Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

question about asa5505

Hi,
I have read several posts, but i can't find one that helps with my doubts
I know if a have a 5505 with a 10 user license y will limit to 10 the IPs that pass from inside to outside, but from inside to dmz? Also this are users not connections? Is that right.
The last doubt is if i have a sitetosite vpn to an asa 5520, will the 10 user limit applies to the vpn?.
Hope sonebody can help me with thie
Regards

Juan Pablo Hidalgo

Sent from Cisco Technical Support iPhone App

3 REPLIES
Super Bronze

Re: question about asa5505

Hi,

Here is a quote from a Cisco document

In routed mode, hosts on the inside (Business and  Home VLANs) count towards the limit when they communicate with the  outside (Internet VLAN), including when the inside initiates a  connection to the outside as well as when the outside initiates a  connection to the inside. Note that even when the outside initiates a  connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that  initiate traffic between Business and Home are also not counted towards  the limit. The interface associated with the default route is considered  to be the outside Internet interface. If there is no default route,  hosts on all interfaces are counted toward the limit. In transparent  mode, the interface with the lowest number of hosts is counted towards  the host limit.

See the show local-host command to view host limits.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1150495

So basically only the number of hosts behind the interfaces which DONT have the default route are counted towards your user limit no matter how many different destination IP addresses you are connecting to.

So in the case of your L2L VPN, the remote site and the amount of hosts it has doesnt really matter. As long as the combined amount of hosts behind your ASAs local interfaces dont go over the user limit of the license, you should be fine.

As the quote says, you can check the "show local-host" command output what your limit is and how many hosts are currently counted towards that limit. The output is at the very start.

- Jouni

New Member

Re: question about asa5505

Hi, thanks forbyour reply,
So that means if the vpn users from rhe asa 5505 are 11 the last one won't be able to connect to the vpn peers, so the user limit user is important for this matter
Regards

Juan Pablo

Sent from Cisco Technical Support iPhone App

Super Bronze

question about asa5505

Hi,

If you have "inside" and "dmz" interface then the only thing you really have to look out for is that the amount of hosts behind those interfaces dont go over 10. Then you will see that some single host wont be able to form connections through the firewall.

The "show local-host" command (as said before) should show how close to that limit you are.

Please remember to mark a reply as the correct reply if it answered your question.

- Jouni

111
Views
0
Helpful
3
Replies