Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
770
Views
0
Helpful
3
Replies

ASA users license

justanas1
Level 1
Level 1

‎01-29-2007 11:39 PM - edited ‎03-11-2019 02:25 AM

Dear Sir,

i have a network connected to the internet with ISA and PIX as the following:

LAN----ISA----PIX----Internet

where the ISA is doing PAT to privates IP, and the PIX doing static NAT for the private IP of the ISA to real ip.

now i want to replace the PIX firewall with ASA anti-x bundle firewall.

i want to know that the ASA will consider the ISA as single user, or the ASA will consider the ISA as the total of users in the LAN.

Thanks

Labels:
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎01-29-2007 11:51 PM

Hello anas,

it all depends on how you configure the NAT... if you are configuring a static for the ISA private IP to a public IP, the ASA will consider only a single NAT translation for these IP's.... this can be seen from the "show xlate" command...but depending on the user traffic, there can be multiple connections formed on the ASA.. this can be seen from the "show conn" command... so, it is straight forward, there will be one translation happening, but multiple connections for the same translation...

Hope this helps.. all the best.. rate replies if found useful..

Raj

0 Helpful

justanas1
Level 1
Level 1
In response to sachinraja

‎01-30-2007 03:34 AM

Thank you sir,

so i want to know the ASA treate the user as connection ar translation

In my scenarion the ISA is one translation and doing PAT, and it appear to the ASA as single IP with multiple connection from this IP

Thanks

0 Helpful

sachinraja
Level 9
Level 9
In response to justanas1

‎01-30-2007 05:55 AM

Yes.. u are right.. the ISA does the PAT and hits the ASA with a single IP.. the ASA sees this as a single translation with huge number of connections, for eg, 1 user might access yahoo, another hotmail etc.... so, u will have a lot of connections on the "show conn" output...

but why do u need 2 firewalls here ?? cant the users directly sit on ASA inside interface ?? and if the ISA has to do some kinda proxying, let it act only as a proxy server on the inside LAN.. I think you can reconfigure your inside LAN, and the PCs can directly talk to ASA inside interface. Managing and troubleshooting becomes really easy then... with this setup, the http traffic goes to the ISA for proxy, and all other traffic directly goes to the ASA, which makes it much more simple.. Just my thought ...

Hope this helps.. if u need any more assistance, do reply.. or else close the case, which can be of help to others.. rate replies if found useful..

Raj

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card