Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
939
Views
0
Helpful
1
Replies

Deny traffic for local-host inside: license limit of 50 exceeded

brettm73
Level 1
Level 1

‎12-18-2002 08:45 AM - edited ‎02-20-2020 10:26 PM

I have an interesting problem, if you will, with the licensing. My (small-to-medium) company recently purchased two PIX 500 series Firewalls. They act as endpoints for our VPN as well as the usual purposes. The PIX in question (the other is a 515 with no license limitations on hosts) is a PIX 501 3DES 50- User. Our setup is somewhat unique (I'm a pretty much a novice) where we are not using NAT. Meaning, of course, our PIX sees interesting traffic as fully qualified ip addresses and sends the packets though the VPN. We have an access-list tied to the VPN with a /26 address range. The netmask for the inside interface is also /26 (62 hosts) because /27 is just under what we require for our office network. However, when we are port scanned, the license always max-es out even though the access-list blocking port scans is on the outside interface and most of the hosts are non-existant. Can anyone shed some light on this matter for me?

0 Helpful
1 Reply 1

ssoberlik
Level 4
Level 4

‎12-26-2002 07:44 AM

The first thing is to be sure that the following conditions are met.

1) The PIX 501 comes with a 10 user or a 50 user license (10 or 50 concurrent source IP addresses) which specifies the maximum number of source addresses that are allowed behind the 501. Make sure that the number of users behind the 501 are less than or equal to the number specified by your licence.

2) Your The 501 can have a maximum of 5 VPN peers simultaneously (A maximum of 5 simultaneous VPN/IKE SA's supported). I guess this is not a problem here since your 501 has only one peer, the 515.

3) The 3DES License allows 3Des encryption on your PIX. Be sure to use the part number 'PIX-501-VPN-3DES' to get the 168-bit 3DES Software license for PIX 501. The minimum software version must be 6.1(1). I dont think that there are any limitations here in terms of numbers.

If all the conditions of Licencing above are satisfied, your problem quite possibley is not of licencing. I guess (and it's a wild guess) the problem could possibly be that the post scan is being seen as an attack and is the cause of the PIX behaving the way it is.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card