topic ASA5505 Inside Hosts limit in Network Security

ASA5505 Inside Hosts limit

Patrick McHenry — Mon, 11 Mar 2019 22:32:01 GMT

Hi,

The ASA5505 I am working with has this from the show version:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?

Thanks, Pat.

ASA5505 Inside Hosts limit

Dan-Ciprian Cicioiu — Sun, 19 Feb 2012 13:22:15 GMT

Hi Patrick,

"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are

not

counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the

show local-host

command to view host limits."

So to answer your question, you're ok if you will connect an AP, the limit is refering to the hosts that need access from inside to outside.

Dan

ASA5505 Inside Hosts limit

Patrick McHenry — Sun, 19 Feb 2012 14:54:17 GMT

I would like users - possibly more than 10 at a time to be able to connect to the Internet. I was going to connect the 5505 to a Comcast Business Internet circuit and hang a couple of 1260 APs from the PoE interfaces. Now I am wondering if this is possible.

One line in your post is confusing me:

"Hosts that initiate traffic between Business and Home are also not counted towards the limit."

Did you mean to say:

Hosts that initiate traffic between Business and Home are also counted towards the limit. ?

Thanks, Pat.

ASA5505 Inside Hosts limit

Dan-Ciprian Cicioiu — Sun, 19 Feb 2012 17:13:23 GMT

Hi Patrick ,

The text as it is, if taken from ASA Command Line Configuration :

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1012343

My undestanding is that only traffic from any inside hosts that generate traffic to outside counts.

Dan

ASA5505 Inside Hosts limit

Julio Carvajal — Sun, 19 Feb 2012 21:58:04 GMT

Hello Patrick,

More than 10 users going to the internet trough the firewall.

Nop, that is not posible.

You can do a show local-host and you will see a report of the local users connection and please notice the first line saying that you reach the maximum number of host due to the license restriction.

So in this case you will need to get the proper license to do it ( 50 user license or UL (unlimit license)

Do rate helpful posts

Julio

ASA5505 Inside Hosts limit

Patrick McHenry — Sun, 19 Feb 2012 22:02:37 GMT

Julio,

Do you know approximately how much a 50 user license would be?

Thanks, Pat

ASA5505 Inside Hosts limit

Julio Carvajal — Sun, 19 Feb 2012 22:10:55 GMT

Hello Patrick,

Not at all, I work for the security team so I do not handle prices

But here are both licenses, so you can call your re-seller and ask him about it.

ASA5505-50-BUN-K9 = 50 user bundle

ASA5505-UL-BUN-K9 = Unlimit users

Regards,

Do rate helpful posts

Julio

ASA5505 Inside Hosts limit

Patrick McHenry — Sun, 19 Feb 2012 22:20:47 GMT

Julio one more question,

The 3 VLAN limit is slightly confusing. I know the outside interface will be VLAN 1 and the inside interface will be VLAN 2, but will I be able to create a 3rd VLAN. I would like to use this Internet circuit for our own IT staff and Vendors that might work in different locations in the building and keep them seperate via an access-list. I will be able to move the APs where ever I want via a non-routed VLAN and we were doing this with a Linksys router and some other routers acting as APs but, it wasn't reliable thus the reason we are trying to use a little higher grade equipment without breaking the bank. We had this 5505 lying around.

ASA5505 Inside Hosts limit

Amit Rai — Tue, 21 Feb 2012 13:48:46 GMT

Hi Patrick,

you can create 3 vlans like inside, outside and dmz however as you have dmz restricted license you would not be able to initiate the communication between all of them. f

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside work network, and a third VLAN assigned to your home network. The home network does not need to access the work network, so you can use the no forward interface command on the home VLAN; the work network can access the home network, but the home network cannot access the work network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

ASA5505 Inside Hosts limit

Patrick McHenry — Wed, 22 Feb 2012 12:39:45 GMT

Amit,

Thanks for the response.

Are you saying that if I create this third interface and do as you say, will I be able to communicate betwwen the third VLAN and the outside VLAN? Because if I can't, then there would be no reason for this as I want both the inside VLAN and the third VLAN to got to the Internet. Also,if they can, will I be able to have more than 10 users going to the Internet at once?

Thanks, Pat.