asa 5505 limitations

Hello everyone,

I have a question about the limitations with an ASA5505.

I am starting a new network and happened to have a 5505 on the shelf. So, I figured I would get started with it. The ASA that I am currently planning to bring is an ASA5505-BUN-K9. This is the 10-user bundle. I thought that this would cover my immediate needs; however, some other things cropped up that are making me think that it may not. I'd break it out and just try these things out myself, but it is on a truck and the next time I have it in my hands will be while I am trying to make it work. So, I have the following questions:

  1. Should this support DMZ? I know it has 8 ports. So, I could make one for the outside, one for the dmz, and the other 6 for the inside. Should the 10-user license support that, or do I need to go to security plus? 

  2. I believe there is a 10 user limit on this. How is this enforced? Does this mean that it will only route traffic for 10 hosts? I don't believe that I will have 10 users actually accessing the internet, but I may have more than 10 devices. Some of those devices would have traffic going through a site-to-site VPN. Perhaps it controls it through NAT, in which case the devices (since they would be NAT exempt) would not count?

Thanks,
Ben

Accepted Solution
Cisco Employee

Hi,

As per your 1st query, the DMZ is a restricted VLAN for this license. This means you would be able to configure the DMZ VLAN, but it will be able to talk with either the inside or the outside interface, not both simultaneously.

As per the 2nd query, I think this doc explains the process on how it is implemented:-

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html

Thanks and Regards,

Vibhor Amrodia
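The counting rule quoted in the accepted answer, as an added worked model that is not Cisco's code and not part of the original reply: the ASA does this accounting itself and reports it via `show local-host`; this Python function only applies the quoted routed-mode rules to constructed sample connections so the effect of the default route on the count becomes visible. The interface names (`inside`, `outside`, `dmz`) and all addresses are assumptions.

```python
"""Model of the ASA 5505 Base-license host-count rule quoted above (routed mode).
Added illustration, not Cisco code: the ASA does this accounting itself and
reports it via `show local-host`; this only applies the quoted rules to
constructed sample connections so the effect of the default route is visible."""

from collections import namedtuple

# One connection as seen after routing: initiator address and interface,
# responder address and interface. Interface names are assumed.
Conn = namedtuple("Conn", "src_ip src_if dst_ip dst_if")


def counted_hosts(conns, default_route_if):
    """Return the set of host addresses that count toward the license limit.

    Quoted rules:
      * The interface holding the default route is the 'outside'. Hosts on
        any other interface count when they talk with outside, whether the
        inside or the outside initiated the connection.
      * Outside hosts never count.
      * Traffic between two non-outside interfaces (Business <-> Home in the
        doc, inside <-> dmz here) does not count.
      * With no default route (default_route_if is None), hosts on all
        interfaces count.
    """
    hosts = set()
    for c in conns:
        if default_route_if is None:
            hosts.update((c.src_ip, c.dst_ip))
        elif c.src_if == default_route_if and c.dst_if != default_route_if:
            hosts.add(c.dst_ip)   # outside initiated inbound: the inside host counts
        elif c.dst_if == default_route_if and c.src_if != default_route_if:
            hosts.add(c.src_ip)   # inside initiated outbound: the inside host counts
        # inside <-> inside (or outside <-> outside): nobody counts
    return hosts


def over_limit(conns, default_route_if, limit=10):
    """True when the counted hosts exceed the licensed limit (10 on the
    10-user bundle asked about in the question)."""
    return len(counted_hosts(conns, default_route_if)) > limit


# Constructed sample connections (documentation/test address ranges only).
SAMPLE_CONNS = [
    Conn("192.168.1.10", "inside", "203.0.113.5", "outside"),
    Conn("192.168.1.11", "inside", "203.0.113.5", "outside"),
    Conn("192.168.1.12", "inside", "203.0.113.5", "outside"),
    Conn("192.168.1.13", "inside", "203.0.113.5", "outside"),
    Conn("198.51.100.7", "outside", "192.168.1.20", "inside"),  # inbound to a published host
    Conn("192.168.1.10", "inside", "10.0.0.5", "dmz"),          # inside -> dmz: not counted
    Conn("10.0.0.5", "dmz", "203.0.113.5", "outside"),          # dmz host talks to outside: counts
]

if __name__ == "__main__":
    with_default = counted_hosts(SAMPLE_CONNS, "outside")
    print(f"default route on outside: {len(with_default)} hosts counted -> {sorted(with_default)}")
    no_default = counted_hosts(SAMPLE_CONNS, None)
    print(f"no default route:         {len(no_default)} hosts counted -> {sorted(no_default)}")
    print("over 10-host limit:", over_limit(SAMPLE_CONNS, "outside"))
```

With the default route on `outside`, the four browsing hosts, the published host that the outside reached and the DMZ host all count (six), while the two outside addresses do not; removing the default route makes every address on every interface count (eight), which is the case to avoid on a 10-host license.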

2 Replies
Mentor

Hi,

Although Vibhor already gave you the essential information related to the Base License ASA5505, you should also notice that you can avoid some of the restricted DMZ limitations depending on how you set up your network.

The Restricted DMZ is configured with the command "no forward interface Vlanx" (if I don't remember wrong). This is the requirement if you are going to enable a third Vlan interface on a Base License ASA.

Now if you had a situation where it was essential that both your DMZ and LAN networks should be able to connect towards each other (a setup that the default DMZ setup would not allow), then you could consider configuring the "no forward interface Vlanx" command on the "outside" interface and towards your "inside" interface's Vlan, for example. This would enable you to allow connections from "outside" to "dmz", "dmz" to "inside" and "inside" to "dmz".

One thing to consider with such a setup might be that if you had to make a change to this setup at some point, then that might become a bit harder. To my understanding you can not simply configure the "no forward interface Vlanx" command on another interface (to replace the one located in another interface), but you would actually have to remove the interface with the command and then configure the interface with the command you want to move the restriction to. As you might imagine, doing this with the "outside" interface might prove to be a bit tricky. You would have to be doing this change locally as you would have to remove the "outside" interface for a moment.

Typically the default DMZ setup is enough though, but I have run into some situations where this has been required to avoid a License upgrade.

Hope this helps :)

- Jouni
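The two layouts Jouni describes, as an added Python illustration that is not Cisco's code and not part of the reply: it parses two constructed ASA 5505-style VLAN interface fragments (the VLAN numbers, `nameif` values and security levels are assumptions) and derives which VLAN may initiate connections toward which under the `no forward interface` restriction, so the default restricted DMZ and the variant with the restriction moved to the outside VLAN can be compared side by side. The check only models the forward restriction; security levels, access-lists and NAT still decide what is actually permitted on top of it.

```python
"""Added illustration, not ASA code: parse constructed ASA 5505-style VLAN
interface fragments and derive which VLAN may *initiate* connections toward
which under the Base-license 'no forward interface' restriction. VLAN numbers,
nameif values and security levels are assumed; ACLs/NAT are not modelled."""

import re
from itertools import permutations

# Constructed fragment 1: the default restricted DMZ. The third VLAN (dmz)
# carries the restriction toward Vlan1 (inside), so dmz cannot initiate
# connections to inside, while inside -> dmz and outside -> dmz remain possible.
DEFAULT_DMZ = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
"""

# Constructed fragment 2: Jouni's alternative. The restriction sits on the
# outside VLAN toward inside, leaving dmz <-> inside open in both directions.
RESTRICTION_ON_OUTSIDE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 50
"""

# Constructed fragment 3: three VLANs with no restriction at all, i.e. the
# layout the thread says the Base license does not allow.
THREE_UNRESTRICTED = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan3
 nameif dmz
"""


def parse_vlan_config(text):
    """Return ({vlan: nameif}, {vlan: set of vlans it may not initiate to})."""
    names, blocked, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line, re.I)
        if m:
            current = m.group(1)
            blocked.setdefault(current, set())
            continue
        if current is None:
            continue
        m = re.match(r"nameif (\S+)$", line)
        if m:
            names[current] = m.group(1)
            continue
        m = re.match(r"no forward interface (Vlan\d+)$", line, re.I)
        if m:
            blocked[current].add(m.group(1))
    return names, blocked


def initiation_matrix(text):
    """Map (initiator nameif, target nameif) -> True when the initiator may
    open connections toward the target as far as the forward restriction goes."""
    names, blocked = parse_vlan_config(text)
    return {(names[s], names[d]): d not in blocked[s] for s, d in permutations(names, 2)}


def blocked_directions(text):
    """The (initiator, target) pairs a layout forbids; handy for diffing layouts."""
    return sorted(pair for pair, ok in initiation_matrix(text).items() if not ok)


def base_license_ok(text, max_unrestricted=2):
    """Approximation of the rule stated in the thread: beyond two freely
    communicating VLANs, each further VLAN must carry a forward restriction."""
    names, blocked = parse_vlan_config(text)
    return sum(1 for v in names if not blocked[v]) <= max_unrestricted


if __name__ == "__main__":
    for label, cfg in (("default DMZ", DEFAULT_DMZ), ("restriction on outside", RESTRICTION_ON_OUTSIDE)):
        print(f"{label}: blocks {blocked_directions(cfg)}, base license ok: {base_license_ok(cfg)}")
    print("three unrestricted VLANs ok:", base_license_ok(THREE_UNRESTRICTED))
```

Diffing the two `blocked_directions` results shows the trade Jouni describes: the default layout gives up dmz-initiated traffic to inside, the alternative gives up outside-initiated traffic to inside (which the security levels would normally refuse anyway) and keeps dmz and inside mutually reachable.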