02-28-2005 02:17 AM - edited 02-20-2020 11:59 PM
In a PIX with a restricted license, if a connection is made from inside (internal hosts) to the DMZ, will this also be considered towards the number of connections? Also, will the connections from outside hosts to the inside network be considered as a new connection counting towards the license?
Please clarify.
02-28-2005 05:31 AM
The PIX has not enforced connection limits since the 5.x code. Here is a summary of connection based licenses vs feature based licenses:
Connection based license vs. Feature based license
1.) PIX code 4.x is licensed based on the number of connections through it (regardless of the hardware being used).
2.) PIX code 5.x is licensed based on Features (eg: Failover, DES, 3DES) again - regardless of the hardware being used.
3.) Connection or Feature licenses are determined by the Activation Key. That being said, if a customer is running a 4.x code that is connection based, and upgrades to a 5.x code, but *does not* upgrade their Activation Key, then the 5.x code will still be connection based - as reported in a "show ver". But, this connection limit will not be enforced.
Does this help?
Scott
02-28-2005 08:59 AM
Hi Scott
This is interesting info. So you mean to say the conn limit is not enforced? So why do the datasheets mention all this comparison between the different models? So can I say model 501 will support many more connections than what is mentioned in the datasheet?
02-28-2005 10:15 AM
Nope, and I think you are missing my point.
The datasheets for each PIX list the amount of concurrent connections supported on each platform, based on the hardware. There are no enforcements built into the PIX software that say a PIX 506E will only allow 25,000 concurrent connections. This simply means, that we (Cisco) have tested a 506E in the lab and have been able to get 25,000 concurrent connections to work through this platform.
The 501 PIX is the only PIX hardware that is licensed on a "per-user" basis. This is simply to allow pricing breaks for smaller user offices. The 501 does not limit the number of connections through it but rather limits the number of "local users" to either 10 users, 50 users, or unlimited.
Older PIX software (in the 4.X days) used to be sold with a connection based license. We found that this did not scale and got rid of it quite some time ago. This is what I thought the original question was about.
But to summarize your question, each PIX platform will have different capabilities for concurrent connections based on the hardware. While these numbers are not enforced in software, they serve as guides for sizing the proper platform needed.
Does this help?
Scott
02-28-2005 09:44 PM
Hi Scott,
Thanks for the info. That was very helpful and clear on the issue of license vs connections. Just one more clarification. I hope all connections from inside hosts to outside and from outside hosts to inside or DMZ are counted as concurrent connections. Will the connections from inside hosts to a server in the DMZ also be counted towards the number of concurrent connections?
03-03-2005 09:02 AM
Yes, all unique IP based connections from one interface to another interface on the PIX are considered concurrent connections. The limitation is really based on memory. Each connection must be tracked which takes up an explicit amount of memory in the PIX. This is really where the limitations exist.
Scott
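The counting rule Scott gives in his last reply (every unique IP connection that crosses from one PIX interface to another is one tracked entry, whichever interface pair it crosses, and the practical ceiling is the memory that state costs rather than an enforced software limit), worked as an added example. This is not code from the thread or from Cisco; the per-connection byte cost, the datasheet guideline number and the flow events are all constructed placeholders, not PIX values.

```python
"""Toy concurrent-connection counter modelled on the thread's rule: every unique
IP connection that crosses from one PIX interface to another is one tracked
entry, regardless of which pair of interfaces it crosses. Added example, not
code from the thread or from Cisco.
"""
from typing import Dict, List, Tuple

# Constructed assumption: per-connection state cost in bytes, used only to
# illustrate that the practical ceiling is memory, not a software limit.
# This is NOT a PIX figure.
BYTES_PER_CONN = 256

FiveTuple = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


class ConnTracker:
    """Tracks open connections keyed by 5-tuple, plus the interface pair."""

    def __init__(self, datasheet_guideline: int) -> None:
        # Datasheet figure used purely for sizing advice; nothing is blocked,
        # matching the thread's point that the number is a guide, not a limit.
        self.guideline = datasheet_guideline
        self.table: Dict[FiveTuple, Tuple[str, str]] = {}
        self.peak = 0

    def open(self, ft: FiveTuple, in_if: str, out_if: str) -> bool:
        """Record a new connection. Returns False if it is not a through
        connection (same ingress and egress interface) or is already tracked."""
        if in_if == out_if or ft in self.table:
            return False
        self.table[ft] = (in_if, out_if)
        self.peak = max(self.peak, len(self.table))
        return True

    def close(self, ft: FiveTuple) -> bool:
        """Release a tracked connection; returns False if it was unknown."""
        return self.table.pop(ft, None) is not None

    def concurrent(self) -> int:
        return len(self.table)

    def by_interface_pair(self) -> Dict[Tuple[str, str], int]:
        """Breakdown by (ingress, egress) pair: inside->dmz counts like any other."""
        counts: Dict[Tuple[str, str], int] = {}
        for pair in self.table.values():
            counts[pair] = counts.get(pair, 0) + 1
        return counts

    def state_bytes(self) -> int:
        return len(self.table) * BYTES_PER_CONN

    def sizing_ratio(self) -> float:
        """Peak concurrency as a fraction of the datasheet guideline (>1.0 means
        the platform is undersized for this load, even though the PIX itself
        would not refuse the connections)."""
        return self.peak / self.guideline


# Constructed sample flow events:
# (action, proto, src, sport, dst, dport, ingress_if, egress_if)
SAMPLE_EVENTS: List[Tuple] = [
    ("open", "tcp", "10.1.1.10", 40001, "192.168.2.5", 443, "inside", "dmz"),
    ("open", "tcp", "10.1.1.11", 40002, "198.51.100.7", 80, "inside", "outside"),
    ("open", "tcp", "203.0.113.9", 51000, "192.168.2.5", 25, "outside", "dmz"),
    ("open", "udp", "10.1.1.10", 53001, "192.168.2.53", 53, "inside", "dmz"),
    ("open", "tcp", "10.1.1.10", 40001, "192.168.2.5", 443, "inside", "dmz"),  # duplicate
    ("open", "tcp", "10.1.1.12", 40003, "10.1.1.13", 22, "inside", "inside"),  # not a through connection
    ("close", "tcp", "10.1.1.11", 40002, "198.51.100.7", 80, "inside", "outside"),
]


def replay(events: List[Tuple], guideline: int = 10) -> ConnTracker:
    """Feed events through a tracker and return it for inspection."""
    t = ConnTracker(guideline)
    for action, proto, src, sport, dst, dport, in_if, out_if in events:
        ft: FiveTuple = (proto, src, sport, dst, dport)
        if action == "open":
            t.open(ft, in_if, out_if)
        elif action == "close":
            t.close(ft)
    return t


if __name__ == "__main__":
    tracker = replay(SAMPLE_EVENTS)
    print("concurrent:", tracker.concurrent(), "peak:", tracker.peak)
    print("per interface pair:", tracker.by_interface_pair())
    print("state bytes:", tracker.state_bytes(),
          "sizing ratio:", tracker.sizing_ratio())
```

Replaying the constructed events leaves three tracked connections with a peak of four: the inside-to-DMZ flows are counted exactly like the inside-to-outside and outside-to-DMZ ones, the duplicate 5-tuple and the same-interface flow are not, and the sizing ratio is reported rather than enforced.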