367 Views, 0 Helpful, 3 Replies

question about asa5505

rbarreir
Level 1

Hi,
I have read several posts, but I can't find one that helps with my doubts.
I know if I have a 5505 with a 10 user license it will limit to 10 the IPs that pass from inside to outside, but from inside to dmz? Also, these are users, not connections? Is that right?
The last doubt is if I have a site-to-site VPN to an ASA 5520, will the 10 user limit apply to the VPN?
Hope somebody can help me with this.
Regards

Juan Pablo Hidalgo

Sent from Cisco Technical Support iPhone App

3 Replies

Jouni Forss
VIP Alumni

Hi,

Here is a quote from a Cisco document

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.

See the show local-host command to view host limits.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1150495

So basically only the number of hosts behind the interfaces which DON'T have the default route are counted towards your user limit, no matter how many different destination IP addresses you are connecting to.

So in the case of your L2L VPN, the remote site and the amount of hosts it has doesn't really matter. As long as the combined amount of hosts behind your ASA's local interfaces doesn't go over the user limit of the license, you should be fine.

As the quote says, you can check in the "show local-host" command output what your limit is and how many hosts are currently counted towards that limit. The output is at the very start.

- Jouni
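To turn the advice above into a repeatable check, here is an added example (not code from the thread or from Cisco) that parses the head of `show local-host` output and also models the routed-mode counting rule from the quoted document. The sample output is constructed, and the exact wording of the real command output is an assumption; adjust the regular expressions if your ASA prints it differently.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample of the top of `show local-host` on an ASA 5505 with a
# 10-user license. The text is made up for this example and the line formats
# are an assumption, not captured from a real device.
SAMPLE_SHOW_LOCAL_HOST = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 8, towards licensed host limit of: 10
Interface dmz: 2 active, 3 maximum active, 0 denied
local host: <192.168.2.10>,
    TCP flow count/limit = 1/unlimited
    UDP flow count/limit = 0/unlimited
local host: <192.168.2.11>,
    TCP flow count/limit = 2/unlimited
    UDP flow count/limit = 1/unlimited
Interface inside: 6 active, 9 maximum active, 0 denied
local host: <10.0.0.21>,
    TCP flow count/limit = 4/unlimited
    UDP flow count/limit = 0/unlimited
"""

INTERNET_IF_RE = re.compile(r"Detected interface '([^']+)' as the Internet interface")
COUNT_RE = re.compile(r"Current host count:\s*(\d+),\s*towards licensed host limit of:\s*(\d+)")
PER_IF_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied", re.M)


def parse_show_local_host(text: str) -> dict:
    """Extract the license-relevant numbers from `show local-host` output."""
    m_if = INTERNET_IF_RE.search(text)
    m_cnt = COUNT_RE.search(text)
    if m_cnt is None:
        raise ValueError("no 'Current host count' line found; is this host-limited ASA output?")
    summary = {
        "internet_interface": m_if.group(1) if m_if else None,
        "current": int(m_cnt.group(1)),
        "limit": int(m_cnt.group(2)),
        "interfaces": {},
    }
    # Per-interface counters: 'denied' is the tell-tale that hosts were refused.
    for name, active, max_active, denied in PER_IF_RE.findall(text):
        summary["interfaces"][name] = {
            "active": int(active),
            "max_active": int(max_active),
            "denied": int(denied),
        }
    return summary


def license_status(summary: dict, warn_fraction: float = 0.8) -> dict:
    """Classify headroom against the licensed host limit.

    A non-zero 'denied' counter on any interface means some host has already
    been refused because the limit was reached, which is the symptom the
    thread is concerned with.
    """
    current, limit = summary["current"], summary["limit"]
    denied_total = sum(i["denied"] for i in summary["interfaces"].values())
    if current >= limit or denied_total > 0:
        state = "at-limit"
    elif current >= warn_fraction * limit:
        state = "warning"
    else:
        state = "ok"
    return {"state": state, "remaining": max(limit - current, 0), "denied_total": denied_total}


def count_licensed_hosts(default_route_interface: Optional[str],
                         hosts_by_interface: Dict[str, Iterable[str]]) -> int:
    """Model the routed-mode counting rule quoted above.

    Each host behind an interface other than the one holding the default route
    counts once, however many destinations it talks to. With no default route,
    hosts on every interface count. Transparent mode is not modelled here.
    """
    counted: Set[str] = set()
    for iface, hosts in hosts_by_interface.items():
        if default_route_interface is not None and iface == default_route_interface:
            continue
        counted.update(hosts)
    return len(counted)


if __name__ == "__main__":
    s = parse_show_local_host(SAMPLE_SHOW_LOCAL_HOST)
    print(f"{s['current']}/{s['limit']} hosts counted:", license_status(s))
    lan = {"inside": ["10.0.0.21", "10.0.0.22"], "dmz": ["192.168.2.10"], "outside": ["203.0.113.5"]}
    print("counted with default route on outside:", count_licensed_hosts("outside", lan))
    print("counted with no default route:", count_licensed_hosts(None, lan))
```

Run it against pasted output from your own ASA to see how many of the 10 licensed hosts are in use; the model function shows why the remote VPN site's hosts never enter the count, while hosts on both inside and dmz do.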

rbarreir
Level 1

Hi, thanks for your reply,
So that means if the VPN users from the ASA 5505 are 11, the last one won't be able to connect to the VPN peers, so the user limit is important for this matter.
Regards

Juan Pablo

Sent from Cisco Technical Support iPhone App

Hi,

If you have "inside" and "dmz" interfaces then the only thing you really have to look out for is that the amount of hosts behind those interfaces doesn't go over 10. Then you will see that some single host won't be able to form connections through the firewall.

The "show local-host" command (as said before) should show how close to that limit you are.

Please remember to mark a reply as the correct reply if it answered your question.

- Jouni
