
ASA licensing?

hiromizu

Diamond Member
I don't normally ask stupid questions like this but when the vendor cannot answer the question, I need peer help : )

I'm looking to buy an ASA5505 base bundle "CISCO ASA5505-BUN-K9" and I'm hearing two conflicting things about the # of users in the description. Cisco tells me the 10 user limit is for the number of simultaneous VPN clients accessing the device while there are people that say it's that and the hard limit for LAN users accessing the internet which is a common thing with Sonicwalls that usually requires additional user licenses.

Does anyone have a clear answer?

I just want to make sure that the 15+ servers behind the security device can access the internet when necessary while having 3 site to site VPNs going. Simple thing to do really..

http://www.newegg.com/Product/Produc...82E16833120135
 
The ASA5505-BUN-K9 has a 10 inside host limitation.

You can buy the ASA5505-50-BUN-K9 for a 50 inside host limitation, or an ASA5505-UL-BUN-K9 for unlimited inside hosts.

The 10 VPN tunnel (remote access or site-to-site) limitation is a limitation on all non-Security Plus ASA5505s, whether they are 10, 50 or unlimited inside hosts.

Here's a good look at the feature sets: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
 
Does it also apply to a host trying to get from one interface to another that isn't the internet (i.e. from LAN to DMZ)?

As I understand it, it counts the number of NATs required. Because LAN to DMZ is technically handled by a NAT on an ASA and not routed, it would likely count against the total number of hosts.

It's the number of required translations that's key.

This also means that hosts which cross VPNs, but not the internet directly, also count toward the inside hosts limit.
 
Extraordinary. Thanks for the clarification. Nowhere does Cisco mention this level of detail. Thanks.
Of course they do, you just have to know where to look. Cisco != easy

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/license.html#wp1129465

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.
 