Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12047
Views
5
Helpful
9
Replies

ASA5505 Inside Hosts limit

Go to solution
Patrick McHenry
Level 3
Level 3

‎02-19-2012 04:17 AM - edited ‎03-11-2019 03:32 PM

Hi,

The ASA5505 I am working with has this from the show version:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Does the Insides Hosts  :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?

Thanks, Pat.

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7

‎02-19-2012 05:22 AM

Hi Patrick,


"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are

not

counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the

show local-host

command to view host limits."

So to answer your question, you're ok if you will connect an AP, the limit is refering to the hosts that need access from inside to outside.

Dan

View solution in original post

0 Helpful

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7
In response to Patrick McHenry

‎02-19-2012 09:13 AM

Hi Patrick ,

The text as it is, if taken from ASA Command Line Configuration :

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1012343

My undestanding is that only traffic from any inside hosts that generate traffic to outside counts.

Dan

View solution in original post

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎02-19-2012 01:58 PM

Hello Patrick,

More than 10 users going to the internet trough the firewall.

Nop, that is not posible.

You can do a show local-host and you will see a report of the local users connection and please notice the first line saying that you reach the maximum number of host due to the license restriction.

So in this case you will need to get the proper license to do it ( 50 user license or UL (unlimit license)

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎02-19-2012 02:10 PM

Hello Patrick,

Not at all, I work for the security team so I do not handle prices

But here are both licenses, so you can call your re-seller and ask him about it.

ASA5505-50-BUN-K9 = 50 user bundle

ASA5505-UL-BUN-K9 = Unlimit users

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7

‎02-19-2012 05:22 AM

Hi Patrick,


"In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are

not

counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the

show local-host

command to view host limits."

So to answer your question, you're ok if you will connect an AP, the limit is refering to the hosts that need access from inside to outside.

Dan

0 Helpful

Go to solution
Patrick McHenry
Level 3
Level 3
In response to Dan-Ciprian Cicioiu

‎02-19-2012 06:54 AM

I would like users - possibly more than 10 at a time to be able to connect to the Internet. I was going to connect the 5505 to a Comcast Business Internet circuit and hang a couple of 1260 APs from the PoE interfaces. Now I am wondering if this is possible.

One line in your post is confusing me:

"Hosts that initiate traffic between Business and Home are also not counted towards the limit."

Did you mean to say:

Hosts that initiate traffic between Business and Home are also counted towards the limit. ?

Thanks, Pat.

0 Helpful

Go to solution
Dan-Ciprian Cicioiu
Level 7
Level 7
In response to Patrick McHenry

‎02-19-2012 09:13 AM

Hi Patrick ,

The text as it is, if taken from ASA Command Line Configuration :

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1012343

My undestanding is that only traffic from any inside hosts that generate traffic to outside counts.

Dan

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎02-19-2012 01:58 PM

Hello Patrick,

More than 10 users going to the internet trough the firewall.

Nop, that is not posible.

You can do a show local-host and you will see a report of the local users connection and please notice the first line saying that you reach the maximum number of host due to the license restriction.

So in this case you will need to get the proper license to do it ( 50 user license or UL (unlimit license)

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Patrick McHenry
Level 3
Level 3
In response to Julio Carvajal

‎02-19-2012 02:02 PM

Julio,

Do you know approximately how much a 50 user license would be?

Thanks, Pat

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎02-19-2012 02:10 PM

Hello Patrick,

Not at all, I work for the security team so I do not handle prices

But here are both licenses, so you can call your re-seller and ask him about it.

ASA5505-50-BUN-K9 = 50 user bundle

ASA5505-UL-BUN-K9 = Unlimit users

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Patrick McHenry
Level 3
Level 3
In response to Julio Carvajal

‎02-19-2012 02:20 PM

Julio one more question,

The 3 VLAN limit is slightly confusing. I know the outside interface will be VLAN 1 and the inside interface will be VLAN 2, but will I be able to create a 3rd VLAN. I would like to use this Internet circuit for our own IT staff and Vendors that might work in different locations in the building and keep them seperate via an access-list. I will be able to move the APs where ever I want via a non-routed VLAN and we were doing this with a Linksys router and some other routers acting as APs but, it wasn't reliable thus the reason we are trying to use a little higher grade equipment without breaking the bank. We had this 5505 lying around.

0 Helpful

Go to solution
Amit Rai
Level 1
Level 1
In response to Patrick McHenry

‎02-21-2012 05:48 AM

Hi Patrick,

you can create 3 vlans like inside, outside and dmz however as you have dmz restricted license you would not be able to initiate the communication between all of them. f

For example, you have one VLAN assigned to the outside for Internet  access, one VLAN assigned to an inside work network, and a third VLAN  assigned to your home network. The home network does not need to access  the work network, so you can use the no forward interface command on the home VLAN; the work network can access the home network, but the home network cannot access the work network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the security appliance does not allow  three fully functioning VLAN interfaces with the Base license on the ASA  5505 adaptive security appliance.

Go to solution
Patrick McHenry
Level 3
Level 3
In response to Amit Rai

‎02-22-2012 04:39 AM

Amit,

Thanks for the response.

Are you saying that if I create this third interface and do as you say, will I be able to communicate betwwen the third VLAN and the outside VLAN? Because if I can't, then there would be no reason for this as I want both the inside VLAN and the third VLAN to got to the Internet. Also,if they can, will I be able to have more than 10 users going to the Internet at once?

Thanks, Pat.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card