful to someone; I trust I didn't simply muddy the waters.)
