New Member

Cisco ASA 5505 10 user license?

Hi Team,

I have a 10 user license for Cisco ASA; I have to use this ASA for client connectivity.

Can I do NAT of more than 10 users with this license? What I understand is NO.

But as per the explanation below, it looks like I can if I am not doing default routing?

Can anyone explain? Actually I just need to add a specific route towards the client DMZ interface on my ASA, no default route, so can I use more than 10 concurrent sessions with this license?

"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits."

5 REPLIES
New Member

Cisco ASA 5505 10 user license?

Also, I have a router behind the ASA.

If I do NAT of all to 1 PAT on the router and then the traffic hits the ASA, will the ASA consider it 1 inside host?

Red

Re: Cisco ASA 5505 10 user license?

Hi Ahmad,

I guess this is what you might be looking for.

ASA-5505 License Information
Hosts are counted against a license under the following conditions:
1. Inside host initiates a connection to an outside host
2. Inside host initiates a connection to a non-existent outside host
3. Outside host initiates a connection to a valid inside host (which responds)
4. Inside host initiates a connection to-the-box
Note: "Outside" is defined by the interface with the default route. All other interfaces are considered inside for licensing purposes. Only hosts residing out the interface with the default route are not counted against the license.

Hosts are not counted against the license under the following conditions:
1. Outside host initiates a connection to a non-existent inside host
2. Outside host initiates a connection to-the-box

The answer to your second question:

The ASA would count it as one host only.

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Cisco ASA 5505 10 user license?

Thank you for the explanation.

One more question, if you can be specific in your answer.

If I create INSIDE, OUTSIDE, DMZ interfaces,

and do routing only for the INSIDE and DMZ interfaces, with no default route towards OUTSIDE,

can unlimited hosts behind DMZ and INSIDE communicate fine?

Since a host is only counted when traffic goes in/out of the OUTSIDE interface?

Actually the situation is that I have already sent a firewall to the client premises; the purpose of that firewall is not internet or default routing.

Just NAT my 10.x.x.x to 1.1.1.1 when hitting client machines on the 192.168.10.x segment.

So I thought if I am not going to the outside interface, then I can cross the 10 user limit?

Red

Cisco ASA 5505 10 user license?

That's correct, dmz to inside should not be counted.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Cisco ASA 5505 10 user license?

Thank you very very much.
