I have a quick question. I have two PIX 501s, both with a 10-user license, and I'm going to create a LAN-to-LAN tunnel between them. I just want to make sure: how is the PIX going to count how many users are connecting, by session, by source IP, or by MAC address? Also, for the VPN tunnel, does the user license affect how many users can go through the same tunnel?
The PIX 501 supports up to 10 active hosts on the inside network. A host is considered active when any of the following statements is true:
1. The host has passed traffic through the PIX firewall in the last 30 seconds.
2. The host has an established NAT/PAT translation through the PIX.
3. The host has an established TCP or UDP connection.
4. The host has an established user authentication through the PIX.
So one user will not tie up all your 10 sessions; it sounds like it's going to be based on source address, but don't quote me on that. Either way, you won't have any problems as long as you have 10 or fewer hosts on the inside of your PIX.
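To make the counting rules in the answer above concrete, here is an added simulation that is not part of this thread and not Cisco code. It replays a constructed event log (packets, translations, connections, user authentications) from inside hosts and applies the four "active host" rules exactly as the answer lists them, keyed on the inside source IP. The event format, the `HOST_LIMIT` constant and all addresses are assumptions made for this illustration; the 30-second window and the 10-host limit are the figures quoted in the answer.

```python
"""Simulated PIX 501 inside-host license counter (added example, not Cisco code).

Rules modelled, as quoted in the answer above: a host is active if it
  1. passed traffic in the last TRAFFIC_WINDOW seconds,
  2. has an xlate (NAT/PAT translation),
  3. has an open TCP/UDP connection, or
  4. has an established user authentication.
Counting is per inside source IP, so many sessions from one host are one host.
All events below are constructed sample data, not captured PIX output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

TRAFFIC_WINDOW = 30  # seconds, rule 1 in the answer
HOST_LIMIT = 10      # PIX 501 10-user license (assumed constant name)


@dataclass
class LicenseState:
    last_traffic: Dict[str, int] = field(default_factory=dict)  # host -> time of last packet
    xlates: Set[str] = field(default_factory=set)               # hosts with a NAT/PAT xlate
    conns: Dict[str, int] = field(default_factory=dict)         # host -> open conn count
    authed: Set[str] = field(default_factory=set)               # hosts with user auth


def apply_event(state: LicenseState, ev: dict) -> None:
    """Update the state for one event; event kinds are an assumed schema."""
    kind, host = ev["kind"], ev["host"]
    if kind == "packet":
        state.last_traffic[host] = ev["time"]
    elif kind == "xlate_add":
        state.xlates.add(host)
    elif kind == "xlate_del":
        state.xlates.discard(host)
    elif kind == "conn_open":
        state.conns[host] = state.conns.get(host, 0) + 1
    elif kind == "conn_close":
        remaining = state.conns.get(host, 0) - 1
        if remaining <= 0:
            state.conns.pop(host, None)   # rule 3 no longer applies to this host
        else:
            state.conns[host] = remaining
    elif kind == "auth":
        state.authed.add(host)
    else:
        raise ValueError(f"unknown event kind {kind!r}")


def active_hosts(state: LicenseState, now: int) -> Set[str]:
    """Union of the four rules: one entry per inside host, however many sessions."""
    recent = {h for h, t in state.last_traffic.items() if now - t <= TRAFFIC_WINDOW}
    return recent | state.xlates | set(state.conns) | state.authed


def replay(events: List[dict], now: int) -> Set[str]:
    """Replay events with time <= now and return the hosts counted at `now`."""
    state = LicenseState()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] <= now:
            apply_event(state, ev)
    return active_hosts(state, now)


def license_ok(active: Set[str]) -> bool:
    return len(active) <= HOST_LIMIT


def sample_events() -> List[dict]:
    """Constructed log: four inside hosts, one of them with 40 simultaneous sessions."""
    ev = [
        {"kind": "packet", "host": "10.1.1.6", "time": 0},       # traffic only, will age out
        {"kind": "xlate_add", "host": "10.1.1.7", "time": 5},    # xlate keeps it active
        {"kind": "packet", "host": "10.1.1.7", "time": 5},
        {"kind": "packet", "host": "10.1.1.5", "time": 10},
        {"kind": "auth", "host": "10.1.1.8", "time": 15},        # user auth keeps it active
    ]
    ev += [{"kind": "conn_open", "host": "10.1.1.5", "time": 10} for _ in range(40)]
    ev += [{"kind": "conn_close", "host": "10.1.1.5", "time": 150} for _ in range(40)]
    return ev


def sample_burst_events() -> List[dict]:
    """Constructed log: 12 distinct inside hosts each send one packet at t=200."""
    return [{"kind": "packet", "host": f"10.1.1.{100 + i}", "time": 200} for i in range(12)]


if __name__ == "__main__":
    for now in (20, 100, 200):
        hosts = replay(sample_events(), now)
        print(f"t={now}: {len(hosts)} host(s) counted, ok={license_ok(hosts)}: {sorted(hosts)}")
    burst = replay(sample_burst_events(), 210)
    print(f"burst t=210: {len(burst)} host(s), ok={license_ok(burst)}")
```

In the replay, 10.1.1.5 is counted once at t=20 and t=100 despite 40 open connections, drops out at t=200 once its connections are closed and its last packet is older than 30 seconds, while 10.1.1.7 (xlate) and 10.1.1.8 (user auth) stay counted; the burst log shows how 12 distinct inside hosts exceed the limit even though each sent a single packet.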
I have an interesting problem, if you will, with the licensing. My (small-to-medium) company recently purchased two PIX 500 series firewalls. They act as endpoints for our VPN as well as serving the usual purposes. The PIX in question (the other is a 515 with no license limitations on hosts) is a PIX 501 3DES 50-user. Our setup is somewhat unique (I'm pretty much a novice) in that we are not using NAT. Meaning, of course, our PIX sees interesting traffic as fully qualified IP addresses and sends the packets through the VPN. We have an access list tied to the VPN with a /26 address range. The netmask for the inside interface is also /26 (62 hosts) because /27 is just under what we require for our office network. However, when we are port scanned, the license always maxes out even though the access list blocking port scans is on the outside interface and most of the hosts are non-existent. Can anyone shed some light on this matter for me?