Can anyone explain to me what exactly the 10-host limit of a basic license means? Does the limit apply to the number of hosts allowed to be assigned an internal IP, or is the limit applied to the NAT connections to the outside world?
It means that only 10 hosts can go through the firewall making a connection entry, which means yes, only 10 hosts can go out to the internet.
It's the max no. of simultaneous connections that can exist through the ASA at any point. Or, in other words, it means there are 10 active hosts behind the firewall. The 'behind' is counted as all the interfaces except the one out of which the default route exists.
The current no. of hosts counted towards the license is displayed at the beginning of the "show local-host" output.
Hope that answers your query.
Adding a bit more to Manisha's snippet:
For the purposes of node accounting, the ASA system module must count nodes on all interfaces except the interface or interfaces with the lowest security level. If there is more than one interface (but not all) with the lowest security level, the ASA system module must exclude from the node accounting all of the lowest security level interfaces. If all interfaces are at the same security level, the ASA system module must count all interfaces. In multi mode, the ASA system module applies this algorithm to each context, and the total daily node count is the sum of all contexts.
NOTE: ASA must use the notion of nodes for enforcement of user licenses, where a node is defined as a distinct source IP address or the address of a device that is internal to the enterprise.
Ok so based on the answers, it sounds like it means "10 active simultaneous TCP connections can cross from one VLAN to another at any given time". If this is the case, I do have a few follow-up questions:
- Does this mean we can assign as many IPs as we want on the inside VLAN? (i.e.: one system with 100 IPs) as long as only 10 connections are crossing from one VLAN to another?
- Does this mean that even once the 10 active simultaneous connections are reached, hosts within the same VLAN can still communicate with each other at will (since it doesn't get routed to another VLAN)?
- Would there be a limit on the number of MACs which can be on the inside VLAN? i.e.: an ASA5505 only has 8 ports, but what if one of those machines is running VMs? Will it be a problem having more than 10 different MACs on the inside VLAN?
- Will the ASA accept multiple (i.e.: >10) static xlate connections if my license is only a basic one?
It does not really care how many hosts you have in each VLAN. The trick here is that only 10 hosts can make connections to the outside world or the other VLAN; it is not based on just 10 TCP connections. 1 host can have as many connections as it wants; the problem is that when you reach 10 hosts, number 11 is not going to be able to go out to the other VLANs.
But basically, to answer your questions, you can have as many hosts as you want on each VLAN; only 10 can go through the ASA to the other VLANs.
Hope this makes sense.
It's very late right now so sorry for the question...
How exactly does the ASA count the 10 hosts?
The reason I ask is because I used to think that the ASA counted the IPs for the hosts (10 hosts = 10 IPs)
But what if there's a PAT device between the hosts and the ASA? The ASA will see the 300 hosts that I have as a single IP.
I know the ASA is not stupid to think there's a single host when really having 300 being PATed, so I want to ask how exactly the ASA counts up to 10 hosts?
Thank you all,
Even if there is a PATting device that does PATting, for each PATted IP address the ASA maintains a connection entry in its state table. It uses source IP, destination IP, source port, destination port and protocol to identify each flow.
So, once 10 PATted IP connections are made through the ASA, the ones coming in after that are dropped.
hope that answers your query.
Federico/Manisha... I am afraid that's not true. Like I said earlier, ASA uses the notion of nodes for enforcement of user licenses, where a node is defined as a distinct source IP address. This means that an ASA w/ 10-user limit license in no way can track machines (>10 different IPs) coming from behind a PAT address; the ASA will see it coming from one single node (i.e. from the PAT address) and allow the traffic through.
Hmmmm that makes more sense but still something I don't understand...
If I'm limited because I purchased an ASA 5505 with 10-user license, does it mean that I can have a PAT device in between and have X number of machines (let's say 100) going through the ASA at the same time?
Does not make much sense having to purchase a 50-user or unlimited license right?
Let's say that you have a host on the inside, and it is a massive server that has N connections to the outside; how would the firewall know if that is a PAT device or just a server?
On the local host count it will count as 1 only.
> If I'm limited because I purchased an ASA 5505 with 10-user license, does it mean that I can have a PAT device in between and have X number of machines (let's say 100) going through the ASA at the same time?
> Does not make much sense having to purchase a 50-user or unlimited license right?
Answer: What's the better deal for 20 different hosts to go out (let's say)?
a) Purchase a 50-user license on the ASA, vs.
b) Purchase an ASA w/ 10-user license + purchase a router X that may do PATting; now this router X had better be a good one, costly enough not just to do PATting but also protocol inspection to support voice/media/audio traffic on PATting.
I would choose deal a) any day.
Don't get me wrong I agree with you... I was saying that in case you happen to have a PAT device you can then use it to trick the ASA to allow more than 10 hosts through it.
>>> Hello Federico,
>>> Let's say that you have a host on the inside, and it is a massive server that has N connections to the outside; how would the firewall know if that is a PAT device or just a server?
>>> On the local host count it will do as 1 only.
If I have 10 PCs behind the ASA, the ASA won't care how many connections each PC makes correct?
You can have a server doing many connections and regular PCs just browsing for example.
The ASA will still put the limit at 10 PCs to go through (regardless of the number of connections each one has).
If you have a PAT device in between, the ASA will only see connections.
The ASA will see a single XLATE and many connections all coming from the PAT IP.
How is the 10-user limit related to the PAT example then?
I guess the answer is that technically there can be 10 devices doing PAT behind the ASA 5505 with Base License and behind each PAT device you can have many computers and the ASA will only count each PAT device as a single host.
So, the 10-user license is not really 10 users; it's 10 IP addresses behind the ASA (which could very well be a lot more than 10 devices).
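To make the node-accounting rule quoted earlier in the thread (count distinct source IPs on every interface except the lowest-security ones, sum across contexts) and the PAT question above concrete, here is an added Python model. It is not Cisco code and not from this thread; the interface names, security levels and flow records are constructed sample data, and the 10-node limit is just the Base License number the thread discusses.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed flow record: (context, ingress interface, src IP, dst IP, src port, dst port, proto).
# The ASA keys its connection table on the 5-tuple, but node accounting only looks at src IP.
Flow = Tuple[str, str, str, str, int, int, str]

def counted_interfaces(security_levels: Dict[str, int]) -> Set[str]:
    """Interfaces whose sources count as nodes: every interface except those at
    the lowest security level, unless all interfaces share that level (then all count)."""
    lowest = min(security_levels.values())
    if all(level == lowest for level in security_levels.values()):
        return set(security_levels)
    return {name for name, level in security_levels.items() if level != lowest}

def count_nodes(contexts: Dict[str, Dict[str, int]], flows: Iterable[Flow]) -> Dict[str, int]:
    """Distinct source IPs per context on the counted interfaces. Ports and protocol
    are ignored, so one server with many connections, or one PAT router fronting a
    hundred machines, is a single node."""
    nodes = defaultdict(set)
    for ctx, ifc, src_ip, *_rest in flows:
        if ifc in counted_interfaces(contexts[ctx]):
            nodes[ctx].add(src_ip)
    return {ctx: len(nodes[ctx]) for ctx in contexts}

def license_check(contexts: Dict[str, Dict[str, int]], flows: Iterable[Flow], limit: int = 10) -> Tuple[int, bool]:
    """Total nodes across contexts (multi mode sums them) and whether the limit is exceeded."""
    total = sum(count_nodes(contexts, flows).values())
    return total, total > limit

# Constructed sample: single context with inside (100) / dmz (50) / outside (0).
CONTEXTS = {"single": {"inside": 100, "dmz": 50, "outside": 0}}
SAMPLE_FLOWS = (
    # nine ordinary inside PCs, two connections each
    [("single", "inside", f"192.168.1.{i}", "203.0.113.10", 40000 + i, 443, "tcp") for i in range(1, 10)]
    + [("single", "inside", f"192.168.1.{i}", "203.0.113.10", 50000 + i, 80, "tcp") for i in range(1, 10)]
    # one PAT router with 100 machines behind it: 100 connections, one source IP, one node
    + [("single", "inside", "192.168.1.254", "203.0.113.20", 10000 + p, 443, "tcp") for p in range(100)]
    # a DMZ host is still "behind" the firewall and is counted
    + [("single", "dmz", "172.16.0.5", "203.0.113.30", 123, 123, "udp")]
    # inbound traffic arriving on the lowest-security interface is not counted
    + [("single", "outside", "198.51.100.7", "192.168.1.1", 5555, 22, "tcp")]
)

if __name__ == "__main__":
    print(count_nodes(CONTEXTS, SAMPLE_FLOWS))    # {'single': 11}
    print(license_check(CONTEXTS, SAMPLE_FLOWS))  # (11, True): the eleventh node exceeds a 10-user license
```

The 100 PAT connections contribute exactly one node, while the ninth PC plus the DMZ host push the total to 11, which is the situation where the thread says host number 11 is refused.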
You are totally right. 10 PAT devices will use up the 10 inside host license, no matter how many hosts you have behind those.
Saying xlates is incorrect. You can have 10 local-hosts built up on the inside network; they can have as many translations as they want. You can check how many hosts are currently on by doing sh resource usage and the command sh local-host | inc local host:
Thank you for your response and I agree that the correct term to use is local-hosts instead of xlates.
But isn't it true that with a 10-user license there's no possibility of having more than 10 xlates at any given moment?
I mean.. the correct term is local-host but it's true that there can never be more than 10 xlates correct?
Not really. You can have policy NAT, say for going to Google or something like that, and then the rest of the traffic going to the internet will translate to a PAT or something; that way you will be able to see 2 xlates for that host (and if you are doing PAT it will not be just 1 xlate that is being built per connection).