07-20-2013 06:50 AM - edited 03-11-2019 07:14 PM
Hi,
I have read several posts, but I can't find one that helps with my doubts.
I know if I have a 5505 with a 10-user license it will limit to 10 the IPs that pass from inside to outside, but from inside to DMZ? Also, these are users, not connections? Is that right?
The last doubt is, if I have a site-to-site VPN to an ASA 5520, will the 10-user limit apply to the VPN?
Hope somebody can help me with this.
Regards
Juan Pablo Hidalgo
Sent from Cisco Technical Support iPhone App
07-20-2013 07:28 AM
Hi,
Here is a quote from a Cisco document
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.
See the show local-host command to view host limits.
Source:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1150495
So basically only the number of hosts behind the interfaces which DON'T have the default route are counted towards your user limit, no matter how many different destination IP addresses you are connecting to.
So in the case of your L2L VPN, the remote site and the amount of hosts it has doesn't really matter. As long as the combined amount of hosts behind your ASA's local interfaces doesn't go over the user limit of the license, you should be fine.
As the quote says, you can check in the "show local-host" command output what your limit is and how many hosts are currently counted towards that limit. The output is at the very start.
- Jouni
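The counting rules quoted above (and the point in the later reply that only the hosts behind "inside" and "dmz" matter) can be turned into a small model, so you can reason about how close a given topology is to the limit before you buy the box. This is an added example, not Cisco code and not a parser for the real "show local-host" output; the interfaces, routes and hosts in it are constructed sample data, and the Host/outside_interface/counted_hosts names are this example's own.

```python
"""Model of how a routed-mode ASA counts hosts toward a user-licence limit.

Added example (not Cisco code): it encodes the counting rules quoted in the
thread, not the real `show local-host` parser, and its hosts and routes are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass(frozen=True)
class Host:
    ip: str
    interface: str          # interface the host sits behind
    talks_to_outside: bool  # has a connection to or from the Internet interface


def outside_interface(routes: List[Tuple[str, str]]) -> Optional[str]:
    """The interface holding the default route is treated as 'outside'.
    Returns None when there is no default route."""
    for prefix, interface in routes:
        if prefix == DEFAULT_ROUTE:
            return interface
    return None


def counted_hosts(mode: str, hosts: List[Host],
                  routes: List[Tuple[str, str]]) -> Set[str]:
    """Return the set of host IPs that count toward the licence limit."""
    if mode == "transparent":
        # Transparent mode: only the interface with the fewest hosts is counted.
        per_interface: Dict[str, Set[str]] = {}
        for h in hosts:
            per_interface.setdefault(h.interface, set()).add(h.ip)
        if not per_interface:
            return set()
        return min(per_interface.values(), key=len)

    outside = outside_interface(routes)
    if outside is None:
        # No default route: hosts on every interface are counted.
        return {h.ip for h in hosts}
    # Routed mode: inside/DMZ hosts count only when they talk to the outside.
    # Hosts reached through the outside interface (including the remote end
    # of an L2L VPN) never count, whoever initiated the connection.
    return {h.ip for h in hosts
            if h.interface != outside and h.talks_to_outside}


def license_status(limit: int, counted: Set[str]) -> Tuple[int, int, bool]:
    """Return (current count, limit, over_limit)."""
    return len(counted), limit, len(counted) > limit


# ---- constructed sample topology (not from the thread) ----
ROUTES = [
    ("0.0.0.0/0", "outside"),     # default route -> "outside" is the Internet interface
    ("10.1.1.0/24", "inside"),
    ("10.2.2.0/24", "dmz"),
]

SAMPLE_HOSTS = (
    [Host(f"10.1.1.{i}", "inside", True) for i in range(1, 9)]       # 8 inside hosts using the Internet
    + [Host("10.1.1.9", "inside", False)]                            # inside host that only talks to the DMZ
    + [Host("10.2.2.1", "dmz", True), Host("10.2.2.2", "dmz", True)] # 2 DMZ servers reached from outside
    + [Host("192.168.50.7", "outside", True)]                        # host at the L2L VPN remote site
)


def demo() -> Tuple[int, int, bool]:
    """Count the sample topology against a 10-user licence."""
    return license_status(10, counted_hosts("routed", SAMPLE_HOSTS, ROUTES))


if __name__ == "__main__":
    print(demo())
```

For the sample topology the model reports (10, 10, False): the inside host that only talks to the DMZ and the VPN remote host are not counted, so exactly ten hosts are at the limit; one more DMZ or inside host with an Internet connection would be the eleventh and would be refused. Dropping the default route makes every host on every interface count, which is the trap the quoted document warns about.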
07-20-2013 08:10 AM
Hi, thanks for your reply,
So that means if the VPN users from the ASA 5505 are 11, the last one won't be able to connect to the VPN peers, so the user limit is important for this matter.
Regards
Juan Pablo
Sent from Cisco Technical Support iPhone App
07-20-2013 09:42 AM
Hi,
If you have "inside" and "dmz" interfaces then the only thing you really have to look out for is that the amount of hosts behind those interfaces doesn't go over 10. Then you will see that some single host won't be able to form connections through the firewall.
The "show local-host" command (as said before) should show how close to that limit you are.
Please remember to mark a reply as the correct reply if it answered your question.
- Jouni