PIX 501 Inside Hosts limitation

I'm trying to understand how exactly this limit works.

This is the spec: "The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501."

If I have more than 10 internal hosts, how does it work? How does it count a host, and for how long would it keep it when idle?

Also, I wonder if the internal IP address on the PIX counts as one of the 10 addresses.

Thanks!

http://ITDualism.wordpress.com

Accepted Solution

Re: PIX 501 Inside Hosts limitation

Hi,

A local-host connection on the PIX is a combination of an XLATE (translation) and a CONN (connection).

The PIX-501 with the 10-user limit will allow 10 local-hosts from the inside to the outside.

You can check this with the command: sh local-host

If the inside IP of the PIX gets translated to the outside and creates a local-host, then it will count as 1 user.

If you attempt to pass an 11th user, it will not be able to pass through the PIX.

How long will the PIX keep the table?

It depends on the timeouts for the XLATE and CONN.

Check: sh time

Federico.
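The counting rule in the accepted answer (one XLATE per inside source IP, any number of CONNs behind it, an extra host refused, idle entries aging out so the slot is reusable) is easier to reason about as a small model. The following is an added example, not Cisco code or anything posted in this thread. It assumes, for illustration, a 3-hour XLATE timeout and a 1-hour CONN timeout, and that every refused attempt increments the "denied" counter; none of those specifics are stated on the page.

```python
"""Model of how a PIX 501 user licence counts inside hosts (added example,
not Cisco code). Encodes the behaviour described in the accepted answer:
one XLATE per inside source IP, many CONNs per XLATE, a host beyond the
licence is refused, and idle entries age out so the slot can be reused.

Assumptions made for the model (not stated on the page): a 3h XLATE timeout,
a 1h CONN timeout, and that every refused attempt bumps 'denied'."""
from dataclasses import dataclass, field


@dataclass
class LocalHost:
    ip: str
    conns: dict = field(default_factory=dict)  # (proto, dst, dport) -> last activity
    last_seen: float = 0.0


class PixUserLimit:
    def __init__(self, limit=10, xlate_timeout=3 * 3600, conn_timeout=3600):
        self.limit = limit
        self.xlate_timeout = xlate_timeout
        self.conn_timeout = conn_timeout
        self.hosts = {}       # inside IP -> LocalHost (one XLATE each)
        self.max_active = 0   # high-water mark of concurrent local-hosts (assumed semantics)
        self.denied = 0       # attempts refused because the limit was reached

    def _expire(self, now):
        """Drop CONNs idle past conn_timeout; drop a host's XLATE once it has
        no CONNs left and has been idle past xlate_timeout (frees a slot)."""
        for ip, host in list(self.hosts.items()):
            host.conns = {k: t for k, t in host.conns.items()
                          if now - t < self.conn_timeout}
            if not host.conns and now - host.last_seen >= self.xlate_timeout:
                del self.hosts[ip]

    def open_conn(self, now, src_ip, dst_ip, dport, proto="tcp"):
        """Return True if the connection is allowed, False if refused by the licence."""
        self._expire(now)
        host = self.hosts.get(src_ip)
        if host is None:
            if len(self.hosts) >= self.limit:
                self.denied += 1          # no free slot: refused, counter bumped
                return False
            host = self.hosts[src_ip] = LocalHost(src_ip)
            self.max_active = max(self.max_active, len(self.hosts))
        host.conns[(proto, dst_ip, dport)] = now   # another CONN on the same XLATE
        host.last_seen = now
        return True

    def conn_count(self, src_ip):
        return len(self.hosts[src_ip].conns) if src_ip in self.hosts else 0

    def status(self):
        """(active, maximum active, denied), like the 'Interface inside:' line."""
        return len(self.hosts), self.max_active, self.denied


def demo():
    """10 PCs + 2 servers behind a 10-user licence, then everything goes idle."""
    pix = PixUserLimit(limit=10)
    for i in range(1, 11):                      # the first ten hosts each take a slot
        pix.open_conn(0, f"192.168.1.{i}", "198.51.100.10", 80)
    pix.open_conn(1, "192.168.1.1", "198.51.100.20", 443)   # second page, same XLATE
    for _ in range(5):                          # hosts 11 and 12 keep retrying
        pix.open_conn(2, "192.168.1.11", "198.51.100.10", 80)
        pix.open_conn(2, "192.168.1.12", "198.51.100.10", 80)
    before = pix.status()
    # Much later with no traffic: CONNs and then XLATEs have timed out, host 11 gets in.
    later = 2 + pix.xlate_timeout + 1
    pix.open_conn(later, "192.168.1.11", "198.51.100.10", 80)
    return before, pix.status()


if __name__ == "__main__":
    before, after = demo()
    print("at the limit:", before)
    print("after idle timeouts:", after)
```

Under these assumptions ten retries from two extra hosts show up as ten "denied" while "active" never exceeds the licence, which is the situation the later posts in this thread puzzle over; only after every CONN and then the XLATE of an idle host has timed out does a slot free up for a new host.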


Re: PIX 501 Inside Hosts limitation

Is there a way to see the denied connections?

I see this:

Interface inside: 10 active, 11 maximum active, 154 denied

Who are those 154 denied connections? I have 10 PCs + 2 servers behind this PIX...

http://ITDualism.wordpress.com


Re: PIX 501 Inside Hosts limitation

Thanks!

Re: PIX 501 Inside Hosts limitation

If you can pass traffic through the PIX from a random machine, it is because there's a local-host created for that machine.

You should see the IP of the machine with "sh local-host".

Only the computers that have a local-host entry in the PIX will be allowed to pass traffic.

Do you have traffic from IPs that are not in the local-host table passing through the PIX?

Federico.

Re: PIX 501 Inside Hosts limitation

The 10 active are 10 active XLATEs (translations).

But each translation can have multiple connections.

For example,

If one host opens a web browser to google.com, then it will create 1 XLATE and 1 CONN.

If the same host opens a different page, it will still use the same XLATE but will create another CONN.

If the same host does anything else, it will create more and more CONNs (with the same XLATE, as long as it does not disconnect or time out).

So, you will have basically 10 XLATEs, but multiple connections are possible.

XLATEs are Layer 3

CONNs are Layer 4

You can check the connections in detail with "sh conn detail".

Federico.
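When the question is "which hosts are holding the 10 slots, and how busy or idle is each one", the raw output of "sh local-host" is easier to act on once it is parsed into a per-host table. The script below is an added helper, not Cisco code or anything posted in this thread. The counter line "Interface inside: N active, N maximum active, N denied" is the format quoted earlier in the thread; the per-host layout in the constructed sample (xlate lines, conn lines with "idle h:mm:ss") is an assumption in the PIX 6.x style, so the regexes may need adjusting for a given firmware.

```python
"""Parse 'show local-host' output into a per-host slot report (added helper,
not Cisco code). Shows which inside IPs hold a licence slot, how many CONNs
sit behind each XLATE, and which host has been idle longest.

SAMPLE is constructed; the counter line follows the format quoted in the
thread, the per-host block is an assumed PIX 6.x style layout."""
import re

SAMPLE = """\
Interface inside: 2 active, 3 maximum active, 7 denied
local host: <192.168.1.10>,
    TCP connection count/limit = 2/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    PAT Global 203.0.113.2(1025) Local 192.168.1.10(3456)
    PAT Global 203.0.113.2(1026) Local 192.168.1.10(3457)
  Conn(s):
    TCP out 198.51.100.10:80 in 192.168.1.10:3456 idle 0:00:12 Bytes 1500 flags UIO
    TCP out 198.51.100.20:443 in 192.168.1.10:3457 idle 0:05:30 Bytes 900 flags UIO
local host: <192.168.1.20>,
    TCP connection count/limit = 0/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 1/unlimited
  AAA:
  Xlate(s):
    PAT Global 203.0.113.2(1027) Local 192.168.1.20(5000)
  Conn(s):
    UDP out 198.51.100.53:53 in 192.168.1.20:5000 idle 0:59:01 flags -
"""

COUNTER_RE = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"local host: <([\d.]+)>")
XLATE_RE = re.compile(r"Global ([\d.]+)(?:\((\d+)\))? Local ([\d.]+)")
CONN_RE = re.compile(r"^\s*(TCP|UDP) out ([\d.]+):(\d+) in ([\d.]+):(\d+) idle (\d+):(\d+):(\d+)")


def idle_seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_local_host(text):
    """Return (counters per interface, hosts); hosts maps inside IP ->
    {'xlates': int, 'conns': [(proto, dst, dport, idle_secs), ...]}."""
    counters, hosts, current = {}, {}, None
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            counters[m.group(1)] = {"active": int(m.group(2)),
                                    "max_active": int(m.group(3)),
                                    "denied": int(m.group(4))}
            continue
        m = HOST_RE.search(line)
        if m:                                   # start of a new local-host block
            current = hosts.setdefault(m.group(1), {"xlates": 0, "conns": []})
            continue
        if current is None:
            continue
        if XLATE_RE.search(line):               # Layer 3 entry holding the slot
            current["xlates"] += 1
            continue
        m = CONN_RE.search(line)
        if m:                                   # Layer 4 entry behind that XLATE
            proto, dst, dport, _src, _sport, h, mi, s = m.groups()
            current["conns"].append((proto, dst, int(dport), idle_seconds(h, mi, s)))
    return counters, hosts


def slot_report(hosts):
    """One row per inside IP holding a slot: (ip, xlates, conns, idle seconds of
    the most recent CONN, or None if no CONN is left). Hosts with no CONNs come
    first (only the XLATE timeout keeps them), then the longest idle."""
    rows = []
    for ip, h in hosts.items():
        host_idle = min((c[3] for c in h["conns"]), default=None)
        rows.append((ip, h["xlates"], len(h["conns"]), host_idle))
    return sorted(rows, key=lambda r: (0 if r[3] is None else 1, -(r[3] or 0), r[0]))


if __name__ == "__main__":
    counters, hosts = parse_local_host(SAMPLE)
    for iface, c in counters.items():
        print(f"{iface}: {c['active']} active, {c['max_active']} max, {c['denied']} denied")
    for ip, xlates, conns, idle in slot_report(hosts):
        print(f"{ip:16} xlates={xlates} conns={conns} idle={idle}")
```

Feeding it the real output (paste it in place of SAMPLE, or read it from a file) gives you the list of the hosts currently occupying licence slots and, from the idle column, which one will age out first; comparing the number of rows with the "active" counter is a quick sanity check that the parser understood the format of your firmware.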


Re: PIX 501 Inside Hosts limitation

federico,

I understand the 10 active part, but my question referred to the '154 denied' that shows in the output.

http://ITDualism.wordpress.com

Re: PIX 501 Inside Hosts limitation

The denied conns are most likely because you reached the limit (in most cases you will get a message indicating that you reached the allowed limit).

To see the details about the connections use:

sh conn detail all

Also, do you have any ACL applied to the inside interface?

To see which connections are being denied, you should be able to see them in the logs.

The logs will show which connections (Layer 4) are being denied by the Firewall and the reason.

Federico.


Re: PIX 501 Inside Hosts limitation

No ACL.

Now this is where I get lost: it says 11 max and 10 active, so I'm under the max. How can it deny anything?

Maybe one IP address over the limit tried a few times and each attempt counts as denied, so 154 would be the same machine retrying.

Re: PIX 501 Inside Hosts limitation

Possible.

To be sure, we can check the logs to see if the denied connections are from a valid IP (already passing through the PIX) or from an IP that does not have an XLATE built.

Federico.


Re: PIX 501 Inside Hosts limitation

Federico,

One additional question that came up:

If I reach the limit and one of the random machines cannot browse the internet or over the PIX subnets, why does ping to/from the machine work (to/from another subnet)?

http://ITDualism.wordpress.com
