If you have an ASA with 10 host licenses, and that ASA is a spoke in a LAN-to-LAN VPN, how do hosts that are talking across the VPN count? I know that NAT hosts that want to go to the internet count as a host, and the 11th host will get denied, but not in a very clear way (the connection just kind of hangs as if it can't find it or that website is down). If a PC on the inside connects to a resource on the other side of the VPN, does that count as a host license as well, or is that different?
I have a 10 user ASA 5505 that has 16 devices behind it (as shown by DHCPD bindings), 7 of which are IP phones that MOST OF THE TIME only talk to the local voice server. However they sometimes get denied talking across the VPN to other devices, and clearing the VPN and re-establishing the VPN (clear cry isa sa) will usually fix this.
Based on the license specs I understand that any host destined to talk to the internet VLAN, which is your outside interface where the VPN tunnel terminates, counts towards the host limitation in the 10 user base license. You can issue show local-host on the firewall, which will show per host TCP/UDP connection counts. You may also use show conn.
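The answer above points at show local-host as the place to see which inside hosts are consuming the license. The following script is an added example, not something posted in this thread or shipped by Cisco: it parses a constructed sample shaped like that command's output (the exact field layout is an assumption and varies across ASA releases), counts the hosts seen per interface, and flags an interface whose "denied" counter is non-zero or whose peak active count has reached the 10-host limit. That gives an explicit indicator for the silent "connection just hangs" symptom described in the question.

```python
import re

# The 10-host base license discussed in the thread.
LICENSE_HOST_LIMIT = 10

# Constructed sample in the shape of `show local-host` output. This is an
# assumption made for the example; real output differs between ASA versions.
SAMPLE_OUTPUT = """\
Interface outside: 0 active, 1 maximum active, 0 denied
Interface inside: 3 active, 11 maximum active, 4 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited
local host: <192.168.1.11>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited
local host: <192.168.1.21>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
"""

IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"^local host: <([^>]+)>")
FLOW_RE = re.compile(r"^\s+(TCP|UDP) flow count/limit = (\d+)/")


def parse_local_host(output):
    """Build {interface: {active, max_active, denied, hosts: {ip: {TCP, UDP}}}}.

    Hosts are attached to the most recent "Interface ..." summary line,
    which is the order the command prints them in.
    """
    report = {}
    iface = None
    host = None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            report[iface] = {
                "active": int(m.group(2)),
                "max_active": int(m.group(3)),
                "denied": int(m.group(4)),
                "hosts": {},
            }
            host = None
            continue
        m = HOST_RE.match(line)
        if m and iface is not None:
            host = m.group(1)
            report[iface]["hosts"][host] = {"TCP": 0, "UDP": 0}
            continue
        m = FLOW_RE.match(line)
        if m and host is not None:
            report[iface]["hosts"][host][m.group(1)] = int(m.group(2))
    return report


def license_findings(report, limit=LICENSE_HOST_LIMIT):
    """Return interfaces that have denied hosts or whose peak count hit the limit.

    "denied" maps interface -> denied counter; "at_limit" lists interfaces whose
    maximum active host count is at or above the licensed limit.
    """
    denied = {i: d["denied"] for i, d in report.items() if d["denied"] > 0}
    at_limit = [i for i, d in report.items() if d["max_active"] >= limit]
    return {"denied": denied, "at_limit": at_limit}


def idle_hosts(report, iface):
    """Hosts on an interface that currently hold no TCP or UDP flows.

    Such entries (the mostly idle IP phones in the question, for instance) still
    occupy a slot until they time out, so they are worth knowing about.
    """
    return sorted(h for h, f in report[iface]["hosts"].items()
                  if f["TCP"] == 0 and f["UDP"] == 0)


if __name__ == "__main__":
    rep = parse_local_host(SAMPLE_OUTPUT)
    for name, data in rep.items():
        print(f"{name}: {data['active']} active, peak {data['max_active']}, "
              f"{data['denied']} denied, {len(data['hosts'])} hosts listed")
    print("findings:", license_findings(rep))
    print("idle on inside:", idle_hosts(rep, "inside"))
```

In practice you would paste the real command output into parse_local_host instead of the constructed sample; a non-zero "denied" value on the inside interface is the concrete evidence that the license limit, not the VPN tunnel itself, is what the phones are hitting.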