Cisco Support Community

ASA users license

Dear Sir,

I have a network connected to the internet with ISA and PIX as follows:


where the ISA is doing PAT to private IPs, and the PIX is doing static NAT for the private IP of the ISA to a real IP.

Now I want to replace the PIX firewall with an ASA Anti-X bundle firewall.

I want to know whether the ASA will consider the ISA as a single user, or whether the ASA will consider the ISA as the total of users in the LAN.



Re: ASA users license

Hello anas,

It all depends on how you configure the NAT... if you are configuring a static for the ISA private IP to a public IP, the ASA will consider only a single NAT translation for these IPs.... this can be seen from the "show xlate" command... but depending on the user traffic, there can be multiple connections formed on the ASA.. this can be seen from the "show conn" command... so, it is straightforward, there will be one translation happening, but multiple connections for the same translation...

Hope this helps.. all the best.. rate replies if found useful..



Re: ASA users license

Thank you sir,

So I want to know whether the ASA treats the user as a connection or a translation.

In my scenario the ISA is one translation and doing PAT, and it appears to the ASA as a single IP with multiple connections from this IP.


Re: ASA users license

Yes.. you are right.. the ISA does the PAT and hits the ASA with a single IP.. the ASA sees this as a single translation with a huge number of connections, e.g., 1 user might access yahoo, another hotmail etc.... so, you will have a lot of connections on the "show conn" output...

But why do you need 2 firewalls here?? Can't the users directly sit on the ASA inside interface?? And if the ISA has to do some kinda proxying, let it act only as a proxy server on the inside LAN.. I think you can reconfigure your inside LAN, and the PCs can directly talk to the ASA inside interface. Managing and troubleshooting becomes really easy then... with this setup, the http traffic goes to the ISA for proxy, and all other traffic directly goes to the ASA, which makes it much more simple.. Just my thought ...

Hope this helps.. if you need any more assistance, do reply.. or else close the case, which can be of help to others.. rate replies if found useful..