PIX 501 issue

byju70
Level 1

I have a PIX 501 with a 10-user licence at a remote office. The remote network has 8 PCs connecting to my corporate office. I put this 501 in the remote network. We have PAT & IPsec tunneling at the remote office, but the PIX is hanging and not allowing more than 3 tunnels. Is it a licence issue?

Does a 10-user licence mean 10 PCs can have multiple sessions like PAT, Telnet, tunnel etc., or does it mean I can have only 10 sessions through the PIX? Cisco documentation is not clear.

Please provide your valuable suggestion. What license should I go for? Remote office accesses outside internet/mail server and IPsec tunnel to our AS400 server.

Thanks a lot

1 Reply

gfullage
Cisco Employee

User licence is different to ISAKMP Peer licence numbers. Do a "sho ver" on your PIX and check the values as indicated below:

---------------------------------------------
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5
---------------------------------------------

If you only have 3 ISAKMP Peers then you'll only be able to build 3 tunnels to 3 different hosts (that includes LAN-to-LAN and client tunnels).

As for what constitutes an "inside host", it is a host that:

- has sent or received traffic through the PIX in the last xlate timeout seconds (five minutes with the 501 default config).
- has a UDP or TCP connection
- has a NAT session
- has a user authentication session

So basically a PC sending traffic through the PIX is an "inside host". That one PC can have any number of connections and translations, that number doesn't matter.
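As an added example (not part of the reply above and not Cisco code), the following Python sketch parses the "Licensed Features" block quoted in the reply and compares the two limits discussed in this thread against a planned deployment. The function names and the planned counts passed to `check_capacity` are hypothetical; the sample text is the block from the reply.

```python
import re

# Licensed Features block as quoted in the reply above (values from the page).
SAMPLE_SHOW_VER = """\
---------------------------------------------
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5
---------------------------------------------
"""

def parse_licensed_features(text):
    """Return {lower-cased feature name: value} from the Licensed Features block."""
    features, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("licensed features"):
            in_block = True
            continue
        # Skip everything before the block, blank lines and dashed rulers.
        if not in_block or not line or set(line) == {"-"}:
            continue
        m = re.match(r"^([A-Za-z0-9 \-]+?):\s*(\S.*)$", line)
        if not m:
            break  # first line that is not "name: value" ends the block
        features[m.group(1).lower()] = m.group(2).strip()
    return features

def limit(features, name):
    """Numeric cap for a feature; None when the value is not a number.
    Assumption: a non-numeric value such as 'Unlimited' means no cap."""
    value = features[name]  # KeyError if the feature line is missing
    return int(value) if value.isdigit() else None

def check_capacity(features, inside_hosts, vpn_peers):
    """List the licence limits that the planned counts would exceed."""
    shortfalls = []
    for name, wanted in (("inside hosts", inside_hosts), ("isakmp peers", vpn_peers)):
        cap = limit(features, name)
        if cap is not None and wanted > cap:
            shortfalls.append(f"{name}: need {wanted}, licensed {cap}")
    return shortfalls
```

`inside_hosts` is the number of PCs passing traffic through the PIX within the xlate timeout, not the number of connections, and `vpn_peers` is the number of distinct tunnel endpoints.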
