https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262370#M346078 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you have <STRONG>"inside"</STRONG> and <STRONG>"dmz"</STRONG> interface then the only thing you really have to look out for is that the amount of hosts behind those interfaces dont go over 10. Then you will see that some single host wont be able to form connections through the firewall.</P><P></P><P>The <STRONG>"show local-host"</STRONG> command (as said before) should show how close to that limit you are.</P><P></P><P>Please remember to mark a reply as the correct reply if it answered your question.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 20 Jul 2013 16:42:04 GMT Jouni Forss 2013-07-20T16:42:04Z https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262367#M346075 <P>Hi,<BR />I have read several posts, but i can't find one that helps with my doubts<BR />I know if a have a 5505 with a 10 user license y will limit to 10 the IPs that pass from inside to outside, but from inside to dmz? Also this are users not connections? Is that right.<BR />The last doubt is if i have a sitetosite vpn to an asa 5520, will the 10 user limit applies to the vpn?.<BR />Hope sonebody can help me with thie<BR />Regards<BR /><BR />Juan Pablo Hidalgo<BR /><BR />Sent from Cisco Technical Support iPhone App</P> Tue, 12 Mar 2019 02:14:55 GMT https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262367#M346075 rbarreir 2019-03-12T02:14:55Z https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262368#M346076 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here is a quote from a Cisco document</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>In routed mode, hosts on the inside (Business and&nbsp; Home VLANs) count towards the limit when they communicate with the&nbsp; outside (Internet VLAN), including when the inside initiates a&nbsp; connection to the outside as well as when the outside initiates a&nbsp; connection to the inside. Note that even when the outside initiates a&nbsp; connection to the inside, outside hosts are <EM>not</EM> counted towards the limit; only the inside hosts count. Hosts that&nbsp; initiate traffic between Business and Home are also not counted towards&nbsp; the limit. The interface associated with the default route is considered&nbsp; to be the outside Internet interface. If there is no default route,&nbsp; hosts on all interfaces are counted toward the limit. In transparent&nbsp; mode, the interface with the lowest number of hosts is counted towards&nbsp; the host limit.</P><P></P><P>See the <STRONG>show local-host</STRONG> command to view host limits. </P></PRE><P></P><P>Source:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1150495">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1150495</A></P><P></P><P>So basically only the number of hosts behind the interfaces which DONT have the default route are counted towards your user limit no matter how many different destination IP addresses you are connecting to.</P><P></P><P>So in the case of your L2L VPN, the remote site and the amount of hosts it has doesnt really matter. As long as the combined amount of hosts behind your ASAs local interfaces dont go over the user limit of the license, you should be fine.</P><P></P><P>As the quote says, you can check the <STRONG>"show local-host" </STRONG>command output what your limit is and how many hosts are currently counted towards that limit. The output is at the very start.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 20 Jul 2013 14:28:41 GMT https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262368#M346076 Jouni Forss 2013-07-20T14:28:41Z https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262369#M346077 <HTML><HEAD></HEAD><BODY><P>Hi, thanks forbyour reply,<BR />So that means if the vpn users from rhe asa 5505 are 11 the last one won't be able to connect to the vpn peers, so the user limit user is important for this matter<BR />Regards<BR /><BR />Juan Pablo<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sat, 20 Jul 2013 15:10:11 GMT https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262369#M346077 rbarreir 2013-07-20T15:10:11Z https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262370#M346078 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you have <STRONG>"inside"</STRONG> and <STRONG>"dmz"</STRONG> interface then the only thing you really have to look out for is that the amount of hosts behind those interfaces dont go over 10. Then you will see that some single host wont be able to form connections through the firewall.</P><P></P><P>The <STRONG>"show local-host"</STRONG> command (as said before) should show how close to that limit you are.</P><P></P><P>Please remember to mark a reply as the correct reply if it answered your question.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 20 Jul 2013 16:42:04 GMT https://community.cisco.com/t5/network-security/question-about-asa5505/m-p/2262370#M346078 Jouni Forss 2013-07-20T16:42:04Z