Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX user license question

Hi everyone,

I have a quick question, i have two pix 501, both has a 10 user license, i'm going to create a LAN to LAN tunnel between them. Just want to make sure, how the pix going to count how many user conneting, by session? source IP or by MAC address? Also, for VPN tunnel, does the user license affect how many user going through the same tunnel?

Look forward for any reply, thanks


New Member

Re: PIX user license question


The L2L tunnel will count as 1 vpn session out of your 4 allowed. License wont affect number of users going through there as that will only be seen as one session.


New Member

Re: PIX user license question

Thanks Kurits,

How about regular internet connection, what does the PIX count for the license, by user(MAC address/Source address), or simply by sessions?

If by session, what if a user open up 10 connection from his PC, that mean no other people can connect through the PIX?

sorry for so many quesiton, but i reallly want to find out! since i'm thinking about to purchase the 50 user license or not!

thanks in advance

New Member

Re: PIX user license question

The pix 501 supports up to 10 active host on the inside network. A host is considered active when any of the following statements are true:

1. The host has pass traffic through the pix firewall in the last 30 seconds

2. The host has an established nat/pat translation through the pix

3. The host has an established tcp or udp connection

4. The host has an established user auth through the pix.

So one user will not tie up all your 10 sessions, sounds like its gonna be based on source address, dont quote me on that. But either way, you wont have any problems as long as you have 10 or less host on the inside of your pix.

Kurtis Durrett

New Member

Re: PIX user license question

Thanks Kurtis!

New Member

Re: PIX user license question

I have an interesting problem, if you will, with the licensing. My (small-to-medium) company recently purchased two PIX 500 series Firewalls. They act as endpoints for our VPN as well as the usual purposes. The PIX in question (the other is a 515 with no license limitations on hosts) is a PIX 501 3DES 50- User. Our setup is somewhat unique (I'm a pretty much a novice) where we are not using NAT. Meaning, of course, our PIX sees interesting traffic as fully qualified ip addresses and sends the packets though the VPN. We have an access-list tied to the VPN with a /26 address range. The netmask for the inside interface is also /26 (62 hosts) because /27 is just under what we require for our office network. However, when we are port scanned, the license always max-es out even though the access-list blocking port scans is on the outside interface and most of the hosts are non-existant. Can anyone shed some light on this matter for me?