
PIX 501 License Pack Help

ComputerErik
Level 1

I am planning on reworking my home network to include a PIX 501 as the firewall device. My reasons are basically to get some firsthand experience, and of course better protect my network. The only part that I am not really certain about is which license package I would need. I would prefer to be able to use the 10 connection 3DES/AES pack.

My network will have maybe a total of 20 PCs behind the router, all will be on the inside network. Three of them are Windows 2003 Servers running AD (two separate VLANs), and DNS. These basically should only be going through the PIX for Windows updates at most once a day, and possible DNS resolutions. One is a media center PC, which only connects infrequently to update the TV guide listings. Three more will be regularly used workstations. That is up to seven total PCs. Numbers eight and nine will be my backup desktop and my laptop. Most of the time I would only be actively using one PC, and the other two workstations will see random use by the family. So far so good, as far as I can see most of the time I won't even have half of my available connections tied up.

The rest of the computers are going to be diskless cluster PCs that I am using in a distributed computing project. They will need to connect to the internet for at most 5 minutes per PC per day. Truth is that it will really be more like once a week per PC for a few minutes, and also likely never at the same time. They will connect as they finish one project to upload the results, and download the next set of work. This is where I see a possible problem.

Now what I am hoping is that since most of the connections should be open most of the time I should be fine with 10 concurrent connections. Then even in the off chance I am using up all 9 of my main PCs at the same time, and multiple cluster PCs want to send at the same time they will just be denied access. If they can't reach the internet server they will wait 15 minutes and try again. After that time I am guessing that the previous connection will have expired, and the next one will be able to connect.

Very basically what I am looking to find out is if many PCs will be able to share one connection. One will make a connection, transmit something, and disconnect. While doing this another PC will try, but fail, and wait until trying again. While waiting the xlate period expires, and that one connection is freed up. Then the PC tries to connect again and is permitted.

Would this work? Or would I need to get a 50 license pack to prevent any problems? It isn't really an issue to have the cluster PCs waiting, I just want the main PCs to be able to connect as needed. Basically I think they should be doing enough internet activity to keep those connections permanently open (more or less anyway).

Thanks.

3 Replies

dentt
Level 1

I would try to crank down the xlate timeout to something very low and test that before you go out and buy a license pack you may or may not need.

try entering:

timeout xlate 00:01:00 (1 minute, which is the minimum)

See how that interacts, and adjust from there.

Let me know how that works, and rate if it does.

TD

I don't actually have the device yet. I wanted to buy one with the appropriate amount of licenses so I could be up and running basically immediately.

That helped though. So if I turn the xlate timeout way down it should basically just forget any connection that isn't actively sending/receiving data, thus opening up another possible connection?

As long as it would actually work like that I would be fine with 10 licenses. I was just worried that it might still be looking for that same IP to make the connection again, even after an xlate timeout. I am guessing that a 30-minute to 1-hour xlate would be good for me.

I have a PIX 501 with a 50 user license. I am running FAH and have 4 home computers that are for the family use and are always in use.

In addition to these I have 12 computers dedicated to FAH at home, 3 of which have dual cores, running 24/7/365. I have never seen my user license usage higher than 6 when I check via the PIX Device Manager. As you stated, the FAH machines only go out when they need to download a new work unit and upload the completed one, which is about a minute or two.

Hope this helps.

GregH
