Type: HOST-LIMIT DROP while NAT

ELIE IBRAHIM
Level 1

Dear

With the configuration below, the inside devices are not able to NAT to outside.

Running packet-tracer, Type: HOST-LIMIT is dropping although there is only 1 user.

Please advise.

sh run
: Saved
:
ASA Version 8.4(6)
!
enable password
passwd
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.210.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.50 255.255.255.0
!
boot system disk0:/asa846-k8.bin
ftp mode passive
clock timezone Athens 2
clock summer-time Athens recurring last Sun Mar 23:00 last Sun Oct 23:00
object network obj-192.168.210.11
 host 192.168.210.11
object network obj-192.168.210.10
 host 192.168.210.10
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.210.0-01
 subnet 192.168.210.0 255.255.255.0
access-list incoming extended permit tcp any any eq 5902
access-list incoming extended permit tcp any any eq 5900
access-list incoming extended permit icmp any any
access-list incoming extended permit udp any any eq snmp
access-list outgoing extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.210.11
 nat (inside,outside) static interface service tcp 5900 5900
object network obj-192.168.210.10
 nat (inside,outside) static interface service tcp 5900 5902
object network obj-192.168.210.0-01
 nat (inside,outside) dynamic interface
access-group outgoing in interface inside
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83319ef6c35b6031987e5c7704d89f3b
: end

# sh local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10
Interface outside: 1 active, 4 maximum active, 0 denied
Interface inside: 0 active, 2 maximum active, 0 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied

# packet-tracer in in tcp 192.168.210.10 123 192.168.1.254 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outgoing in interface inside
access-list outgoing extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.210.0-01
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.210.10/123 to 192.168.1.50/123

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
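As an added triage helper (not part of this thread or of any Cisco tool), the Python below parses the two outputs shown above and tells a HOST-LIMIT drop caused by a genuinely exhausted host license apart from one that happens while the host count is still below the licensed limit, which is what the post shows. The sample strings are constructed from the output in the post; the "Unlimited" wording for unrestricted licenses is an assumption.

```python
import re

# Constructed samples, copied from the values shown in the post.
SH_LOCAL_HOST = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10
Interface outside: 1 active, 4 maximum active, 0 denied
Interface inside: 0 active, 2 maximum active, 0 denied
"""

PACKET_TRACER = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_host_count(text):
    """Return (current, limit) from 'sh local-host'; limit is None when unlimited (assumed wording)."""
    m = re.search(r"Current host count: (\d+), towards licensed host limit of: (\d+|Unlimited)", text)
    if not m:
        raise ValueError("host count line not found in 'sh local-host' output")
    limit = None if m.group(2) == "Unlimited" else int(m.group(2))
    return int(m.group(1)), limit


def parse_phases(text):
    """Return [(phase type, result), ...] for every packet-tracer phase."""
    return re.findall(r"Type: ([A-Z-]+)\nSubtype:[^\n]*\nResult: (ALLOW|DROP)", text)


def triage(local_host, tracer):
    """Classify the drop: no HOST-LIMIT drop, license really exhausted, or anomalous."""
    current, limit = parse_host_count(local_host)
    dropped = [ptype for ptype, result in parse_phases(tracer) if result == "DROP"]
    if "HOST-LIMIT" not in dropped:
        return "no-host-limit-drop"
    if limit is not None and current >= limit:
        return "license-exhausted"      # expected behaviour: buy/activate more hosts
    return "anomalous-host-limit-drop"  # count below limit: suspect software, check version
```

An "anomalous-host-limit-drop" result is the signature seen in this thread, where the fix turned out to be a software change rather than a license or NAT change.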


4 Replies

Jouni Forss
VIP Alumni

Hi,

Remember seeing this once before.

Could you please boot the ASA to software level 8.4(5) and try again?

I think this is probably a bug with the 8.4(6) software maintenance release.

- Jouni

Julio Carvajal
VIP Alumni

Hello Elie,

Here is the bug ID:

CSCuh23347

Fix:

Upgrade to 9.0.2 or 9.1.2, or downgrade to 8.2.5. Also works on 8.4.5.6.

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ELIE IBRAHIM
Level 1

Thanks,

Upgraded to 902 and it worked.

Hello Elie,

Amazing, glad to help.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC