Re: asa 5505 basic license - Page 2

godinerik · ‎10-28-2010

Can anyone explain to me in what exactly the 10host limit of a basic license means? Does the limit apply on the number of hosts allowed to be assigned an internal IP, or is the limit applied on the NAT connections to the outside world?

TIA,

Erik

Federico Coto Fajardo · ‎11-02-2010

>>> Hello Federico,

>>> Lets say that you have a host on the inside, and he is a massive server that has N connections to the outside, how would the firewall now if that is a PAT device or just a Server?

>>> On the local host count it will do as 1 only.

>>> Cheers.

>>> Mike

Mike,

If I have 10 PCs behind the ASA, the ASA won't care how many connections each PC makes correct?

You can have a server doing many connections and regular PCs just browsing for example.

The ASA will still put the limit to 10 PCs to go through (regardless the amount of connections each one has).

If you have a PAT device in between, the ASA will only see connections.

The ASA will see a single XLATE and many connections all coming from the PAT IP.

How is the 10-user limit related to the PAT example then?

Federico.

Federico Coto Fajardo · ‎11-02-2010

I guess the answer is that technically there can be 10 devices doing PAT behind the ASA 5505 with Base License and behind each PAT device you can have many computers and the ASA will only count each PAT device as a single host.

So, the 10-user license is not really 10-user is 10 IP addresses behind the ASA (which could very well be a lot more of 10 devices).

Federico.

Maykol Rojas · ‎11-02-2010

Exactly Federico.

You are totally right. 10 PAT devices will complete the 10 inside host license, no matter how many host you have behind those.

Cheers.

Mike.

Mike

godinerik · ‎11-02-2010

So in other words, there can only be 10 xlates?

Erik Godin

Sent from my wireless device

Maykol Rojas · ‎11-02-2010

Saying xlates is incorrect, You can have 10 local-hosts build up on the inside network, they can have as much translations as they want. You can check how many host are currently on by doing sh resource usage and the command sh local-host | inc local host:

Cheers

Mike

Federico Coto Fajardo · ‎11-03-2010

Maykol,

Thank you for your response and I agree that the correct term to use is local-hosts instead of xlates.

But isn't it true that with a 10-user license there's no possibility of having more than 10 xlates at any given moment?

I mean.. the correct term is local-host but it's true that there can never be more than 10 xlates correct?

Federico.

Maykol Rojas · ‎11-03-2010

Hello Federico,

Not really, You can have policy NAT say for going to google or something like that and then, the rest of the traffic going to the internet will translate to a PAT or something, that way you will be able to see 2 xlates for that host (And if you are doing PAT it will not be just 1 xlate that is being built per connection)

Cheers

Mike