
Deny traffic for local-host inside: license limit of 50 exceeded

Dec 18th, 2002

I have an interesting problem, if you will, with the licensing. My (small-to-medium) company recently purchased two PIX 500 series Firewalls. They act as endpoints for our VPN as well as the usual purposes. The PIX in question (the other is a 515 with no license limitations on hosts) is a PIX 501 3DES 50-User. Our setup is somewhat unique (I'm pretty much a novice) in that we are not using NAT. Meaning, of course, our PIX sees interesting traffic as fully qualified IP addresses and sends the packets through the VPN. We have an access-list tied to the VPN with a /26 address range. The netmask for the inside interface is also /26 (62 hosts) because /27 is just under what we require for our office network. However, when we are port scanned, the license always maxes out even though the access-list blocking port scans is on the outside interface and most of the hosts are non-existent. Can anyone shed some light on this matter for me?

ssoberlik Thu, 12/26/2002 - 07:44

The first thing is to be sure that the following conditions are met.

1) The PIX 501 comes with a 10 user or a 50 user license (10 or 50 concurrent source IP addresses), which specifies the maximum number of source addresses that are allowed behind the 501. Make sure that the number of users behind the 501 is less than or equal to the number specified by your licence.

2) The 501 can have a maximum of 5 VPN peers simultaneously (a maximum of 5 simultaneous VPN/IKE SAs is supported). I guess this is not a problem here since your 501 has only one peer, the 515.

3) The 3DES License allows 3DES encryption on your PIX. Be sure to use the part number 'PIX-501-VPN-3DES' to get the 168-bit 3DES Software license for PIX 501. The minimum software version must be 6.1(1). I don't think that there are any limitations here in terms of numbers.


If all the conditions of licencing above are satisfied, your problem quite possibly is not one of licencing. I guess (and it's a wild guess) the problem could possibly be that the port scan is being seen as an attack and is the cause of the PIX behaving the way it is.
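To confirm whether non-existent addresses in the /26 are the ones consuming license slots, as the original poster suspects, the "license limit exceeded" syslog messages can be grouped by the inside address they name. The following is an added example, not code from the thread or from Cisco; the timestamp/hostname prefix of the sample lines, the inside subnet 192.0.2.64/26 and the host inventory are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the style of the "Deny traffic for
# local-host inside: license limit of 50 exceeded" message from the thread.
# The "Dec 18 2002 ... pix501:" prefix is an assumption made for this example.
SAMPLE_SYSLOG = """\
Dec 18 2002 09:00:01 pix501: Deny traffic for local-host inside:192.0.2.70 license limit of 50 exceeded
Dec 18 2002 09:00:01 pix501: Deny traffic for local-host inside:192.0.2.101 license limit of 50 exceeded
Dec 18 2002 09:00:02 pix501: Deny traffic for local-host inside:192.0.2.102 license limit of 50 exceeded
Dec 18 2002 09:00:02 pix501: Deny traffic for local-host inside:192.0.2.70 license limit of 50 exceeded
Dec 18 2002 09:00:03 pix501: Deny traffic for local-host inside:192.0.2.71 license limit of 50 exceeded
Dec 18 2002 09:00:03 pix501: Deny traffic for local-host inside:192.0.2.130 license limit of 50 exceeded
Dec 18 2002 09:00:04 pix501: some unrelated message that must be ignored
"""

DENY_RE = re.compile(
    r"Deny traffic for local-host inside:(\d+\.\d+\.\d+\.\d+) license limit of (\d+) exceeded"
)

def classify_license_denials(log_text, inside_subnet, known_hosts):
    """Count distinct inside addresses named in license-denial messages and
    sort them into: known (real hosts from the inventory), phantom (inside the
    /26 but not a real host), foreign (not in the inside subnet at all).
    A large 'phantom' count means the cap is being eaten by addresses that
    no real machine owns, e.g. scan targets that nothing will ever answer for."""
    subnet = ipaddress.ip_network(inside_subnet)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    hits = Counter()
    limit = None
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        hits[ipaddress.ip_address(m.group(1))] += 1
        limit = int(m.group(2))
    cats = {"known": 0, "phantom": 0, "foreign": 0}
    for addr in hits:
        if addr in known:
            cats["known"] += 1
        elif addr in subnet:
            cats["phantom"] += 1
        else:
            cats["foreign"] += 1
    return {"limit": limit, "distinct": len(hits),
            "hits": {str(a): n for a, n in hits.items()}, **cats}

if __name__ == "__main__":
    inventory = ["192.0.2.70", "192.0.2.71", "192.0.2.72"]  # constructed
    print(classify_license_denials(SAMPLE_SYSLOG, "192.0.2.64/26", inventory))
```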
