Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 501 issue

I have a Pix 501 with 10 user licence at a remote office, The remote network has 8 PC.s connecting to my corporate office. I put this 501 in remote network. We have PAT & Ipsec tunneling at remote office, But the PIX is hanging and not allowing more than 3 tunnels. IS it a licence issue.

10 user licence means 10 PC can have multiple sessions like PAT, TElnet,tunnel etc or it means I can have only 10 sessions thro the Pix. Cisco documentation is not clear.

Please provide your valuable suggestion. What license should I go for.REmote office access outside internet/ MAil server and ipsec tunnel to our AS400 server.

THankx a lot

Cisco Employee

Re: PIX 501 issue

User licence is different to ISAKMP Peer licence numbers. Do a "sho ver" on your PIX and check the values as indicated below:


Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

Websense: Enabled

Inside Hosts: 10

Throughput: Limited

ISAKMP peers: 5


If you only have 3 ISAKMP Peers then you'll only be able to build 3 tunnels to 3 different hosts (that includes LAN-to-LAN and client tunnels).

As for what constitutes an "inside host", it is:

- has sent or received traffic through the PIX in the last xlate timeout seconds (five minutes with the 501 default config).

- has a UDP or TCP connection

- has a NAT session

- has a user authentication session

So basically a PC sending traffic through the PIX is an "inside host". That one PC can have any number of connections and translations, that number doesn't matter.