Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
689
Views
0
Helpful
4
Replies

ASA 10 User License?

Go to solution
Ed Willson
Level 1
Level 1

‎01-14-2014 07:31 PM - edited ‎03-11-2019 08:30 PM

I'm planning on getting an ASA 5505 for the new place I'm buying. We're just a normal family, but well connected, 4-5 computers/misc that are connected via ethernet and 10 or so connected via wifi.

The wifi is on another network, so traffic is getting natted by the AP. Would traffic coming out of the AP headed for the internet count as 1 user, or is the ASA smart enough to stop me at ten real devices?

Thanks,

    Ed

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-15-2014 03:44 AM

Hi,

If you are doing Dynamic PAT to the Wireless clients before they reach the ASA then I would have to say that it only counts as 1 User.

I don't know how the ASA could determine that they are different hosts when all traffic is coming from same source IP/MAC address.

Here is a brief explanation from a Cisco document about how the host limit is counted though it doesnt address your actual question on how closely the ASA checks for the hosts.

In routed mode, hosts on the inside (Business and  Home VLANs) count towards the limit when they communicate with the  outside (Internet VLAN), including when the inside initiates a  connection to the outside as well as when the outside initiates a  connection to the inside. Note that even when the outside initiates a  connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that  initiate traffic between Business and Home are also not counted towards  the limit. The interface associated with the default route is considered  to be the outside Internet interface. If there is no default route,  hosts on all interfaces are counted toward the limit. In transparent  mode, the interface with the lowest number of hosts is counted towards  the host limit. See the show local-host command to view host limits.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp204305

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-15-2014 03:44 AM

Hi,

If you are doing Dynamic PAT to the Wireless clients before they reach the ASA then I would have to say that it only counts as 1 User.

I don't know how the ASA could determine that they are different hosts when all traffic is coming from same source IP/MAC address.

Here is a brief explanation from a Cisco document about how the host limit is counted though it doesnt address your actual question on how closely the ASA checks for the hosts.

In routed mode, hosts on the inside (Business and  Home VLANs) count towards the limit when they communicate with the  outside (Internet VLAN), including when the inside initiates a  connection to the outside as well as when the outside initiates a  connection to the inside. Note that even when the outside initiates a  connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that  initiate traffic between Business and Home are also not counted towards  the limit. The interface associated with the default route is considered  to be the outside Internet interface. If there is no default route,  hosts on all interfaces are counted toward the limit. In transparent  mode, the interface with the lowest number of hosts is counted towards  the host limit. See the show local-host command to view host limits.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp204305

- Jouni

0 Helpful

Go to solution
Ed Willson
Level 1
Level 1
In response to Jouni Forss

‎01-15-2014 05:17 PM

Thanks! That was my though as well. I'm willing to have a bit more complexity to save a couple hundred bucks for my personal setup.

Thanks,

    Ed

0 Helpful

Go to solution
prateeve
Level 1
Level 1

‎01-15-2014 05:55 AM

Hi,

Yes, ASA would stop it when it reaches 10, as it count the users connected on teh basis of it's connection table, so as soon the connections are made by more than 10 internal ip's , it would would go ahead and drop that connection.

- Prateek Verma

0 Helpful

Go to solution
Oscar Castillo
Level 1
Level 1

‎01-16-2014 10:20 AM

Set a Router behind the ASA..

Try this:

interface FastEthernet0/1

description Interface Out to the ASA

ip address 192.168.1.2 255.255.255.0

ip nat outside

speed auto

half-duplex

-

interface FastEthernet0/0

description Interface Connecting to the Switch

ip address 172.16.1.1 255.255.240.0

ip nat inside

duplex auto

speed auto

ip nat inside source list 100 interface FastEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 192.168.1.1 - (ASA Gateway)

access-list 100 permit ip 172.16.0.0 0.0.0.255 any

access-list 100 remark [Acess-List to NAT]

ip dhcp pool Switch-LA

   network 172.16.0.0 255.255.240.0

   domain-name nice.com

   dns-server 4.2.2.2 8.8.8.8 or ISP

   default-router 172.16.1.1 - Outside -

   lease 7

Hook a switch behind outside fa0/0 - vlan 1 will do the magic...

Regards,

Oscar

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card