07-29-2009 04:11 PM - edited 03-11-2019 09:00 AM
Working with a base model 5505 appliance where the number of "Inside Hosts" allowed = 10.
Have discovered that the ASA 5505 is very literal when counting the number of "inside" hosts and will refuse to route traffic for any host connected after the licensed number of hosts is reached (in this case 10).
My question is: If a layer 3 switch (with say 20 hosts attached) is connected to the 5510 as a routed, inside host, does the 5510 view this as 1 host or 21 hosts (layer 3 address of switch + 20)?
07-29-2009 08:21 PM
Hi. The 5505 connected to the layer 3 switch will see all IP addresses and block any over the 10. In order to do something different you could put a router that performs NAT/PAT behind the ASA, but this defeats the purpose and places a lot of restrictions. Best of luck.
07-29-2009 04:33 PM
No chance for that cheat; you will rather need a gateway with NAT - that is one host.
Also, the ASA counts all the hosts on all the interfaces it has (they are VLAN interfaces), except the one that is pointed to as default gateway. So, if it happens that you do not have a default route installed, the ASA takes account of hosts on the outside interface as well.
HTH
Regards,
Vasil
07-29-2009 09:54 PM
Have no intention or interest in avoiding the purchase of required licenses. In this particular application an additional access switch is required anyway. We are simply attempting to ascertain whether or not additional licenses must be purchased to resolve the random denial of service problem at this location.
And I trust your use of the term "cheat" was in reference to a work-around, or potential solution...
07-30-2009 01:55 PM
Hi,
Sorry, I was not trying to offend you. What I tried to say is that in your scenario 10 hosts are no more than 10 hosts. Even worse - you may have less than this number of hosts, but in certain circumstances the ASA may block your inside hosts, even if they are fewer than the licensing limitation. In this case I personally think that the ASA "cheats". But this is the way that it works.
Regards,
Vasil
07-30-2009 03:30 PM
Hello. In regards to your 10 hosts and the 32 DHCP clients: the ASA will serve multiple IP addresses, up to 32, to the local LAN. The issue that exists with hosts is the machines that need to translate to the internet. Only 10 would be allowed, but you may have many IP addresses, like printers, etc., that may exist.
07-29-2009 09:26 PM
Thank you, this is what I was looking for. Having scoured the support site for detail on HOW the "Inside Hosts" limitation is actually implemented, available documentation seems to lack detail and is ambiguous at best. For example, the document below refers to a maximum of 32 DHCP clients when using a 10-user license. How is this possible?
No mention of how or when inside hosts that are no longer connected are removed from the count etc...
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1301770
"For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models."
"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits."
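The counting rule quoted from the licensing guide above can be made concrete with a small model. The following is an added illustration written for this thread, not Cisco code and not how the ASA is implemented internally; it only encodes the documented routed-mode rules (a host counts when it sends traffic toward the interface holding the default route, hosts on that interface never count, inter-VLAN traffic does not count, and with no default route every interface counts) plus the observed behaviour that a new host is refused once the table is full. The limit of 10 is the base-license figure from the thread; the interface names and addresses are made up. Host aging out of the table is not modelled, since the thread says nothing about it.

```python
"""Toy model of the ASA 5505 'Inside Hosts' counting rule (added example).

Assumptions (not from Cisco documentation): interface names "inside",
"home", "business", "outside" and all IP addresses are invented for the
demo.  Hosts never age out of the table in this model.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Flow:
    src: str      # source IP of the packet
    src_if: str   # interface the packet arrived on
    dst_if: str   # interface the packet would be routed out of


@dataclass
class HostCounter:
    limit: int                       # licensed number of inside hosts
    default_route_if: Optional[str]  # None = no default route installed
    hosts: Set[str] = field(default_factory=set)
    blocked: List[str] = field(default_factory=list)

    def counts(self, f: Flow) -> bool:
        """Does this flow make its source count against the license?"""
        if self.default_route_if is None:
            return True                      # no default route: every interface counts
        if f.src_if == self.default_route_if:
            return False                     # hosts on the Internet interface never count
        return f.dst_if == self.default_route_if  # only traffic headed to the Internet counts

    def forward(self, f: Flow) -> bool:
        """Return True if the model forwards the flow, False if it refuses it."""
        if not self.counts(f) or f.src in self.hosts:
            return True
        if len(self.hosts) >= self.limit:
            self.blocked.append(f.src)       # table full: new host is refused
            return False
        self.hosts.add(f.src)
        return True


def scenario_layer3_switch(limit: int = 10, n_hosts: int = 20):
    """20 hosts routed through a layer 3 switch: the ASA still sees 20 source IPs."""
    asa = HostCounter(limit, "outside")
    forwarded = [asa.forward(Flow(f"10.0.1.{i}", "inside", "outside"))
                 for i in range(1, n_hosts + 1)]
    return sum(forwarded), len(asa.blocked)   # (10 forwarded, 10 refused)


def scenario_nat_gateway(limit: int = 10, n_hosts: int = 20) -> int:
    """Same 20 hosts behind a NAT/PAT router: the ASA sees a single source IP."""
    asa = HostCounter(limit, "outside")
    for _ in range(n_hosts):
        asa.forward(Flow("10.0.1.1", "inside", "outside"))
    return len(asa.hosts)                     # 1


def scenario_no_default_route(limit: int = 10) -> int:
    """Without a default route, a host on the outside interface is counted too."""
    asa = HostCounter(limit, None)
    asa.forward(Flow("203.0.113.7", "outside", "inside"))
    return len(asa.hosts)                     # 1


def scenario_inter_vlan(limit: int = 10) -> int:
    """Traffic between two inside VLANs does not consume any licensed host."""
    asa = HostCounter(limit, "outside")
    for i in range(1, 21):
        asa.forward(Flow(f"10.0.2.{i}", "home", "business"))
    return len(asa.hosts)                     # 0


if __name__ == "__main__":
    print("L3 switch (forwarded, refused):", scenario_layer3_switch())
    print("NAT gateway hosts counted:", scenario_nat_gateway())
    print("No default route, outside host counted:", scenario_no_default_route())
    print("Inter-VLAN hosts counted:", scenario_inter_vlan())
```

The four scenarios mirror the points made in the thread: a routed layer 3 switch does not hide its hosts, a NAT gateway collapses them to one, a missing default route pulls outside hosts into the count, and inside-to-inside traffic is free. On a real appliance the equivalent check is the `show local-host` command mentioned in the quoted documentation.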
08-25-2009 05:28 PM
This has been a really valuable thread to read; as I must say, your assessment that the "available documentation ... lack[s] detail and is ambiguous at best" is, if anything, generous. There's no justification for the level of uncertainty the average buyer is faced with trying to decide what type of license is needed.
I can offer some clarification on one point:
Your question about "How is this possible?" regarding this documentation statement:
"For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models."
The way this is implemented is that you can only have the indicated number of IPs in the pool for the DHCP server that's built into the ASA. That is, on my base 5505 (10 inside hosts), the biggest DHCP pool I can define is 32 IPs--if you try to put in a larger range, it just rejects it. I haven't tried putting say 16 on an inside address and 16 on a dmz address, but that *might* work (not sure how sophisticated it is). Now, I also have a wireless access point/router that does NAT/PAT and it gives me a much larger pool--so, in my case, where many of my devices' NICs do not have public IPs, I have no significant practical limit on the number of devices that can "see out" to the Internet via NAT/PAT through the ASA, but only 10 IPs visible from the Internet. Some of those NAT/PAT addresses are available directly off the ASA's DHCP server and a whole different subnet is available from the WLAN router's DHCP server. My understanding is that only public IPs count as "inside hosts."
(Maybe this will be useful to someone; I trust I didn't simply muddy the waters.)