asa 5505 basic license

godinerik
Level 1

Can anyone explain to me what exactly the 10-host limit of a basic license means? Does the limit apply to the number of hosts allowed to be assigned an internal IP, or is the limit applied to the NAT connections to the outside world?

TIA,

Erik

21 Replies

Jitendriya Athavale
Cisco Employee

It means that only 10 hosts can go through the firewall making a connection entry, which means yes, only 10 hosts can go out to the internet.

mmandeka
Cisco Employee

Hi Erik,

It's the max no. of simultaneous connections that can exist through the ASA at any point. Or, in other words, it means there are 10 active hosts behind the firewall. The 'behind' is counted as all the interfaces except the one out of which the default route exits.

The current no. of hosts counted towards the license is displayed at the beginning of the "show local-host" output.

Hope that answers your query.

Regards,

Manisha Mandekar

Adding a bit more to Manisha's snippet

For the purposes of node accounting, the ASA system module must count nodes on all interfaces except the interface or interfaces with the lowest security level. If there is more than one interface (but not all) with the lowest security level, the ASA system module must exclude from the node accounting all of the lowest security level interfaces. If all interfaces are at the same security level, the ASA system module must count all interfaces. In multi mode, the ASA system module applies this algorithm to each context, and the total daily node count is the sum of all contexts.

NOTE*: The ASA must use the notion of nodes for enforcement of user licenses, where a node is defined as a distinct source IP address or the address of a device that is internal to the enterprise.

-regards
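The node-accounting rule quoted in the post above, modelled as an added example (constructed data; not Cisco's code and not the thread's own). It assumes a topology of {context: {interface: (security level, set of source IPs seen)}} and that the same source address seen on two counted interfaces is still one node.

```python
# Added model of the node-accounting rule from the post above; constructed data.

def counted_interfaces(ifaces):
    """Interfaces whose source addresses count toward the user license."""
    levels = {level for level, _ in ifaces.values()}
    if len(levels) == 1:
        return set(ifaces)            # all at one level: count everything
    lowest = min(levels)
    # exclude every interface at the lowest level, whether one or several
    return {name for name, (level, _) in ifaces.items() if level != lowest}

def count_nodes(ifaces):
    """Distinct source IPs on counted interfaces (assumed: one IP = one node)."""
    nodes = set()
    for name in counted_interfaces(ifaces):
        nodes |= ifaces[name][1]
    return len(nodes)

def count_total_nodes(contexts):
    """Multi-mode: the total is the sum over all contexts."""
    return sum(count_nodes(ifaces) for ifaces in contexts.values())

def exceeds_limit(contexts, limit=10):
    """True when the counted nodes exceed the licensed host limit."""
    return count_total_nodes(contexts) > limit

SAMPLE_CONTEXTS = {
    "ctx-a": {  # outside is the single lowest-level interface: excluded
        "outside": (0, {"203.0.113.10"}),
        # 10.1.1.254 is a PAT router fronting many hosts; the ASA sees one
        # source address, so it is one node (as the thread points out)
        "inside": (100, {"10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.254"}),
        "dmz": (50, {"10.2.2.1", "10.2.2.2"}),
    },
    "ctx-b": {  # two interfaces tie for lowest level: both excluded
        "outside1": (0, {"198.51.100.1"}),
        "outside2": (0, {"198.51.100.2"}),
        "inside": (100, {"10.3.3.1", "10.3.3.2"}),
    },
    "ctx-c": {  # every interface at the same level: all of them count
        "ifA": (50, {"10.4.4.1", "10.4.4.3"}),
        "ifB": (50, {"10.4.4.2"}),
    },
}

if __name__ == "__main__":
    print("total nodes:", count_total_nodes(SAMPLE_CONTEXTS),
          "exceeds 10-host limit:", exceeds_limit(SAMPLE_CONTEXTS))
```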

OK, so based on the answers, it sounds like it means "10 active simultaneous TCP connections can cross from one VLAN to another at any given time". If this is the case, I do have a few follow-up questions:

- Does this mean we can assign as many IPs as we want on the inside VLAN? (i.e.: one system with 100 IPs) as long as only 10 connections are crossing from one VLAN to another?

- Does this mean that even once the 10 active simultaneous connections are reached, hosts within the same VLAN can still communicate with each other at will (since it doesn't get routed to another VLAN)?

- Would there be a limit on the number of MACs which can be on the inside VLAN? i.e.: an ASA5505 only has 8 ports, but what if one of those machines is running VMs? Will it be a problem having more than 10 different MACs on the inside VLAN?

- Will the ASA accept multiple (i.e.: >10) static xlate connections if my license is only a basic one?

TIA,

Erik

Hello,

It does not really care how many hosts you have in each VLAN. The trick here is that only 10 hosts can make connections to the outside world or the other VLAN; it is not based on just 10 TCP connections. One host can have as many connections as it wants; the problem is that when you reach 10 hosts, number 11 is not going to be able to go out to the other VLANs.

But basically, to answer your questions, you can have as many hosts as you want on each VLAN; only 10 can go through the ASA to the other VLANs.

Hope this makes sense.

Mike

Mike,

It's very late right now so sorry for the question...

How exactly does the ASA count the 10 hosts?

The reason I ask is because I used to think that the ASA counted the IPs for the hosts (10 hosts = 10 IPs).

But what if there's a PAT device between the hosts and the ASA? The ASA will see the 300 hosts that I have as a single IP.

I know the ASA is not stupid enough to think there's a single host when there are really 300 being PATed, so I want to ask how exactly the ASA counts up to 10 hosts?

Thank you all,

Federico.

Hi Federico,

Even if there is a PAT device that does the PATing, for each PATed IP address the ASA maintains a connection entry in its state table. It uses source IP, destination IP, source port, destination port and protocol to identify each flow.

So, once 10 PATed IP connections are made through the ASA, the ones coming in after that are dropped.

Hope that answers your query.

Cheers!

Manisha

Federico/Manisha.... I am afraid that's not true. Like I said earlier, the ASA uses the notion of nodes for enforcement of user licenses, where a node is defined as a distinct source IP address. This means that an ASA w/ a 10-user limit license in no way can track more than 10 different IPs coming from behind a PAT address; the ASA will see it coming from one single node (i.e. from the PAT address) and allow the traffic through.

Hmmmm, that makes more sense, but there is still something I don't understand...

If I'm limited because I purchased an ASA 5505 with a 10-user license, does it mean that I can have a PAT device in between and have X number of machines (let's say 100) going through the ASA at the same time???

Does not make much sense having to purchase a 50-user or unlimited license, right?

Federico.

Hello Federico,

Let's say that you have a host on the inside, and it is a massive server that has N connections to the outside; how would the firewall know if that is a PAT device or just a server?

On the local host count it will count as 1 only.

Cheers.

Mike

Mike,

> If I'm limited because I purchased an ASA 5505 with a 10-user license, does it mean that I can have a PAT device in between and have X number of machines (let's say 100) going through the ASA at the same time???

> Does not make much sense having to purchase a 50-user or unlimited license, right?

Answer ---> What's the better deal for 20 different hosts to go out (let's say):

a) Purchase a 50-user license on the ASA vs.

b) Purchase an ASA w/ 10-user license + purchase a router X that may do PAT; now this router X had better be a good one, costly enough not just to do PAT but also protocol inspection to support voice/media/audio traffic over PAT.

I would choose deal a) any day.

-regards

Abi,

Don't get me wrong, I agree with you... I was saying that in case you happen to have a PAT device, you can then use it to trick the ASA into allowing more than 10 hosts through it.

Federico.

Hi Fed, yes, you are absolutely correct on that....

-regards
