09-14-2012 08:23 AM
Can a pix 501 firewall VPN be created with a 10 user restricted license? It seems impossible to get an answer because of Cisco's blackmailing EOL policy.
ver 6 3.5
09-14-2012 08:31 AM
Hi,
It might be a good idea to also post the "show version" output of your PIX, also, what specific type of VPN are you thinking of? IPsec site to site, remote access or SSL remote access?
Jonnathan
09-14-2012 08:39 AM
The question is can you use a vpn...any type of vpn with a 10 user restricted license?
But if it matters, I want remote clients to connect to a windows server.
09-14-2012 08:48 AM
So the VPN endpoint will be the Windows server and not the PIX itself, right? If so, the PIX will be working as a pass-through device and VPN licenses won't have anything to do, the concurrent number of connections is what will limit the VPN traffic, but you will be able to build the tunnel with no problems.
Further reading on PIX licensing:
As you can see on table 4 the number of connections allowed with a 10 user license is 7500, which doesn't mean 7500 users, but 7500 connections between your local network and the VPN traffic.
HTH
Jonnathan
09-14-2012 08:52 AM
I would like the pix to act as a vpn and not a passthrough.
...but it seems impossible to get a freaking yes or no answer as to CAN A PIX 501 ACT as a VPN WITH A 10 USER RESTRICTED LICENSE?
09-14-2012 08:57 AM
@ Jonathan Rojas
Please stop replying because you simply cannot answer the yes or no question and are adding to my frustrations with Cisco.
...the runaround continues. Sigh.
09-14-2012 09:00 AM
You would get a yes or no answer if you were more specific from the very beginning, VPN is a wide technology and unfortunately answers are never that simple.
Also, if you take a look at the link I provided you will find your own answer:
"These licenses activate encryption services on Cisco PIX Security Appliances, which are required before using certain features including VPN, secure remote management, and more"
So it doesn't depend on your users license, it depends on your encryption license:
You can check it by doing a "show version" and looking at the following outputs:
VPN-DES : Enabled
VPN-3DES-AES : Enabled
09-14-2012 09:28 AM
Can anyone tell me if this pix 501 can be used as a VPN based on the following?
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixfirewall up 3 mins 39 secs
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0016.c7f9.8329, irq 9
1: ethernet1: address is 0016.c7f9.832c, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
Serial Number: 810341925 (0x304cd625)
Running Activation Key: 0x2af002a0 0xa3e7fb8f 0x1ab32f96 0xdb3c1af3
Configuration has not been modified since last system restart.
09-14-2012 09:31 AM
Yes, for 10 users.
09-14-2012 09:38 AM
Are you saying yes based on
IKE peers: 10?
09-14-2012 09:40 AM
Based on three outputs:
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Which tells me encryption is enabled on the PIX, and from:
IKE peers: 10
Which specifies the number of users.
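The check described in the reply above, as an added example that is not part of the original posts: a small Python parser that reads the "Licensed Features" block of `show version` output and reports whether encryption is licensed and what the peer and host limits are. The function names and result keys are hypothetical, and the sample text is constructed from the feature lines posted in this thread.

```python
import re

# Constructed sample: feature lines as posted in this thread.
SAMPLE_SHOW_VERSION = """\
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
"""

def parse_licensed_features(text):
    """Return {feature: value} for the lines after 'Licensed Features:'."""
    features, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Licensed Features"):
            in_block = True
            continue
        if not in_block or not line:
            continue
        m = re.match(r"^([A-Za-z0-9 \-]+?)\s*:\s*(\S.*)$", line)
        if not m:
            break  # first line that is not "name: value" ends the block
        features[m.group(1)] = m.group(2)
    return features

def _limit(value):
    """Numeric limits become int; 'Unlimited' or a missing value pass through."""
    return int(value) if value and value.isdigit() else value

def vpn_capability(text):
    """Summarise the license lines the thread uses to answer the question."""
    f = parse_licensed_features(text)
    des = f.get("VPN-DES") == "Enabled"
    strong = f.get("VPN-3DES-AES") == "Enabled"
    return {
        "encryption_licensed": des or strong,  # needed for the PIX to do VPN
        "des_only": des and not strong,        # only the weaker DES license
        "ike_peers": _limit(f.get("IKE peers")),
        "inside_hosts": _limit(f.get("Inside Hosts")),
    }
```
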
09-14-2012 09:48 AM
Hi,
To add some more details about the 10 hosts:
A local-host connection on the PIX is a combination of an XLATE (translation) and a CONN (connection).
This PIX-501 with 10-user limit, will allow a maximum of 10 local-hosts from inside to outside.
Use the "show local-host" command to check them out.
PIX# show local
Interface inside: 10 active, 10 maximum active
A new translation creates a local-host, then it will count as 1 user.
An 11th user will not be allowed.
Thanks.
Portu.
Please rate any posts you find useful.
09-14-2012 09:58 AM
Thanks that was helpful.
Do I have to use the Cisco VPN client (because it seems impossible to download)?
09-14-2012 10:06 AM
Hi Dennis,
You can download the IPsec client, check this out:
VPN Client Software for x86 32-bit version of XP/Vista/Windows 7 - Microsoft Installer
Note: There you will find the client for x86 and x64.
The PIX only supports this legacy VPN client.
Let me know.
Portu.
Please rate any post you find helpful.
09-14-2012 10:15 AM
You need a valid support contract to use a Cisco product and the proper download software needed to use the Cisco product that you purchased.
...again, if I can't use (get) the Cisco VPN client, is the PIX going to be useless as a VPN?
My point is that I'm not paying Cisco another dime to get something to work. So if I don't pay an extortion fee to get the client.