I am planning on reworking my home network to include a PIX 501 as the firewall device. My reasons are basically to get some firsthand experience, and of course better protect my network. The only part that I am not really certain about is which license package I would need. I would prefer to be able to use the 10 connection 3DES/AES pack.
My network will have maybe a total of 20 PCs behind the router, all will be on the inside network. Three of them are Windows 2003 Servers running AD (two separate VLANs), and DNS. These basically should only be going through the PIX for Windows updates at most once a day, and possibly DNS resolutions. One is a media center PC, which only connects infrequently to update the TV guide listings. Three more will be regularly used workstations. That is up to seven total PCs. Numbers eight and nine will be my backup desktop and my laptop. Most of the time I would only be actively using one PC, and the other two workstations will see random use by the family. So far so good, as far as I can see most of the time I won't even have half of my available connections tied up.
The rest of the computers are going to be diskless cluster PCs that I am using in a distributed computing project. They will need to connect to the internet for at most 5 minutes per PC per day. Truth is that it will really be more like once a week per PC for a few minutes, and also likely never at the same time. They will connect as they finish one project to upload the results, and download the next set of work. This is where I see a possible problem.
Now what I am hoping is that since most of the connections should be open most of the time I should be fine with 10 concurrent connections. Then even in the off chance I am using up all 9 of my main PCs at the same time, and multiple cluster PCs want to send at the same time they will just be denied access. If they can't reach the internet server they will wait 15 minutes and try again. After that time I am guessing that the previous connection will have expired, and the next one will be able to connect.
Very basically what I am looking to find out is if many PCs will be able to share one connection. One will make a connection, transmit something, and disconnect. While doing this another PC will try, but fail, and wait until trying again. While waiting the xlate period expires, and that one connection is freed up. Then the PC tries to connect again and is permitted.
Would this work? Or would I need to get a 50 license pack to prevent any problems? It isn't really an issue to have the cluster PCs waiting, I just want the main PCs to be able to connect as needed. Basically I think they should be doing enough internet activity to keep those connections permanently open (more or less anyway).
I don't actually have the device yet. I wanted to buy one with the appropriate amount of licenses so I could be up and running basically immediately.
That helped though. So if I turn the xlate timeout way down it should basically just forget any connection that isn't actively sending/receiving data, thus opening up another possible connection?
As long as it would actually work like that I would be fine with 10 licenses. I was just worried that it might still be looking for that same IP to make the connection again, even after an xlate timeout. I am guessing that a 30-minute to 1-hour xlate would be good for me.
I have a PIX 501 with a 50 user license. I am running FAH and have 4 home computers that are for the family use and are always in use.
In addition to these I have 12 computers dedicated to FAH at home, 3 of which have dual cores, running 24/7/365. I have never seen my user license usage higher than 6 when I check via the PIX Device Manager. As you stated, the FAH machines only go out when they need to download a new work unit and upload the completed one, which is about a minute or two.