F'n Cisco and the run around lic question

Can a pix 501 firewall VPN be created with a 10 user restricted license? It seems impossible to get an answer because of Cisco's blackmailing EOL policy.

ver 6 3.5

Highlighted
Hi,

It might be a good idea to also post the "show version" output of your PIX. Also, what specific type of VPN are you thinking of: IPsec site-to-site, remote access or SSL remote access?

Jonnathan

Highlighted

The question is can you use a vpn...any type of vpn with a 10 user restricted license?

But if it matters, I want remote clients to connect to a windows server.

Highlighted

So the VPN endpoint will be the Windows server and not the PIX itself, right? If so, the PIX will be working as a pass-through device and VPN licenses won't have anything to do with it; the concurrent number of connections is what will limit the VPN traffic, but you will be able to build the tunnel with no problems.

Further reading on PIX licensing:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/product_data_sheet09186a00800b0d85.html

As you can see in table 4, the number of connections allowed with a 10 user license is 7500, which doesn't mean 7500 users, but 7500 connections between your local network and the VPN traffic.

HTH

Jonnathan

Highlighted

I would like the pix to act as a vpn and not a passthrough.

...but it seems impossible to get a freaking yes or no answer as to CAN A PIX 501 ACT as a VPN WITH A 10 USER RESTRICTED LICENSE?

Highlighted

@ Jonathan Rojas

Please stop replying because you simply cannot answer the yes or no question and are adding to my frustrations with Cisco.

...the runaround continues. Sigh.

Highlighted

You would get a yes or no answer if you were more specific from the very beginning. VPN is a wide technology and unfortunately answers are never that simple.

Also, if you take a look at the link I provided you will find your own answer:

"These licenses activate encryption services on Cisco PIX Security Appliances, which are required before using certain features including VPN, secure remote management, and more"

So it doesn't depend on your users license, it depends on your encryption license:

You can check it by doing a "show version" and looking at the following outputs:

VPN-DES                           : Enabled       

VPN-3DES-AES                      : Enabled

Highlighted

Can anyone tell me if this pix 501 can be used as a VPN based on the following?

Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixfirewall up 3 mins 39 secs
Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0016.c7f9.8329, irq 9
1: ethernet1: address is 0016.c7f9.832c, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10
This PIX has a Restricted (R) license.
Serial Number: 810341925 (0x304cd625)
Running Activation Key: 0x2af002a0 0xa3e7fb8f 0x1ab32f96 0xdb3c1af3
Configuration has not been modified since last system restart.

Highlighted

Yes, for 10 users.

Highlighted

Are you saying yes based on

IKE peers: 10?

Highlighted

Based on three outputs:

VPN-DES:                     Enabled

VPN-3DES-AES:                Enabled

Which tells me encryption is enabled on the PIX, and from:

IKE peers:                   10

Which specifies the number of users.
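
The check described in the reply above, as an added example that is not part of the original thread: a small Python parser that reads a saved "show version" capture and reports the encryption licenses and limits the answer relies on. The function names and the `des_only` flag (set when only single DES is licensed, which is weak encryption) are assumptions of this example; the sample text is an excerpt of the output posted earlier.

```python
import re

# Excerpt of the "show version" output posted earlier in this thread.
SAMPLE = """\
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10
This PIX has a Restricted (R) license.
"""

# Accepts both "VPN-DES: Enabled" and "VPN-DES      : Enabled" layouts.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")
LICENSE = re.compile(r"This PIX has an? (.+?) license\.")


def parse_show_version(text):
    """Return {field: value} for each 'name: value' line, plus the license type."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        lic = LICENSE.search(line)
        if lic:
            fields["License"] = lic.group(1)
    return fields


def vpn_summary(text):
    """Summarise whether the unit can terminate VPN tunnels, and its limits."""
    f = parse_show_version(text)
    des = f.get("VPN-DES") == "Enabled"
    strong = f.get("VPN-3DES-AES") == "Enabled"

    def limit(name):
        # Numeric limits become ints; "Unlimited" stays text; missing is None.
        v = f.get(name, "")
        return int(v) if v.isdigit() else (v or None)

    return {
        "can_terminate_vpn": des or strong,  # an encryption license is present
        "des_only": des and not strong,      # only single DES: weak encryption
        "ike_peers": limit("IKE peers"),
        "inside_hosts": limit("Inside Hosts"),
        "license": f.get("License"),
    }


if __name__ == "__main__":
    print(vpn_summary(SAMPLE))
```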

Highlighted

Hi,

To add some more details about the 10 hosts:

A local-host connection on the PIX is a combination of an XLATE (translation) and a CONN (connection).

This PIX-501, with its 10-user limit, will allow a maximum of 10 local-hosts from inside to outside.

Use the "show local-host" command to check them out.

PIX# show local

Interface inside: 10 active, 10 maximum active

A new translation creates a local-host, then it will count as 1 user.

An 11th user will not be allowed.

Thanks.

Portu.

Please rate any posts you find useful.

Highlighted

Thanks that was helpful.

Do I have to use the Cisco VPN client (because it seems impossible to download)?

Highlighted

Hi Dennis,

You can download the IPsec client, check this out:

VPN Client Software for x86 32-bit version of XP/Vista/Windows 7 - Microsoft Installer

Note: There you will find the client for x86 and x64.

The PIX only supports this legacy VPN client.

Let me know.

Portu.

Please rate any post you find helpful.

Highlighted

You need a valid support contract to use a Cisco product and the proper download software needed to use the Cisco product that you purchased.

...again, if I can't use (get) the Cisco VPN client, is the PIX going to be useless as a VPN?

My point is that I'm not paying Cisco another dime to get something to work. So if I don't pay an extortion fee to get the client.