Hi, I have read several posts, but I can't find one that helps with my doubts. I know if I have a 5505 with a 10 user license it will limit to 10 the IPs that pass from inside to outside, but from inside to dmz? Also, these are users, not connections? Is that right? The last doubt is if I have a site-to-site VPN to an ASA 5520, will the 10 user limit apply to the VPN? Hope somebody can help me with this. Regards
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.
See the show local-host command to view host limits.
So basically only the number of hosts behind the interfaces which DON'T have the default route are counted towards your user limit, no matter how many different destination IP addresses you are connecting to.
So in the case of your L2L VPN, the remote site and the amount of hosts it has doesn't really matter. As long as the combined amount of hosts behind your ASA's local interfaces doesn't go over the user limit of the license, you should be fine.
As the quote says, you can check the "show local-host" command output to see what your limit is and how many hosts are currently counted towards that limit. The output is at the very start.
If you have "inside" and "dmz" interfaces then the only thing you really have to look out for is that the amount of hosts behind those interfaces doesn't go over 10. Otherwise you will see that some single host won't be able to form connections through the firewall.
The "show local-host" command (as said before) should show how close to that limit you are.
Please remember to mark a reply as the correct reply if it answered your question.
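As an added illustration (this is not code from the original post or from Cisco), here is a small Python model of the counting rule quoted above for routed mode: a distinct host on a non-Internet interface is counted once when it exchanges traffic with the interface holding the default route, in either direction; hosts on the Internet side, traffic that stays among the other interfaces (inside to dmz), and repeat connections from the same host are not counted. Interface names, addresses and the connection records are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """One observed connection: each side's address and the ASA interface it sits on."""
    src_ip: str
    src_if: str
    dst_ip: str
    dst_if: str

def counted_hosts(conns, default_route_if):
    """Return the set of hosts that count towards the ASA 5505 host licence.

    Rule modelled (from the ASA documentation quoted in the thread, routed mode):
      * the interface holding the default route is the "Internet" interface;
      * a host on any other interface counts once when it talks to the Internet
        interface, whichever side initiated; the Internet-side host never counts;
      * traffic that stays among the non-Internet interfaces counts nothing;
      * with no default route at all, hosts on every interface are counted.
    """
    counted = set()
    for c in conns:
        if default_route_if is None:
            counted.update({c.src_ip, c.dst_ip})
        elif c.src_if != default_route_if and c.dst_if == default_route_if:
            counted.add(c.src_ip)   # inside/dmz host initiating towards the Internet
        elif c.src_if == default_route_if and c.dst_if != default_route_if:
            counted.add(c.dst_ip)   # Internet side initiating inward: only the local host counts
        # both ends on non-Internet interfaces (e.g. inside -> dmz): nothing counted
    return counted

def licence_report(conns, default_route_if, host_limit=10):
    """Summarise how many licensed hosts are in use and whether the limit is exceeded."""
    hosts = counted_hosts(conns, default_route_if)
    return {"counted": len(hosts), "limit": host_limit, "over_limit": len(hosts) > host_limit}

# Constructed sample traffic (addresses and interface names are made up for this example).
SAMPLE = [
    Conn("192.168.1.10", "inside", "203.0.113.5", "outside"),   # inside -> Internet: counts
    Conn("192.168.1.10", "inside", "198.51.100.9", "outside"),  # same host again: still one user
    Conn("192.168.1.11", "inside", "203.0.113.5", "outside"),   # second inside host: counts
    Conn("192.168.1.12", "inside", "172.16.0.20", "dmz"),       # inside -> dmz: not counted
    Conn("172.16.0.20", "dmz", "203.0.113.5", "outside"),       # dmz host -> Internet: counts
    Conn("10.20.0.50", "outside", "192.168.1.13", "inside"),    # remote L2L VPN host reaching inside:
]                                                               #   remote host free, inside host counts

if __name__ == "__main__":
    print(licence_report(SAMPLE, "outside"))
```

With the sample above four local hosts are counted (192.168.1.12 is not, because it only talks to the dmz), so a 10 user licence is nowhere near exhausted even though six connections are open.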